[kefka]

Tell me about it. Fortunately where I work is sane and reasonable about it.

We have a password sheet. You have to be on the VPN(login/password). Then you can log in. Login/Password(diff from above)/2nd password+OTP. Then a password sheet password.

I'm still rooting out passwords from our repo with goobers putting creds in sourcecode (yeah, not config files....grrrrr). But I attack them as I find them. Ive only found 1 root password for a DB in there... and thankfully changed!

[posixplz]

A plaintext password sheet? Despite the layers of network access control, this is a horribly bad practice in our modern age. Vault is free and encrypted secret storage systems are hardly a new concept.

[kefka]

Not at all. The password sheet password is actually a GPG key. Everything stored encrypted.

We suffer from NIH greatly. We end rolling our own stuff because either we don't trust 3rd party stuff, or it doesn't work in our infrastructure. In this case, multiple access locks with GPG is sufficient.

[posixplz]

A response 8 days later is better than no response at all, right? :)

I agree that a multi-recipient GPG protected file is sufficient for a small org. In fact, that's how I used to do it Circa 2011. We found it worked quite well - we committed the GPG protected files to a version control system (git) and used githooks to make sure that only encrypted files were permitted, preventing users from intentionally/accidentally defeating gitignore.