VSS Password Guidelines
A customer recently asked, “In most VSS articles, the recommendation is for the VSS password to match the domain password. In short, since the VSS users database is (a) difficult to secure from VSS users, and (b) passwords are stored plain-text, I wondered if this is really a good idea.”
This query prompted me to generate the following password guidelines for VSS. If you have other suggestions, please add a comment. I am not a security expert, by any means. Also, Andrew provides a great primer on Safe Computing that is a must-read.
SourceSafe Password Guidelines
1. Don't use the same computer password twice. Your domain password should differ from your VSS password.
2. Include one number and one character in your password.
3. Don't leave your passwords on a post-it on your monitor.
4. Be paranoid.
5. Change passwords for the guest and Admin users as soon as you create a new VSS database.
6. Don't forget the Admin user's password...ever.
7. Strictly limit access to the Admin user's password. One Admin is safest. Two Admins is wise (see Rule #4). Three Admins is neither safe nor wise.
8. Write your password down in at least two places...in case you lose one of them or forget where it is.
9. Don't send your password by email, IM, or pigeon. Most pigeons have links to sophisticated underworld crime syndicates. If you don’t believe this, go rent Ghost Dog: The Way of the Samurai.
If your network is secure, your SourceSafe databases are secure as well. In Avoiding the VSS Login Prompt, I warned that, “team members should be FORBIDDEN to use the same password in VSS as they do for their network account since anyone with administrative access to the VSS database can obtain it.” This statement is true, but only partially so. It’s partially true because VSS passwords are encrypted. Nonetheless, a knowledgeable insider with unlimited time can do amazing things. If in doubt, see rule #4.
For more information about how to optimize the security of your VSS databases, see VSS Security Tip and Introduction to Visual SourceSafe Database Security.
[minor edit on 1/22 at 1310hrs by KorbyP]
This posting is provided "AS IS" with no warranties, and confers no rights.
Comments
Anonymous
January 22, 2004
I haven't ever met anyone else who has actually seen Ghost Dog... great movie.
Anonymous
January 22, 2004
What about password length?
And shouldn't number (2) be "Include at least one number and one character in your password"?
Anonymous
January 22, 2004
VSS might be safe from intruders, but your data is never safe. I've used VSS on a couple projects and the database corrupts itself about once a week, resulting in data loss. No wonder Microsoft does not use VSS internally for its own projects.
Anonymous
January 22, 2004
I use NTFS permissions to secure the user accounts and data.
I basically have a group for our only VSS database called "default". Only people in there have the rights to use VSS. Of course they could come in and wipe out the database easily but it's a manner of inner-trust.
The way I secure the user accounts is that I give only the user who is supposed to login to that account access to their USER directory. I do not use passwords since I use NTFS security.
I am pretty sure this was the recommended method for creating a team environment in VSS.
Anonymous
January 22, 2004
The VSS development team's databases (and my documentation database) are all set up like Adam's. An individual user can associate a VSS password with their domain name-derived VSS username if they want, but doing so is not required.
Anonymous
January 22, 2004
Mike's right. For details, see http://weblogs.asp.net/korbyp/archive/2003/06/05/53999.aspx.
Anonymous
January 22, 2004
....if you have VSS Admin, Tools/Options "Use network name for automatic user log in" selected (which is the default), and the name of the currently logged on user matches the name in sourcesafe, then VSS doesn't use the password at all...!
Anonymous
January 22, 2004
Yo runtime,
1) You can prevent and/or identify and fix data corruption issues in your SourceSafe database by running the Analyze utility. I posted a script that automates the process in http://blogs.msdn.com/korbyp/archive/2003/07/16/54063.aspx.
2) The SourceSafe team has and I am told will continue to hunt down and eliminate or mitigate data corruption issues. I apologize for any inconvenience you may have experienced in the past and assure you that your concerns are being heard.
For the record, this blog is provided "AS IS" with no warranties, and confers no rights.
Anonymous
January 22, 2004
In a time of need, the FAQ below allowed me to reset the admin password for a VSS database:
http://www.michaelis.net/SourceSafe/Faq.htm
Anonymous
January 23, 2004
I might also suggest using a password generator. Some versions of Windows (server I think) ship with them and you can find a bunch of good ones googling as well.
josh
Anonymous
January 29, 2004
Writing a password generator isn't too tough either. In .NET simply do Guid.NewGuid.ToString()...if need be, cut off a certain length.
Anonymous
September 25, 2005
I forgot the Admin password of VSS.
What is the default password of the VSS Admin?
Anonymous
August 31, 2006
We lost the VSS Admin password since the previous colleagues left. Is there any method we can use to reset the password? If not, how can we do the admin tasks?
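Guideline 2 and the comments above about password generators and password length, as an added example that is not part of the original post or its comments: a generator that draws every character from the operating system's cryptographic random number generator instead of truncating a GUID, which RFC 4122 says should not be assumed hard to guess. The alphabet, the 12-character floor and the class name `PasswordGenerator` are assumptions chosen for illustration, and the code assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class PasswordGenerator
{
    // Constructed alphabet (an assumption): look-alike characters such as
    // 0/O and 1/l/I are left out so a written-down password reads back cleanly.
    const string Letters = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ";
    const string Digits = "23456789";
    const string Alphabet = Letters + Digits;

    // Assumed minimum length; adjust to whatever the target system accepts.
    const int MinLength = 12;

    public static string Generate(int length)
    {
        if (length < MinLength)
            throw new ArgumentOutOfRangeException(
                nameof(length), $"use at least {MinLength} characters");

        var chars = new char[length];
        do
        {
            for (int i = 0; i < length; i++)
            {
                // GetInt32 uses the OS CSPRNG and returns a uniformly
                // distributed index, so there is no modulo bias.
                chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
            }
        }
        // Guideline 2: at least one number and one letter. The whole password
        // is redrawn on failure instead of patching a single position, so
        // every accepted password stays equally likely.
        while (!chars.Any(char.IsDigit) || !chars.Any(char.IsLetter));

        return new string(chars);
    }

    // Upper bound on entropy in bits for a password of the given length.
    public static double EntropyBits(int length) =>
        length * Math.Log2(Alphabet.Length);

    static void Main()
    {
        Console.WriteLine(Generate(16));
        Console.WriteLine($"about {EntropyBits(16):F0} bits of entropy");
    }
}
```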