password stores?


i'm wondering how large isps offering managed cpe services manage their
password databases.

let's say radius/tacacs is used for normal cpe user aaa, but there is
some 'backup' local user account created on the cpe for situations when
the radius server is unreachable. for security reasons, this backup
account (as well as snmp communities, radius key etc.) is unique per cpe
to avoid frauds caused by end-users (even if one does password recovery
on the cpe, they still don't have the password for other cpe's).

if there are hundreds or thousands of these cpe's that could mean
storing of tens thousands of password. are there any crypto-based
products available or do the people use their own stuff?


Slovakia, that's an interesting one for NANOG.

Key management is still a hard problem. It would be nice if the NSA
published how they do it, but I suspect they don't have a cost-effective
way either. Vendors/providers are all over the board. For the most part,
if you are concerned about security you should view it as any other vendor
default password.

On the other hand, people sometimes latch onto small vulnerabilities. If
the only way the password can be used is at the local console, it may be
considered only a slightly increased security risk. If someone has
physical access to your console, you're usually toast anyway. You might
configure things so the local password only works when the network
authentication is not available. This reduces the window of opportunity.
Its still a risk. But it may be an acceptable risk, such the fire
department requiring a master key kept in a lockbox outside the front door
of a office building.

The broadband forums have started talking about this. But the solution
they came up with isn't that great, disable local access. I suspect
eventually we'll see PK smartcard addressible CPE, much like
satellite/cable set-top boxes, and customers will no longer be able to
(easily) access the box.