controlling internet assets
July 14, 2011 8:25 AM

How does a company keep control of its internet assets (domain, website content etc)?

So, let's say that there is a company; much of its assets will be online (e.g. domains, website content, data in databases). The usernames and passwords for the hosts and the registrars get shared with developers and designers, so how does one keep control of these assets professionally?
posted by london302 to Technology (4 answers total) 6 users marked this as a favorite
 
A password rotation policy and an audit log. This is really just a matter of security best practices limiting risk exposure:

- Work with management to define who is responsible for what, so you know who needs access to what.
- Give the passwords to as few people as possible.
- Wherever possible enforce that users have unique logins (don't share!).
- Log what people do to important assets.
- Review your logs.
- Rotate passwords regularly. Enforce a password change policy on the unique accounts. Audit the list of recipients when you change the password on a shared account.
- Make people store their passwords in Password Safe, not in a text file.
- I personally prefer to centrally maintain shared assets. Group assets like domain registration accounts and Certificate Authority accounts, where the same people will be using them, into a single Password Safe, then share the decryption passphrase for that safe with the list.
- Have policies and procedures in place for rotating passwords and disabling accounts when someone leaves or no longer has access.
posted by bfranklin at 8:39 AM on July 14, 2011


I should also note: centrally sharing shared credentials helps to avoid lots of copies floating around lots of devices, by and large.
posted by bfranklin at 8:41 AM on July 14, 2011


It partly depends on the level of technical skill within the company. If you're maintaining your own infrastructure, but hiring outside developers to build out your web properties, you can consider just not letting said developers handle deployment at all. They get access to your version control, and maybe your staging environment, but you register the domains, and you deploy from your version control system to your production environment.

At the opposite end of the spectrum, maybe you have nobody on staff that can do anything technical at all. If that's the case, obviously the developers will need all of the passwords to everything, so at that point it becomes more about making sure they have sane internal policies with respect to safeguarding passwords, and making sure that your contractual relationship guarantees that you're the one listed as the domain owner, that you be given passwords if you ask for them, etc. It may be that the firm you hire for development will be handling hosting for you on their infrastructure, which may not entitle you to passwords to administer the server, but you'll want all of this to be clear in advance.

Lots of organizations/companies end up somewhere in the middle, but having clear security policies and carefully crafted contracts will get you most of the way there.
posted by andrewpendleton at 8:50 AM on July 14, 2011


Give access to servers using pubkey auth, not passwords. When someone leaves, you simply remove their key from the authorized_keys file. There's no need to worry about updating or regularly changing passwords. Nobody but the sysadmin gets the root password (or any other password). All accounts are regular user accounts. If a user needs extra access to perform some privileged function or role, that specific function is added to the sudoers file. The registrar password? What in the world are you doing that a web developer would need access to that? The only thing you should ever log in to your registrar for is to change nameservers, which is so infrequent that you can just request the head sysadmin to take care of it if it comes up.
posted by Rhomboid at 2:45 PM on July 14, 2011 [1 favorite]
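The offboarding and least-privilege steps Rhomboid describes (remove the departing user's key from `authorized_keys`, hand out a narrow sudoers rule instead of the root password), as an added shell example that is not part of the thread. The file paths, user names and key material are constructed placeholders; the sudoers drop-in path and the `grant_role` helper are assumptions, and validating the drop-in with `visudo -cf` before installing it is left to the operator.

```sh
#!/bin/sh
# Added example, not from the thread: revoke an SSH key by its comment field
# and grant one privileged command via a sudoers drop-in. All names and key
# material below are constructed placeholders.

# awk program shared by has_key/revoke_key. For each key line it locates the
# key-type field (so option prefixes such as command="..." are skipped), joins
# everything after the base64 blob into the comment c, and compares it to who.
# keep=1 prints every line except matches (revoke); keep=0 prints nothing.
# Exit status is 0 if at least one line matched.
KEYSCAN='
    /^#/ || /^[[:space:]]*$/ { if (keep) print; next }
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
        c = ""
        for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
        if (c == who) { hit = 1; if (keep) next }
        if (keep) print
    }
    END { exit hit ? 0 : 1 }'

# Return 0 if authorized_keys file $1 contains a key whose comment is exactly $2.
has_key() {
    awk -v who="$2" -v keep=0 "$KEYSCAN" "$1"
}

# Remove every key in $1 whose comment is exactly $2. The rewrite is atomic
# (temp file, then rename) and the result is mode 0600 as sshd expects.
# Returns 0 if a key was removed, 1 if nothing matched (file left untouched).
revoke_key() {
    file="$1"; who="$2"; tmp="$file.tmp.$$"
    if awk -v who="$who" -v keep=1 "$KEYSCAN" "$file" > "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$file"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Grant user $1 exactly one command ($2) as root by writing a sudoers drop-in
# to $3 (normally /etc/sudoers.d/<user>, an assumed path). Mode 0440 is what
# sudo requires for drop-ins; run `visudo -cf "$3"` before relying on it.
grant_role() {
    printf '%s ALL=(root) %s\n' "$1" "$2" > "$3"
    chmod 440 "$3"
}

# Constructed sample authorized_keys; the base64 blobs are not real keys.
# The third entry carries a forced-command option prefix containing a space,
# which is why the scanner searches for the key-type field instead of using $1.
write_sample_keys() {
    cat > "$1" <<'EOF'
# deploy host authorized_keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0001 alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0002 bob@desk
command="/usr/bin/rrsync /srv/www",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0003 ci-deploy
EOF
    chmod 600 "$1"
}

# Stand-alone walk-through in a scratch directory: offboard alice, confirm
# bob and the CI deploy key survive, give bob a single privileged command.
main() {
    dir=$(mktemp -d)
    write_sample_keys "$dir/authorized_keys"
    revoke_key "$dir/authorized_keys" alice@laptop && echo "revoked alice@laptop"
    has_key "$dir/authorized_keys" bob@desk && echo "bob@desk still present"
    has_key "$dir/authorized_keys" ci-deploy && echo "ci-deploy still present"
    grant_role bob "/bin/systemctl reload nginx" "$dir/sudoers-bob"
    cat "$dir/sudoers-bob"
    rm -rf "$dir"
}
main
```

Matching on the comment field is only as reliable as your discipline in naming keys (one key per person and device, comment set when the key is generated); matching on a fingerprint from `ssh-keygen -lf` is the stricter variant when comments cannot be trusted.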

