How do very big companies manage passwords?

Third-party password managers such as 1password, etc. are very useful for people, businesses, etc. to store passwords, but obviously I bet Facebook, Google, Twitter and other super big tech companies don’t use such third-party services and have their own password managers for their most critical passwords.

How can a very big company manage some of the world’s most sensitive passwords? (example: Gmail team root access password!)

Even with the most advanced password manager, you still have the problem of the master password.

Should this be shared among a few trusted people? Or kept by only 1 or 2 people (then what happens in the case of an accident?)

Are big companies known to use implementations of Shamir’s Secret Sharing?

More generally, what are well known methods that very big companies use to manage their most sensitive passwords? (i.e. passwords that, if lost, could generate tens of billions of $ of loss)

Oauth2.0 | How to manage user session in Single Page application running in an iframe?

I’m new to security domain, and recently I have learned about Oauth2.0/OpenID connect and JWT tokens. I have an existing REST based web application where I need to implement security.

Server

Application A: Spring boot back-end application sever, with some RestEndpoints exposed connected with Mysql database.

Front End

Application B: Spring boot Web Applicaiton which have some JSP pages for login and some other template features(Also connected with same Mysql database used by back-end server).

Application C: Inside application B we have an Iframe in which Angular app is running, angular app calls the back-end server and show data.

Also in future we want to use SSO for our application as well.

Current Security

At the moment we don’t have any security on back-end server (i.e We can simply call RestEnd points without any authentication), Application B has basic login security implemented via spring security. User logins on application B and then he/she can use application C (Angular) as well. User session is managed at Application B, when session expires users forced to logout.

Oauth2 Authorization

What we are trying to acheive is make the server (Application A) as Oauth2Resource server and Oauth2Authorization server. Application B (JSP front end) remove database connection from it as well as the login controller, application B will call oauth2 server for authorizing user with "password" flow, when application B will receive access_token and refresh_token it will then somehow pass it to Iframe (angular app) to store these tokens inside cookie and on every subsequent request to server angular will add access token to it.

I’ve read articles about that Oauth2.0 have deprecated the use of "Implicit Flow", and they prefer to use the "Authorization Code Flow". I am having a very hard time to understand how this flow can be used for single page applications(SPA like angular). Also where to store the access_token and refresh_token if I use the implcit flow? I’m aware that storing both tokens in cookies is not a good practice.

Also how to manage user session now? what I have gathered so far is that, on requesting resource server with Bearer access token, when we get unauthorized response, we’ll then request for new access token with help of refresh token, but in case when refresh_token is also expired I will force user to login screen. Is this right approach?

Sorry for the long context, any help will be highly appreciated. Thanks

I manage to connect to Azure Analysis Services from SSMS, but not from SSIS

I’m new to the Microsoft Server Suite.

I’ve downloaded SSMS and connected to Azure Analysis Services from it. I’m able to query my data using mdx without any problems.

However, I actually intend to build an ETL pipeline with the AAS cube as one of the sources. So I installed SSIS and have been trying to connect it to the AAS cube.

I first add "Analysis Services Processing Task" to the package. The result looks ok (when I click on "Test connection" the result is positive). But when I click on "Add", it doesn’t detect any cubes (there are two on the AAS server specified):

enter image description here

I assumed it worked anyway, but I can’t query the cube no matter how I try to do that. I added "Execute SQL task", but when I run it, it gives me an error:

enter image description here

enter image description here

enter image description here

The error message is:

An OLE DB record is available. Source: "Microsoft OLE DB Driver for SQL Server" Hresult: 0x80004005 Description: "Login timeout expired". An OLE DB record is available. Source: "Microsoft OLE DB Driver for SQL Server" Hresult: 0x80004005 Description: "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.". An OLE DB record is available. Source: "Microsoft OLE DB Driver for SQL Server" Hresult: 0x80004005 Description: "Named Pipes Provider: Could not open a connection to SQL Server [53]. ". Error: 0xC00291EC at Execute SQL Task, Execute SQL Task: Failed to acquire connection "asazure://northeurope.asazure.windows.net/xxxx". Connection may not be configured correctly or you may not have the right permissions on this connection. Task failed: Execute SQL Task Warning: 0x80019002 at Package: SSIS Warning Code DTS_W_MAXIMUMERRORCOUNTREACHED. The Execution method succeeded, but the number of errors raised (1) reached the maximum allowed (1); resulting in failure. This occurs when the number of errors reaches the number specified in MaximumErrorCount. Change the MaximumErrorCount or fix the errors. SSIS package "C:\Users176\source\repos\Integration Services Project1\Integration Services Project1\Package.dtsx" finished: Failure. The program ‘[18664] DtsDebugHost.exe: DTS’ has exited with code 0 (0x0).

