user599292 wrote: These days having to know the password is seldom necessary for "continuity". And it has been more than a decade since I've last seen the password-on-paper-kept-safe-by-manager approach being used.
Yes, that was my guess: the password may be required if the admin was off when that credential was required to perform an urgent task, hence the need to record it somewhere another admin can access it. But I guess from a risk perspective it's identifying where the password is, and who can access it, so it doesn't fall into the wrong hands.
Billy Verreynne wrote: +1
Password based security is based on the principle of using a secret, and using that secret for identification.
It makes no sense to document that secret. Have never seen DBAs "documenting" such secrets for "continuity" (fail to grasp why continuity would be a reason).
What some shops do is have the DBA/sysadmin record the password on a piece of paper, stick it into a sealed envelope, and have the manager keep it. Reason: should the admin person knowing the secret not be available to perform some urgent task requiring the secret, a stand-in will need to do the task, but will require the secret to do it. (Is this what you implied with continuity?)
To be honest - I question the credentials of a DB security speaker when this person states that DBAs record passwords as plain text in documents as common practice.
I have been doing DBA stuff in some form or another since the 80s - and have NEVER seen this "common practice" anywhere.