Offline paper-based password backups
Posted by masterofrants@reddit | sysadmin | 24 comments
Today I spent 3 hours stressing about Veeam backups only to find out that the encryption key for the 16 TB backup is mostly gone and we won't be able to retrieve it lol.
And the previous sysadmins had password managers with KeePass containing everything, but time has eroded that too.
So how many here are doing a paper-based dump of the full password database from KeePass or Bitwarden?
I'm thinking a paper copy at the boss's home or something might probably work, right?
Certain-Community438@reddit
I hope nobody sticks a tiny camera in whatever safe he puts them in.
And doesn't live in a wooden house in a wildfire zone.
Etc.
How about:
A Key Vault. With redundancy for IAM:
MaelstromFL@reddit
I had left a company for just shy of 90 days when one of the techs I liked (they obviously asked him specifically to call me) called and asked for the passphrase for the KeePass database. I laughed and told him it was in the safe. Then he asked for the safe combination. This had me in absolute fits laughing, because I gave all this information to the director before I left, who, obviously, did not write it down.
So, I told him to go into the server room and call me back when he had the key to rack 27. Which he promptly reminded me we did not have a rack 27! I told him to just call me back when he had the key.
20 minutes later he called me back and told me he had the key to a rack we didn't have. I told him to take the tag off the ring and pull out the paper the number was written on. Unfold the paper and he would have the combination to the safe.
He now calls this story, "The Quest for the Unholy Passphrase!".
Always have a backup of your backups!
crzdcarney@reddit
I would have charged for that... At least 3x the rate they paid me as an employee.
--RedDawg--@reddit
Should have contracted for a high hourly rate and an 8 hour minimum to dig them out of the hole they got themselves into by not following the plans you laid out.
UrbyTuesday@reddit
yeah the “stick it to the man” narrative is a peculiarly reddit-based mentality which rarely bears any fruit in the real world, especially in a small world. Sometimes it’s necessary but mostly counterproductive.
schnurble@reddit
it's not reddit-based, it's commonly discussed, and honestly it's a fair thing to do, especially when you depart under less than ideal circumstances.
In 2012 I left a startup that was incredibly toxic. They asked me to do some part time consulting after my departure. So I asked for $200/hr (I was making about $60/hr at the time) and they accepted. They even insisted it be W2, not 1099. That was their mistake which I let them make.
At the end of the year I got paid $800/hr to sit on an airplane from DCA to SFO. I have no regrets.
TinderSubThrowAway@reddit
In the real world, outside of reddit fever dreams, being a dick doesn’t bear long-term benefits.
jaydizzleforshizzle@reddit
Ehh, it’s a different vibe if OP had been laid off or something, but sometimes in IT in certain cities, it’s a small world, and I don’t see the harm in informing them if they ask. Not like he had to do any real work, they already paid for him to be smart enough to do the backup passphrase.
MaelstromFL@reddit
This is why I am sure they had this particular tech call me. If it was the director, I probably would have made him work for the info. The guy who called I had mentored, and I wasn't going to pull his chain.
Dry_Ask3230@reddit
Our KeePass database is backed up with Veeam along with all servers. All encryption keys and passwords necessary to restore Veeam backups (and anything else that might be needed to accelerate disaster recovery process in general) are printed out yearly. This printout is given to CEO, IT director, and sysadmin for storage in home safes.
J2E1@reddit
We do a monthly dump to an encrypted USB and store it in a safe in our datacenter. Backup of the password for the USB is stored in a secure location and same thing for the safe.
ZAFJB@reddit
And when your datacenter catches fire....
J2E1@reddit
The backup onto the USB stick is only in the event something happens to our Keeper cloud provider going down. I guess if that implodes AND my DR datacenter burns down, I'll probably not be coming into work as I figure out how to fight off the T-800s.
MrMeeseeksAnswers@reddit
Is the datacenter catching on fire at the same time you lose access to the passwords? It's the backup, not the primary.
TinderSubThrowAway@reddit
1- that’s the backup, not the only copy.
2- Actual datacenters are generally really hard to catch on fire since there’s not really much stuff that can actually burn and spread in them. Even then, if it’s any significant type of safe then it’s not gonna affect it.
ZAFJB@reddit
If you are super paranoid:
long complex password
Split password into two
Print one half and give it to suitable person to store off site in a safe
Print other half and give it to another suitable person to store off site in a safe
Repeat with (an)other pair(s) of people
That prevents issues with a single user going rogue.
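An added example of the split-custody idea in the comment above; this is my own illustration, not ZAFJB's or any vendor's code. It deliberately goes beyond the literal "cut the password in two": each sheet is an XOR share, so one custodian's printout alone is uniformly random and reveals nothing, a short hash tag catches a mistyped hex digit at restore time, and the "repeat with another pair" step becomes independently generated pairs for redundancy. The password used is a constructed sample.

```python
import hashlib
import secrets

TAG_LEN = 4  # bytes of SHA-256 appended so a mistyped sheet is detected

def make_share_pairs(password: str, pairs: int = 2) -> list[tuple[str, str]]:
    """Split `password` into `pairs` independent 2-of-2 XOR share pairs.

    Each pair is (sheet_a, sheet_b) as hex for printing. sheet_a is random and
    sheet_b = secret XOR sheet_a, so either sheet alone is just random bytes.
    Pairs are generated independently: any one complete pair recovers the
    password, which is the 'repeat with another pair' redundancy.
    """
    pw = password.encode("utf-8")
    secret = pw + hashlib.sha256(pw).digest()[:TAG_LEN]
    out = []
    for _ in range(pairs):
        a = secrets.token_bytes(len(secret))
        b = bytes(x ^ y for x, y in zip(secret, a))
        out.append((a.hex(), b.hex()))
    return out

def recover(sheet_a: str, sheet_b: str) -> str:
    """Combine both sheets of one pair. Raises ValueError if the sheets come
    from different pairs or a hex digit was mistyped when re-entering."""
    a, b = bytes.fromhex(sheet_a), bytes.fromhex(sheet_b)
    if len(a) != len(b) or len(a) <= TAG_LEN:
        raise ValueError("sheet lengths do not match")
    secret = bytes(x ^ y for x, y in zip(a, b))
    pw, tag = secret[:-TAG_LEN], secret[-TAG_LEN:]
    if hashlib.sha256(pw).digest()[:TAG_LEN] != tag:
        raise ValueError("sheets do not belong together or were mistyped")
    return pw.decode("utf-8")

def naive_halves(password: str) -> tuple[str, str]:
    """The literal 'print one half each' scheme, for contrast: each custodian's
    sheet leaks half the password outright and halves the guessing work."""
    mid = len(password) // 2
    return password[:mid], password[mid:]

def verify_pairs(password: str, pairs: list[tuple[str, str]]) -> bool:
    """The yearly restore test: every printed pair must still recover."""
    return all(recover(a, b) == password for a, b in pairs)

if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample password
    pairs = make_share_pairs(sample, pairs=2)
    for i, (a, b) in enumerate(pairs, 1):
        print(f"pair {i}: sheet A = {a}\n        sheet B = {b}")
    print("restore test passed:", verify_pairs(sample, pairs))
```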
nico282@reddit
Previous job, for the Microsoft break-glass account we had user, pass and 2FA key in a safe in the CIO's office.
Our responsibility stops there, the security of the safe and the combination was none of our business or responsibility.
I guess the same solution may be used for a semestral printout of the passwords in a sealed envelope.
Emmanuel_BDRSuite@reddit
Boss’s house isn’t a bad call. Just gotta balance redundancy with not creating a “single piece of paper destroys the company” scenario.
BlueHatBrit@reddit
Safety deposit boxes are still a thing and pretty good for these small but important things. Get a couple of people who are able to access it and you're good to go.
I wouldn't store anything at someone's home unless you're ordered to. It probably won't jibe with insurance policies, in particular something like cyber insurance.
Safety deposit boxes are off-site, secure, and have managed security and fire protections.
If you've got a safe on-site then that's probably fine as well but it's never a bad idea to have an off-site version as well.
WayneH_nz@reddit
I have it stored with my lawyer. You could store it with your company lawyer, not at the boss's place.
RavenWolf1@reddit
Always test these backups every year.
Immediate-Opening185@reddit
It's not exactly secure, not because it's on paper (assuming there is a fireproof safe at the boss's home) but because the way you're talking about wouldn't include 2FA on what is an account with very liberal permissions. I would recommend looking into IAM policies for your IdP provider; most of the big ones have a specific solution to this problem.
Jtrickz@reddit
Is this serious?
You need people and policy and follow it.
Start looking for other jobs.
BeyondRAM@reddit
Good luck bro