this post was submitted on 02 Apr 2025

51 points (98.1% liked)

Sysadmin

8484 readers

16 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 2 years ago

MODERATORS

DarraignTheSane@lemmy.world

00Lemming@lemmy.world

L3s@lemmy.world

Sysadmins, how do you store and manage passwords? (feddit.org)

submitted 5 days ago* (last edited 5 days ago) by cron@feddit.org to c/sysadmin@lemmy.world

58 comments fedilink hide all child comments

From a simple KeePass database to enterprise credential management solutions—what’s your setup at work?

top 50 comments

sorted by: hot top controversial new old

[–] stoy@lemmy.zip 2 points 1 day ago* (last edited 1 day ago) (1 children)

Keepass.

Backed up in the cloud, with a long password with plenty of non english characters in the password.

For learning new passwords, I write them down on a note in my wallet, without any explanation of where they lead or what username to use.

[–] BlaueHeiligenBlume@feddit.org 2 points 1 day ago

The same basically. For the real paranoid stuff I have the keepassx file in a veracrypt container.

[–] Nougat@fedia.io 46 points 5 days ago

Not today, Russia.

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 34 points 5 days ago (3 children)

The method of champions. Post-it on the bottom of keyboard.

[–] partial_accumen@lemmy.world 18 points 5 days ago (2 children)

Bottom of keyboard? Are you out of space on your monitor to place additional Post-its with user credentials on them? /s

[–] cron@feddit.org 19 points 5 days ago

Boss, I need a third monitor, I'm out of space for post-its

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 11 points 5 days ago

Monitor bezel is for the less secure systems. Under the keyboard is for the secure stuff.

And the really secure systems are in the filing cabinet.

[–] shalafi@lemmy.world 4 points 4 days ago

Got a thrift store keyboard. The pink sticky on the bottom said:

User: admin

Pass: password

I wish I was joking. Someone out there was dumb enough to need a reminder on that one.

[–] cron@feddit.org 3 points 5 days ago

I would need a small book hidden under my keyboard. My work password safe has approximately 100 entries.

[–] SkaveRat@discuss.tchncs.de 30 points 5 days ago

more dev than sysop, but: bitwarden

[–] refurbishedrefurbisher@lemmy.sdf.org 18 points 4 days ago* (last edited 4 days ago) (2 children)

I write it in plaintext then email it to myself. For my email password, I write that down on a sticky note next to my monitor with my webcam pointing towards it with Skype and Zoom always running so I can look at it when I'm not at home. I always make sure to turn 2FA off as well, since that gets annoying and isn't very convenient.

I might choose to mirror the webcam stream to a public RTMP stream later, but not sure yet, since I think that might open up some security holes.

[–] cron@feddit.org 10 points 4 days ago

This is exactly the kind of innovation I was looking for.

[–] phanto@lemmy.ca 3 points 4 days ago (1 children)

Also, if you use a really easy to remember password... I like P@ssw0rd! Easy to remember, and nobody will ever guess it because, get this... The 'o' is actually a zero!

[–] refurbishedrefurbisher@lemmy.sdf.org 2 points 4 days ago

Your password shows up to me as ************

[–] rumba@lemmy.zip 8 points 4 days ago

Bit Warden, one password, whatever float your boat just not last pass.

For SHTF stuff GPG.

[–] cron@feddit.org 10 points 5 days ago* (last edited 5 days ago)

We use Netwrix Password Secure at work. They just announced this week they have found a RCE vulnerability in their software...

[–] FauxLiving@lemmy.world 7 points 4 days ago (1 children)

correct horse battery staple

[–] invalidname@lemmy.world 3 points 4 days ago

Always a relevant xkcd

[–] slazer2au@lemmy.world 8 points 5 days ago

We use PasswordState at work and KeePassXC for personal passwords.

[–] skooma_king@lemm.ee 6 points 5 days ago

Bitwarden/KeePass for MFA (not SMS or email) protected accounts. Pen and paper stored in a fire proof vault for non-MFA and break glass accounts.

[–] jplee@lemmy.world 6 points 5 days ago (3 children)

As an admin for a Linux server, I want to institute a ssh pub key expiration policy for all the users and enforce non-reuse of old keys. Does anyone have a best solution for this?

[–] db0@lemmy.dbzer0.com 4 points 4 days ago

How do you do your pubkey deployments? If you use ansible, it should be simple enough.

[–] cron@feddit.org 4 points 5 days ago* (last edited 4 days ago)

Sounds like certificates to me, but I don't know of any such solution

Edit: I found out that openssh allows the logon with a certificate. This guide shows how to setup a public key that expires after 52 weeks.

[–] ag10n@lemmy.world 3 points 4 days ago

https://smallstep.com/docs/tutorials/ssh-certificate-login/

https://sssd.io/

[–] Godort@lemm.ee 6 points 5 days ago

We use ITGlue because it lets us tie password records to documentation which makes finding things very streamlined.