Any ideas?

How to manage a mute PC?

I am GM in a custom universe I created (medieval fantastic), and a player asked me if he could create a mute character. I refused because I was afraid it would be too hard to manage, and not fun for him to play. Not to mention that the system I use is very basic and does not handle such a case, so I cannot rely on it.

By mute I mean a character who cannot make sounds with his mouth/throat. There is no universal sign language in this universe.

More specific concerns:

  • I am afraid the player will not play as much as before. He is a good player with good experience, but he sometimes thinks that RP restrictions forbid him from acting in some situations (if he is not the most skilled person in the group in a specific issue, he will not participate in it). How could I encourage roleplaying of the mute character (just like you would encourage a warrior to do things by putting battles in the story)?

  • As a GM, creating a place in the story for that kind of character seems almost impossible. He won’t be able to discuss his feelings or ideas with the other PCs and NPCs. As the stories I create are generally based on ethical discussions, information gathering from other characters, and are generally socially focused, I don’t know how to give the mute character his own piece of the cake. How can I give the player challenges and rewards while he is unable to do anything that involves discussion in a mostly social story?

  • A character who cannot express its ideas in the group is a sad character. What means do I have as a GM, and does he have as a PC, to communicate with the group in a easy and direct way, to make it immersive yet enjoyable?

  • Finally, if possible, I would like to know if you have any experience with this. I would like to let the player try, but I don’t want to ruin a whole campaign because of that decision.

EDIT : Regarding the answers

I accepted the answer because it displays the most practical advice, and experience, while covering all points of my question very carefully. The other answers here are still very good, and I suggest you look at all of them is you are in the same position as me.

How to better manage Qualys WAS for 30 sites that are scanned monthly

I was giving the responsibility of a Qualys WAS. There are around 30 sites I need to monthly scan, and check alerts. I need to automate all this process so I’m thinking on this

  1. Create a script or application that could easily schedule and start the scan of the sites

  2. The same app will also pull the reports from Qualys WAS

Now it comes to the issue:

I need to report on the issues found. And have those reports where they could be accessible for compliance reasons.

What do experts do about this?

  • Is the best option to create an application that pulls the issues found from Qualys and later, presents them in a system or DB, with a web interface easy to be validated and share with people who need to access that info?

  • Do you think that having 30 sites, scanned monthly, validating issues found, and doing some other administrative stuff to keep this part working as perfect as possible, do you think just one skilled engineer is enough 100% on this? Or do you think I will need to ask for more people?

My group is too big for my game, how to manage this situation?

So I may have a happy problem. I just finished a game with a group of five players, all of them enjoyed it and we’ve been talking about the next game we would start. None of them are problem players, none of them will refuse the invitation (I think) and ultimately all of them are friends and will know if one is excluded.

However, I find five players to be too much for me: due to the nature of the game we play, the kind of situations I like to set up and the time it takes to go through so many people while having some RP in there. Those issues make it so I have trouble running the game I’d like to run. Making it less enjoyable for me and, I think, for some of the players.

So… How can I, as a GM, deal with a group that’s too big for me if I don’t want to force someone out?

In a perfect world, one or two of the players would drop out of the game of their own volition. But realistically, I would like to drop one or two, which I don’t know how to go about making it happen, or make the game more manageable for the group I have.


Here are a few complications I have:

  • Everyone is friend of everyone else, so merely not inviting someone is just excluding them and hoping they don’t notice or don’t mind being left out.
  • Likewise, everyone seem to be looking forward to the next setting. So I don’t expect anyone to turn down the game unless there is a big change of playstyle.
  • There are no obvious problem-players. The worst I have are follow-along-players. So I have no real ground to expel anyone.
  • The playstyle I’ve found most enjoyable is one of low-combat and more RP and problem solving. Making kind of hard to engage five people.
  • I also find I like to take the time to RP a bit even when resolving mostly basic rolls, so that resolving a full day’s exploration in a single roll and narating the result is not something I want to do frequently.

I found some question close to mine on the site, the closest I have is this one: How can I manage a party that has grown too big?. But it doesn’t help my problem. Mostly because on the focus on Roll20 and dnd (we run a homebrew system for which the closest comparison I have is: Dungeon World with crunchier combat).


