From Metro Studios Knowledgebase
 Best Practices
For the time being there is no password requirement for Metro Studios passwords, but it is best to implement a best practices policy in order to keep the passwords that allow us to do our jobs safely in regards to our clients.
There is no official requirement for the complexity of the passwords that you use; but, you should employ the best practices possible in the generation of your passwords.
Best case scenario is to have at least a password at least 20 characters in length using uppercase letters, lowercase letters, numbers, and symbols. If you follow these requirements you will have at least a 128 bit password.
Not all passwords you use and generate are going to be able to use these requirements. Ex: Plesk FTP passwords can't be over 14 characters in length and cannot contain quotes.
We should be generating password strings randomly using password generation software. Thankfully KeePass has a built in password generation function which works great for just such a thing. If you're unable to use KeePass there is a Windows application on the T: drive located in /metrofs1/Antidote/Developer Stuff/Applications/passutils.exe. The passutils.exe is great if you have to generate multiple passwords or strings. (I personally use passutils.exe to generate large lists of promotional codes from time to time)
The storage of your personal account passwords and your Metro Studios account passwords should at all times be encrypted. Right now we are using the KeePass software to catalog and encrypt the majority of our department's user accounts and credentials. This KeePass database is the 2.x flavor of KeePass databases in order to implement synchronization of said database.
Any transmission or communication of passwords should be done as securely as possible. This means no passwords should ever be sent to another person in plaintext including but not excluded to, IMs, email, and passing of a plaintext document.. If you have to transmit a password the best possible way would be to do so by phone, or encrypted chat.
 Periodic Updating
We will be periodically updating all of our administration passwords in order to keep a secure rotation. During these periodic updates notifications will be given to all web personal to refer to our KeePass database for a new set of passwords, Ex: FTP. Special consideration will have to be taken for additional Metro Studios employees not in the Web Department and they will be listed under Password Update Special Considerations.
 In Source Code
If you are using a user name and/or password in your source code make sure that it is not an administrative account. The definition of an administrative account would be an account that could potentially effect another application/site or potentially effect server resources. The #1 issue with this one is the segregation of MySQL accounts, and limiting privileges as much as you can.
Issues that we've had in the past with this are primarily the use of Plesk admin or root MySQL accounts in PHP source code.
 In Plaintext
If your password is stored in plaintext, it probably shouldn't be unless it falls under a very few special circumstances. It is OK to have a password in plaintext if it is a MySQL username and password that is used by an application or site.
 Updating a Password in KeePass
There is no more stipulation on updating your passwords in KeePass since we have now moved from the 1.x KeePass database format to the 2.x one.
 Special Considerations
The video department here at Metro Studios uses specific FTP credentials of ours that need to be communicated to them upon updating. The only accounts that they use that I know of are:
- metro_ftp for the main Metro Studios site. (they use this for Flash 8 video approval)
- Multiple users on fms1
 Location / Lockdown
The KeePass database is stored on the T: drive in the following directory: /metrofs1/Antidote/MPL/mpl.kdbx
The KeePass database should NEVER leave the building unless it is under very a special circumstance. The only discovered circumstance is if the internet at Metro Studios were to be out and we were unable to VPN in from home in order to gain access to the document. See Internet Outage Situation for details on what our policy is when Metro Studios internet drops.
Access to the KeePass database should be strictly by local network access or VPN alone. We need to keep the KeePass database in one location on the T: drive to reduce the amount of merging of multiple databases as this is what caused us to not follow through with KeePass before.
There should only be 1 copy of the KeePass database at all times.
 Master Key
The master key is rotated monthly and every member of the department will be asked to memorize in order to keep a consistent rotation.
This key should not be stored anywhere as it is a highly sensitive piece of information.
 Key File
There are mpl.key files that are passed out on thumb drive. A key file is required every time you authenticate against the KeePass database, this is an extra layer of protection as we're not only relying on a password string. These files will be rotated every so often by an administrator to ensure maximum security of the KeePass credentials.
 Internet Outage Situation
If and when the internet drops here at Metro Studios we will have a couple of options to gain access to individual passwords in the KeePass database by phone. If it is within business hours you would first contact anyone from the web department, and then you would contact Becky as she is the only individual outside of our department with access to the database.
If the internet is down outside of normal business hours and we need emergency access to the KeePass database then a web department employee would be forced to travel to the office to provide phone delegation of needed credentials to the other employees.
In certain maintenance situations we may allow the KeePass database out the door on a thumb drive along with the KeePass key. This is only done in situations that call for an employee to continue production from home during an internet outage situation.