Personally, I use Bitwarden

[–] lightnsfw@reddthat.com 4 points 4 days ago

At work I keep them in onenote (they are encoded) because they won't let us install an actual password manager and half the shit I log into doesn't support SSO/doesn't have it set up and is all on different password schemes. Our service account passwords are in a shared cyberark vault.

[–] thatradomguy@lemmy.world 4 points 4 days ago (1 children)

Keepass

load more comments (1 replies)

[–] Astigma@feddit.uk 5 points 5 days ago* (last edited 5 days ago)

We have a KeePass DB as a fallback but mostly use a PAM solution to manage server access.

[–] NABDad@lemmy.world 4 points 4 days ago (1 children)

Scribbled on the whiteboard in the office.

[–] pinball_wizard@lemmy.zip 3 points 4 days ago

I would never scribble my password on a whiteboard. It's important to write in large clear letters so I can read it from across the lab.

[–] ikidd@lemmy.world 4 points 5 days ago* (last edited 5 days ago)

On a post-it note stuck to the monitor.

[–] lena@gregtech.eu 3 points 5 days ago

Bitwarden self-hosted with vaultwarden on my Hetzner VPS

[–] ocassionallyaduck@lemmy.world 3 points 5 days ago (3 children)

I don't understand the extreme love for Bitwarden. I understand it's useful, but I want as few things with a webui and server instance as possible, especially passwords, the thing that should be most secure.

KeePass, vault saved into the user's One Drive synced folder is sufficient. It's secure, offline, and automatically makes backups. And migrates to the new system just by logging into One Drive.

Bitwarden and others worry me because they have a lot of exposed attack surface, comparatively, and require much more maintenance to keep secure imo. I don't want to expose any of that to a portal or anything.

That said, I don't hate Bitwarden, the bitwarden/vault warden software is incredibly solid for what it is.

[–] wreckedcarzz@lemmy.world 15 points 5 days ago (1 children)

OneDrive

offline

...shoukd we tell them?

[–] ocassionallyaduck@lemmy.world 4 points 4 days ago

You can access it offline.

I do not mean to imply the One Drive is offline. It's the syncing backend.

But if your internet is out, you can still open your vault and look up a router password, for example, because the vault is a file on your local machine.

[–] otacon239@lemmy.world 11 points 5 days ago (1 children)

The actual answer will always be convenience. It’s just too easy to be able to smack my thumb on the fingerprint sensor to login to just about anything.

I understand your point on security, but for the masses, it needs to be as frictionless as possible.

And getting someone to use BW over nothing is a massive improvement even if it’s not perfect.

load more comments (1 replies)

[–] ag10n@lemmy.world 11 points 5 days ago (3 children)

https://bitwarden.com/help/cli/

If you’re concerned about security audits they do those regularly too

https://bitwarden.com/help/is-bitwarden-audited/

In addition to free as in source, they are respected because they have a high-quality, certified, third-party audited product.

load more comments (3 replies)

[–] CompactFlax@discuss.tchncs.de 3 points 5 days ago* (last edited 5 days ago) (8 children)

Personally, 1Password, but their enshittifaction is serious.

Work, Password Safe. But we’re moving to CyberArk.

[–] rhacer@lemmy.world 5 points 5 days ago (1 children)

I've been using 1password for over a decade. I'd love to know more about the enshitification you're seeing.

[–] CompactFlax@discuss.tchncs.de 7 points 4 days ago (1 children)

I just looked back and my first vault item dates back to 2010. Time flies.

I think enshittification is slightly an overstatement. They’re under VC pressure now and moving aggressively towards a subscription model with capabilities increasingly behind the subscription. I bought a few licenses for Mac and PC a while ago; the software still works but no browser extensions - need a subscription for that. Also, take a look at their job postings. Same job pays double in USA vs Canada. Funny way to do things if they’re Canadian.

[–] rhacer@lemmy.world 2 points 4 days ago

Thanks for a great response. I've been a paying customer for ages, and added my family as well. So I don't have the paywall issues you're seeing.

load more comments (7 replies)

[–] shalafi@lemmy.world 2 points 4 days ago

Used Keeper at my last gig. Was pretty happy with it all in all. Lacking some admin features, rock and roll support. Not too pricey, but it is per-user/per-month. Played nicely with our Google auth.

[–] knobbysideup@sh.itjust.works 2 points 4 days ago

For actual sysadmin stuff? Ansible vaults. Things that are managed otherwise either in ssh blowfish encrypted files or the company 1password thing (not my choice)

[–] Valon_Blue@sh.itjust.works 2 points 4 days ago

Self-hosted Bitwarden only accessible from behind my self-hosted VPN.

[–] 0ndead@infosec.pub 2 points 5 days ago

I tattoo them on my thigh like everybody else

load more comments