The password generation templates and options are cool and all, but one of the things we have done for many years is to set our local admin accounts' credentials using the passgen utility that was originally published in Steve Riley and Jesper Johansson’s book Protect Your Windows Network. The main idea of the tool is to create a unique password by using an identifier and a passphrase. The identifier is just the computer name. The passphrase is the variable part, but by using the same password when setting the local admin accounts for all servers, what you get is unique local admin passwords for every server that can be derived even if DPS is inaccessible. For extra credit, we use different master passwords based on the type of account (local Admin, SQL sa accounts, service accounts, etc.), so the ability to select from an array of passwords from a saved source in the vault would be nice.
How this tool could work:
- An administrator would set the master password(s) as well as the length and complexity. The master passwords could be revealed by anyone given a master password reviewer role.
- The tool then could be used by any team member with access to the master passwords to derive credentials to accounts within the scope of that particular master password.
- The passgen tool from the book can also update the passwords for all of the local hosts when given a new master password; this may be a bit heavy for the tool, but it certainly has come in handy for us during our regularly scheduled updates.
- By re-using code from something like passgen, the tool could be standalone, meaning it would not need RDM or DVS, in case that was inaccessible.
In summary, the random password gen tool you have is cool, but I think customers would also benefit from a predictable password gen tool, like passgen or SuperGenPass (web-based approach to the same challenge).
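The derivation the post describes (master passphrase + computer name, optionally partitioned by account type) can be illustrated with a small Python script. This is an added example written for this page; it is not the poster's code, not the passgen utility from the book, and not SuperGenPass, and the construction is an assumption: the master passphrase is stretched with PBKDF2-HMAC-SHA256 (salted with the scope name so "local-admin" and "sql-sa" masters never collide), and per-host output is taken from an HMAC-SHA256 counter stream keyed by that stretched secret. The function names, the symbol set and the "uppercase the host name" normalization are all choices made here, not part of any product.

```python
"""Deterministic per-host password derivation (added example, not passgen itself)."""
import hashlib
import hmac
import string
from typing import Dict, Iterable, Iterator

SYMBOLS = "!#%&*+-=?@_"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it for production use


def _byte_stream(master: str, scope: str, identifier: str) -> Iterator[int]:
    """Yield an unbounded, deterministic byte stream for (master, scope, identifier).

    The master is stretched once per scope with PBKDF2 so an offline guess at the
    master from one leaked host password costs one PBKDF2 run per guess. The
    identifier then keys a counter-mode HMAC so every host gets its own stream.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), scope.encode("utf-8"), PBKDF2_ROUNDS
    )
    counter = 0
    while True:
        msg = f"{identifier}\x00{counter}".encode("utf-8")
        for b in hmac.new(stretched, msg, hashlib.sha256).digest():
            yield b
        counter += 1


def meets_complexity(pw: str) -> bool:
    """Require at least one lowercase, uppercase, digit and symbol character."""
    return (
        any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def derive_password(master: str, identifier: str, scope: str = "local-admin",
                    length: int = 16) -> str:
    """Derive the password for one account from a master passphrase.

    identifier is the computer (or instance) name; it is upper-cased so that
    'srv01' and 'SRV01' derive the same secret. scope selects which master the
    caller is using (local admin, SQL sa, service accounts, ...).
    """
    if length < 4:
        raise ValueError("length must allow one character of each class")
    ident = identifier.strip().upper()
    stream = _byte_stream(master, scope, ident)
    # Rejection sampling: drop bytes that would bias the modulo mapping.
    limit = 256 - (256 % len(ALPHABET))
    while True:
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        if meets_complexity(candidate):
            return candidate
        # Otherwise keep consuming the same stream; still deterministic.


def derive_for_hosts(master: str, hosts: Iterable[str],
                     scope: str = "local-admin", length: int = 16) -> Dict[str, str]:
    """Batch derivation, e.g. to feed a scheduled rotation of every host's account."""
    return {h.strip().upper(): derive_password(master, h, scope, length) for h in hosts}


if __name__ == "__main__":
    # Constructed sample input, not real infrastructure.
    sample_hosts = ["srv01", "SRV02", "dc01"]
    for host, pw in derive_for_hosts("correct horse battery staple", sample_hosts).items():
        print(host, pw)
```

Two things worth keeping in mind with any scheme of this kind: the master passphrase is exactly as sensitive as every password derived from it, so it belongs in the vault with the same access control the post proposes; and because the derivation is one-way, a single leaked host password does not reveal the master directly, but it does let an attacker test guesses at the master offline, which is why the example stretches the master with PBKDF2 rather than hashing it once. Rotation is handled by changing the master (or by folding a version string into the scope name), which regenerates every host's password at once.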
This is an interesting idea. I will add this to our todo list and try to do more research.