

Ask HN: How do you store Unix passwords for your servers? - georgerobinson

Happy Sunday!

I have a question for you HN readers about password security (or rather, storing passwords securely!).

I don't use password authentication (disabled in sshd_config) to SSH into my remote hosts. However, that doesn't mean I can simply throw away the password once PKA is set up. I might need to run su to login as root to install software, or to execute other privileged operations.

How do you store said passwords? Do you use a password manager? If so, do you ensure that your password manager is available even when you're away from your machine? Is there a particular software suite that you use, or would recommend?
======
tptacek
You're probably overthinking it. Use SSH keys to log in, and if you want to
lock things down further than "admin users are simply in sudoers", then write
a more complicated sudoers that permits only some commands for some users.

In practice, an attacker who gets a shell on one of your servers has game-over
access to the data center the server's in.

------
lbostral
I think that Foxpass answers all your needs
[https://www.foxpass.com/learn/](https://www.foxpass.com/learn/)

------
nautical
Have a general password generation rule for servers and accounts, e.g.:
my/family name + website/server name + current month/year + !@# + some movie
name etc. ... I tend not to trust anyone with passwords.

~~~
wglb
You might want to think through if that pattern isn't really on the list of
the one terabyte of passwords and phrases that a good password cracker might
build to filter through his GPU rack.

That is to say, I would venture that passwords by this or any other scheme are
too easy to crack. Better have something like 1password generate them for you.

~~~
nautical
I don't completely agree or disagree. There are more factors, like my native
language being non-English and what I type being a translated version of my
language into English, and some other factors. I find it more secure than trusting
someone else. Personal preference, although I would love some maths on top
of it; can't talk without numbers.
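Some numbers for the two approaches discussed above, added here as an illustration and not part of anyone's comment. The pool sizes in `RULE_SCHEME_POOLS` and the guess rate are assumptions; the estimate takes the usual worst case that the attacker knows the scheme (so only the slot contents are secret) and is cracking a leaked password hash offline.

```python
import math

# Constructed pool-size assumptions for each slot of the "rule" scheme.
# An attacker who knows the scheme only has to enumerate each slot; the
# server name is known to whoever targets that host, so it adds nothing.
RULE_SCHEME_POOLS = {
    "family name": 20_000,    # common-surname list
    "server name": 1,         # known to the attacker
    "month/year": 12 * 10,    # any month within a ten-year window
    "symbol run": 20,         # a short list of popular clusters like !@#
    "movie name": 10_000,     # popular-movie title list
    "transliteration": 8,     # a few plausible spellings per non-English word
}


def scheme_entropy_bits(pools):
    """Bits of entropy when every slot combination must be tried."""
    combos = 1
    for size in pools.values():
        combos *= size
    return math.log2(combos)


def random_entropy_bits(length, alphabet_size=94):
    """Bits for a manager-generated string of independent printable ASCII chars."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(guesses_per_second=1e10, manager_length=20):
    """Summarise both approaches; the guess rate is an assumed GPU-rack figure
    against a fast unsalted hash, not a measurement."""
    scheme_bits = scheme_entropy_bits(RULE_SCHEME_POOLS)
    random_bits = random_entropy_bits(manager_length)
    return {
        "scheme_bits": scheme_bits,
        "scheme_seconds": expected_crack_seconds(scheme_bits, guesses_per_second),
        "random_bits": random_bits,
        "random_seconds": expected_crack_seconds(random_bits, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```

If the attacker does not know the scheme, the effective entropy is higher, but that margin is hard to quantify and disappears as soon as one password from the scheme leaks.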

