Password lockbox

With the advent of Sarbanes-Oxley, it seems everyone is hot to start changing their passwords on a regular basis. This is enough of a problem for people, but when systems need to use passwords to get things done automatically, it turns into a nightmare.

I started putting together a specification for a password “lockbox” that would handle this. It would have to be able to handle standalone machines that were their own security domain (e.g. Unix with local passwd file) or a group of machines that share the same password (e.g. NIS or AD). It would be nice if you could encode the password expiration policy and have the system automatically change the password for you so it wouldn’t expire. You’d want sophisticated ACLs to control who can see which passwords.
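A minimal sketch of the requirements listed above, added here as an illustration; it is not the original specification and not any vendor's product. Credentials are keyed by security domain, carry their expiration policy and a reader ACL, and are rotated before they expire; the class names, the `set_password` callback, and the seven-day margin are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Credential:
    domain: str        # security domain: one standalone host, or a shared NIS/AD realm
    account: str
    secret: str
    changed: date      # date of the last password change
    max_age_days: int  # the encoded expiration policy
    readers: set = field(default_factory=set)  # ACL: principals allowed to read it

    def rotation_due(self, today, margin_days=7):
        # Rotate a few days before the policy would expire the password (assumed margin).
        return today >= self.changed + timedelta(days=self.max_age_days - margin_days)

class Lockbox:
    def __init__(self, host_domains):
        self.host_domains = host_domains  # host -> shared domain it belongs to
        self.creds = {}                   # (domain, account) -> Credential

    def add(self, cred):
        self.creds[(cred.domain, cred.account)] = cred

    def fetch(self, principal, host, account):
        # A host with no mapping is its own security domain (local passwd file).
        domain = self.host_domains.get(host, host)
        cred = self.creds.get((domain, account))
        # Deny by default, with the same error for "unknown" and "not allowed".
        if cred is None or principal not in cred.readers:
            raise PermissionError(f"{principal} may not read {account}@{domain}")
        return cred.secret

    def rotate_expiring(self, today, set_password):
        # set_password(domain, account, new_secret) is a hypothetical hook that
        # performs the actual change on the host or directory service.
        rotated = []
        for cred in self.creds.values():
            if cred.rotation_due(today):
                new_secret = secrets.token_urlsafe(24)
                # Change the target first: if this raises, the stored secret is untouched.
                set_password(cred.domain, cred.account, new_secret)
                cred.secret, cred.changed = new_secret, today
                rotated.append((cred.domain, cred.account))
        return rotated
```

Because a shared domain holds one entry, a single rotation updates the password that every member host's automated jobs fetch.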

Yesterday I went to a presentation from a company about a product of theirs that seems to cover all of this and more: Cyber-Ark’s Enterprise Password Vault.

It’s not cheap, but on the old build-versus-buy continuum, I think this is one I’d rather buy.
