Password Management


net....@gmail.com

May 13, 2016, 2:27:15 AM
to Roadkill Wiki
Is it safe to store passwords in RK? Is there a way for us to make passwords invisible unless they are unlocked somehow?

Chris Small

May 13, 2016, 1:07:05 PM
to Roadkill Wiki

They're hashed with a salt using SHA128 (or whatever you specify in your web.config). So yes, they're pretty safe.


On Fri, 13 May 2016, 07:27, <net....@gmail.com> wrote:
> Is it safe to store passwords in RK? Is there a way for us to make passwords invisible unless they are unlocked somehow?

--
You received this message because you are subscribed to the Google Groups "Roadkill Wiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email to roadkillwiki...@googlegroups.com.
To post to this group, send an email to roadki...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/roadkillwiki/c3fbf00b-734d-49d3-9390-b928821e5467%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

net....@gmail.com

May 13, 2016, 6:12:00 PM
to Roadkill Wiki, net....@gmail.com
On Friday, 13 May 2016 18:27:15 UTC+12, net....@gmail.com wrote:
> Is it safe to store passwords in RK? Is there a way for us to make passwords invisible unless they are unlocked somehow?

Sorry, I definitely wasn't clear enough. I am using RK for documentation of client sites. As part of this, we are storing some passwords. I am trying to ensure those passwords have an extra layer of protection if possible.

Mike Zandvliet

May 14, 2016, 12:05:09 AM
to Roadkill Wiki, net....@gmail.com
Chris can no doubt give you a more authoritative answer - but I would note that RoadKill, like most (all?) wikis, stores the page content in plain text in the database. Depending on what database technology you are using, this may or may not be encrypted when it is 'at rest'. And unless you are using HTTPS, then it definitely isn't encrypted when it is 'in motion'. Personally, I would never store passwords in any wiki, regardless of whether it is accessible via the internet or not, as wikis are not purpose-built for this. Best practice for password storage in databases is to always encrypt them (preferably as a one-way hash) with a unique salt - so storing them in plain text is the absolute opposite of best practice.

And in your case, you mention the passwords are for "client sites", so you'd actually be risking the security of your clients - which is far worse than risking just your own security.

I'd strongly recommend you use a dedicated local (i.e. non-internet) program such as KeePass for this kind of purpose, and then just reference that on your wiki... i.e. "Credentials are in KeePass", but don't provide the location or master key for it. KeePass and other software like it store the passwords in a secure encrypted file, which you can control access to. I would recommend you avoid any web-based service that stores passwords for you, as they can be compromised, and you never really know if you can trust them in the first place.

Cheers,
Mike

Chris Small

May 20, 2016, 3:25:32 AM
to Roadkill Wiki, net....@gmail.com
As Mike said, a password vault would make more sense (1Password or LastPass for basic usage). As all the pages in Roadkill are viewable to anyone on your network, encrypting the database wouldn't make much difference.

One other approach would be to create a plugin that lets you reveal the password when you click a button and enter a password on the page, along with enabling SQL Server's encrypted database.

