What To Do about Passwords in Your Disaster Recovery Plan

One post thread on Spiceworks caught my eye. The Spicehead wanted to know what to do about passwords when it came to DR plans. Was he supposed to put the passwords into it, or just what was he supposed to do with them? Well, the first thing you don’t want to do is put them in the Disaster Recovery plan itself. The reason for that is simple. This is a plain text sort of document, there’s more than one copy of it, and it’s supposed to be open for anyone to inspect. So there’s plenty of opportunity for passwords to get out in the wild there.

So, what do you want to do with them?  Well, it’s OK to mention in the plan that passwords are kept at such and such a location, and that’s about all you need to do to mention the existence of special passwords.

So, we still have the same question.  What do you do with them?  Well, there are a lot of different ideas on that.

The first idea here is you have to keep them someplace offsite, just like you would with a backup. They won’t do you a lot of good if they’re encrypted on a server that managed to get burnt up along with everything else. And putting a list in the old fireproof safe isn’t the smartest idea because you might not be able to get to it right away if the building collapses or is just plain unsafe. And remember, fireproof is the wrong term. Try heat resistant, which means the safe will hold up for X amount of time to X amount of heat before the heat reaches the interior.

One way is to simply print them off or write them into a notebook. Once you’ve done that, you need to keep it someplace safe like a safety deposit box in a bank. Make sure to limit access to it (in short, only a handful of people need to have access to that vault, the fewer the better). If you want to increase the security a bit more, toss it on a USB thumb drive (along with an electronic copy of the plan of course), and encrypt the heck out of it. Again, the fewer people who have access to the vault, the better, and the fewer people who know the decryption password, the better. So, how do you police the password?

Well, let’s borrow a piece from Nuclear Weapons security. Print up a card with random passwords (the longer the better, and of course one passcode will be real), randomize them on the card, laminate it, and give it to the people who need it. Of course only they’ll know which of the five passcodes really works. And don’t put a word on the card about what it goes to; what the cards are for can be tribal knowledge that isn’t written down anywhere. Indeed a good exercise once a year would be to have users pull out the card, and verify they know which passcode is theirs.
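Here is a sketch of that card idea in Python, added as an illustration and not something from the original thread. It generates the real passcode and the four decoys the same way so nothing marks the real one out, and it puts the same five codes on every card in a different order so that comparing two cards gives nothing away. The 20-character length, the alphabet and the holder names are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed character set
CARD_SIZE = 5       # the card described above: five passcodes, one real
PASSCODE_LEN = 20   # assumed length; longer is better

def new_passcode(length=PASSCODE_LEN):
    """One random passcode drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def make_passcode_set(size=CARD_SIZE, length=PASSCODE_LEN):
    """Generate the real passcode and its decoys identically, then pick
    the real one at random. Returns (real, all_codes)."""
    codes = set()
    while len(codes) < size:          # the set guarantees no duplicates
        codes.add(new_passcode(length))
    codes = sorted(codes)
    return secrets.choice(codes), codes

def make_cards(holders, real, codes):
    """Same codes on every card, shuffled per holder. Only the slot number,
    passed on in person and never printed on the card, marks the real one."""
    rng = secrets.SystemRandom()
    cards = {}
    for holder in holders:
        order = list(codes)
        rng.shuffle(order)
        cards[holder] = {"lines": order, "real_slot": order.index(real) + 1}
    return cards

def render(lines):
    """Card text: numbered passcodes only, no hint of what they open."""
    return "\n".join(f"{i}. {code}" for i, code in enumerate(lines, 1))

if __name__ == "__main__":
    real, codes = make_passcode_set()
    holders = ["holder-a", "holder-b"]  # constructed names
    for holder, card in make_cards(holders, real, codes).items():
        # This header is for whoever prints the cards, not for the card.
        print(f"--- {holder}: real passcode is slot {card['real_slot']} ---")
        print(render(card["lines"]))
```

Run it on a machine you trust, set the chosen passcode as the decryption password, and keep no saved copy of the output.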

You can also keep it on a laptop, preferably one you always have with you. Trouble is, laptops have an annoying tendency to get left in cars. Thieves break into cars and they steal laptops. If you do put it on a laptop, make sure you need a really good password to start the laptop (think BitLocker encryption, and if you really want to annoy a potential thief, toss a BIOS password on it as well). Inside, have a program like LastPass, KeePass or such, and have a separate password just for that (again, make sure it’s a good one). That should drive any potential thief up the wall, or it will send you up the wall remembering three separate passcodes. Also, some of the password vaults out there will feature two factor authentication which will just make your job easier.

There’s a lot of good cloud-based offerings where you can store passwords, and the vast majority are very reputable. They don’t want to know your passcodes, but you do need one. This is another example of having something really robust in terms of a passcode. If they can offer some manner of two part authentication, then that’s even better.

The whole problem with keeping passwords on the cloud is the same as keeping money in a bank. Just as every thief in the world knows money is kept in a bank, they know passwords are kept in a cloud password vault. Do expect hackers to come gunning for those sites (as if they aren’t already). So read their offerings carefully, and always ask questions concerning the cybersecurity and backups that they do.

One final thing to point out is this. You will need to plan on how you keep passwords up to date. If you add something new, delete a password or change it, then you need to keep your list of sites up to date. So plan on that, and on how and when you do it.

As always, there’s no such thing as making anything 100% secure.  But by paying attention to what you’re doing, doing your homework, and thinking things through, you can at the very least make sure that passwords for DR purposes are reasonably safe.

Richard is a freelance IT consultant, a blogger, and a teacher for Saisoft where he teaches VMware Administration, Citrix XenApp, Disaster Planning and Recovery for IT, and CompTIA Server+.