TechSoup.org The place for nonprofits, charities, and libraries

How do you store important technology information?

  • Does your nonprofit have a place it stores usernames, passwords, and other important technology-related information? What has worked best for you?
    senior editor, TechSoup
  • This is a security issue and a disaster recovery issue.

    I know the security advice to only choose strong passwords, never to write them down, etc., but I need to live in the real world. I advise this to anyone who asks me.

    Do not worry about recording usernames and passwords that you can reset with administrator rights. Things that you cannot reset (user names, account names, passwords, activation codes, serial numbers, etc.): put them all down in a single plain text file and lock that up with a single strong password.

    Keep this single secure file with your systems documentation (of course you have a copy of the systems documentation off site don't you?). Do not forget to ensure that at least one other trustworthy person in your organisation knows the password. Remember to look both ways next time you cross the road.

    Pete Cheer

    Peter Cheer
    Information Management Officer Pakistan Humanitarian Forum

    web site http://tinyurl.com/visimpscot

  • In our office we happen to have a large walk in safe. Inside the safe I've got a file I keep with all of the licenses, etc.

    I do have important information such as passwords in a sealed envelope within the safe. Only three people have our combination so it's pretty secure. I do not store this information electronically.
    Dan Tuuri, CISSP
    All advice given or comments made are mine, and mine only. They do not represent the view of my agency/employer. Eat advice at your own risk.
  • Microsoft XP offers a Forgotten Password Wizard. While you still remember your password, you can create a floppy disk that will allow you (or anyone else) to set a new password. Setting a new password with the wizard preserves saved "internal" passwords that you saved for web sites, and so on, and updates the floppy disk with new information in case the password must be reset again. The floppy disk is specific to one account on one computer.

    As Microsoft warns, "Other users may be able to use the password reset disk to gain access to your computer. For this reason, store this disk in a safe and secure location."
  • I learned about KeePass, a secure password database program, from Lifehacker.com. I will be implementing it shortly. Here's the link.

  • I use AnyPassword (anypassword.com) to save all of my un-retrievable passwords... at least the ones that a live CD can't reset. I also save that file on two different Lexar encrypted drives. This way, if one gets erased, I still have the other.
  • Like others here, I keep a text file with the link (if applicable), username and password to all tech admin resources, and a brief description of what the login is for. It's then stored in printed form in our agency safe, which only 3 people have access to.

    I just need to remember to print them a new update each time I update a password.

    For users... Our HR person gets a tech sheet from me to fill in. They check-mark all the things a new staff member needs (i.e., an e-mail address, what database they need access to, etc.). On that sheet the HR person notes the desired password for the user. When I complete the setup, I return the file to our HR staff, and they file it in the employee's staff file.
  • I'm an office of one person, but I have to organize a bunch of different passwords, etc. I use the universal password tool in Firefox. But I also keep a backup in my Outlook as a note and a hard copy in my office. The latter is very low-tech - I keep it on my Rolodex under P for password, with a different card for each password. The system hasn't failed me for years.
  • I keep a draft e-mail in my Outlook for various web passwords I need for work. That can be retrieved by anyone who is an administrator. We have a tech company we contract with for tech support. They have our administrator passwords in case someone blows us up and the couple of us that know the password all die at once *laughs*.

    I do try to set up at least one other user at the vital sites we use just in case I get hit by a truck one day (namely our background check site and credit card processing site). Anything vital to your day to day business should have more than one person with access, even if only one person generally uses it.
  • "Do not worry about recording usernames and passwords that you can reset with administrator rights."

    I agree with this, and also agree that it needs to be considered not only a security issue, but also a disaster recovery issue.

    I am currently in the process of using KeePass to document all user ids and passwords that I and other staff use that cannot be reset.

    The KeePass database and keyfiles will be backed up as part of our disaster recovery plan.

    The process to access KeePass will be stored in a sealed envelope and placed in our safe on-site, as well as a safety deposit box located off-site, in case something happens.

    For those that are only storing this information on-site, I strongly recommend considering disaster recovery requirements and off-site storage/recovery.
  • I keep 3 WordPad documents in the Start menu on our server for "Work History", "Users" (with passwords), and "Network Notes".

    Only admins have access to the server, which can be accessed locally or remotely.

    This way these notes are backed up and easily printed periodically for storage in a safe.

    Also, as a contract service provider (not an employee), they don't have to worry that I am the only keeper of the information. Any provider that is given access to the server would have easy access to the information they need to do whatever task they need to without wasting time.

    David Stark | Techpro Networks, LLC
    Mac • PC Technologist | Anchorage | Alaska
    907 | 229 | 3370
    "Sign up for the 'Technologist' newsletter at techpronetworks.com"

  • I like techprodave's suggestions. One way to possibly improve security would be to store the file on a TrueCrypt volume. This is my approach. I store the info in an MS Access database, which is saved on the TrueCrypt volume, so that if I forget to save a record it will only be one record. I also set TrueCrypt to automatically unmount the file after a set time in case I forget.
  • I use FolderShare (now part of Microsoft) to replicate important data between three computers I regularly use. Also, I am VERY happy with Mozy online backup - free version gives you 2GB (plus extra for referrals) and I use commercial version which is $5/month for unlimited (!!) space.
  • We have 1 domain admin password, known to 3 of the top people in the organization, written down on paper and stored in secure locked file cabinets. I also keep a copy of it in the fire safe where I keep backup tapes. I change the password every 6 months, or whenever I discover that it has been given out to an unauthorized user.

    I have a separate admin password for individual workstations, which is widely known, and I make everyone admin on their own (XP) machines - that way I don't have to even log in as admin when installing software. Firewall, Norton and SpyBot keep most of the junk software off the machines, and I'm moving toward virtual machines to make it simpler to do reinstalls when necessary.

    I do have my ISP info, dns info, domain registrar info, etc. in file folders in my file cabinet, and copies of the names of the companies in my fire safe. Copies of the entire file would be unreasonable to maintain.

    I avoid putting passwords on word files and access databases whenever possible, but when I'm forced to do it I make them uniform and simple, since you have to log in to our network before you can get hold of them.

    For internal security, like HR stuff, we use secured shares on our Windows Server 2003 server.

    That's it. Good luck!

    JP
    Unions are the people who have fought against and died at the hands of the U.S. government to give us: Healthcare, the 5-day workweek, an end to child labor, vacations, a livable wage, and many of the other things you consider great about this country.