Blog | G5 Cyber Security

Secure LAN Tool Passwords

G5 Cyber Security

TL;DR

Don’t store passwords in plain text! Use a password manager with a strong master key, or integrate your tool with an existing authentication system like Active Directory. If you *must* store them locally, encrypt them using a robust algorithm and securely manage the encryption key.

Storing LAN Tool Passwords Securely

  1. Understand the Risks: Storing passwords anywhere is risky. Plain text storage is extremely dangerous – anyone with access to the file can see all your credentials. Even seemingly secure methods can be vulnerable if not implemented correctly.
    • Compromised LAN = Compromised Passwords
    • Insider Threats
    • Weak Encryption
  2. Option 1: Password Manager (Recommended)

    The best approach is to use a dedicated password manager. This centralises storage and provides strong encryption.

    • Bitwarden, LastPass, KeePass: These are popular options. Choose one that suits your needs and budget.
    • Strong Master Key: The security of the entire system relies on a very strong master key. Use a long, complex password or passphrase.
    • Multi-Factor Authentication (MFA): Enable MFA wherever possible for added protection.
  3. Option 2: Integrate with Existing Authentication (Highly Recommended)

    If your organisation uses an authentication system like Active Directory, integrate your LAN tool with it.

    • Centralised Management: Users use their existing credentials.
    • Policy Enforcement: Password complexity and rotation policies are handled centrally.
    • Auditing: Easier to track access and changes.
    • Example (Python with LDAP): 
      import ldap

try:
    l = ldap.initialize('ldap://your_ldap_server')
    l.simple_bind_s(username, password)
    # Authentication successful
except ldap.LDAPError as e:
    print(f'Authentication failed: {e}')
  4. Option 3: Local Encryption (If absolutely necessary)

    Only use this if you cannot use a password manager or integrate with an existing system. It’s more complex and requires careful implementation.

    • Choose a Strong Algorithm: AES-256 is a good choice. 
      from cryptography.fernet import Fernet

key = Fernet.generate_key()
f = Fernet(key)
token = f.encrypt(b'my secret password')
decrypted_password = f.decrypt(token).decode()
    • Secure Key Storage: This is the hardest part! Do not store the key with the encrypted passwords. Consider:
      • Hardware Security Module (HSM)
      • Key Management System (KMS)
      • Separate, offline storage (very carefully managed).
    • Salt and Hash: Before encrypting, hash the password with a unique salt for each user. This adds an extra layer of security. 
      import hashlib
salt = 'your_unique_salt'
hashed_password = hashlib.sha256((password + salt).encode()).hexdigest()
    • Regular Key Rotation: Change the encryption key periodically.
  5. Avoid These Mistakes:
    • Storing passwords in plain text files (e.g., CSV, TXT).
    • Using weak encryption algorithms (e.g., DES, RC4).
    • Hardcoding keys into your application code.
    • Sharing the encryption key with anyone who doesn’t absolutely need it.
Exit mobile version