For reference, Here are the main avenues I had in mind in case I still have five players for a while.

  • Run the next game in a Westmarch-like style. Off-loading the burden of who is present to the players and giving me a reason to apply time pressure on the players. I’m not sure how feasable this is and may have to resort to selecting two nights instead of one. Based on our current speed. I can’t see how we could run a satisfying game in such a short time (that is partly my fault).
  • Keep the group and keep a close eye on the playtime IRL, keep things focussed. This is what I’ve been doing and I know it has the side-effect of giving little to no spotlight on the players who goes in the wrong direction and the difference between right and wrong direction is jarring in my narration (and I know some players noticed a few time). If someone decides to leave because of it… I can slow down because I have a more manageable group now. If noone dislike it, then I may be alright. But that is not the kind of game I’d like to run.
  • Keep the group and enforce a strict no-splitting rule. See how it goes. I tend to find 5 players+NPCs scenes tough to run and I expect the two least vocal players to just quit talking in such a game. But I can’t find another

How to manage rest with changing GMs and players

I have been running a west marches style D&D 5e game where the GM and the players (along with their characters) change between every session. Due to this, every session ends back in town and with a long rest so that players can change naturally. We have tried the gritty realism rest rules to try to make random encounters meaningful but we are still unable to fit more than 2-3 resource using encounters between long rests. This causes our spellcasters to be overpowered as they can use all their spell slots with no risk.

How can we follow the 6-8 encounters + 2 short rest mentioned in the DMG whilst still having some way to hand over each session?

Some ideas that come to mind:

  • Long rests cost gold or something so they don’t take one at the end of each session
  • Players can only long rest every other session or every 3rd session they come to.

Do you have any other suggestions or have you tried any of these ideas and how did it go?

How to manage a party that runs better in smaller groups?

I’ve been running a pathfinder campaign for close to 4 years now. In my mind it has been quite successful and my players are generally active and engaged in the story. However, over the course of the campaign I have noticed a strange trend that I’m not sure what to do about. It is kind of strange but I’ll do my best to explain it.

Group Composition

My player group consists of 4 (sometimes 5) players; my wife, my sister, my best mate and his girlfriend, another friend also plays but is currently overseas for a year. The age range is between 25-32 and the group all get on well. I love this group and want to see this campaign through to the end. Therefore splitting the group is an absolute last resort.

Campaign Details

I run a large scale open world campaign, with lots of sandbox play and opportunities for the players to explore. There are plots and threats throughout the world but where they go and how they deal with them is entirely up to the players.

Typically the party spend about 50% of it’s time exploring or traveling; 30% in towns, shopping or interacting with NPCs; and 20% in dungeons or on specific quests. I would like to adjust this slightly to reduce the amount of time spent traveling, most of the time is lost to indecision where the party can’t agree on a single course of action. More accurately they like to carefully examine every possible option before deciding, which takes a lot of time to reach a decision.

The Issue

Throughout the campaign there have been a few times when the party was split up, either for a scene or two, or for an entire session where I ran separate sessions for each half of the party. Most recently they encountered a pit trap that left the party separated in a dungeon. I switched back and forth between the parties until they could rejoin and it went quite well. Previously I’ve had two characters enslaved and forced to fight in an arena while the rest of the party worked on the outside to tilt the odds in their favour. These are just two examples from across a long campaign.

The pattern I have noticed is that almost every time I run one of these sessions the feedback I get is something like “That was the best session ever” or “best session in a while, I got everything done that I wanted to”. Basically the players constantly seem to enjoy sessions where they are separated more than ones where they are not.

Some reason I think this may be happening:

  • Faster decision making in smaller groups
  • More focused narrative where they always have a role to play in their scenes
  • Having less options forces them to think more creatively
  • Something to do with how I plan/run these session, though I am unsure what.

My Question

I’ve struggled with how to formulate this as a question so comments are welcome but here is my current question:

How do I best utilise the knowledge that my players enjoy sessions with smaller groups to improve my game?

Things I have considered:

  • Regularly splitting the party – I feel like this is the only solution that can reliably achieve this. But I’m having trouble thinking of ways to split the party often while maintaining a reasonable narrative flow.
  • Request for additional feedback – I’ve already tried this somewhat but haven’t gotten much that is meaningful. I can try for more targeted feedback with specific questions.
  • Changing the way I prepare my sessions – I think this is my preferred solution but I am struggling to identify what I am doing differently between the split and non-split sessions.

Answer types that I am expecting:

  • Advice on how to run for the whole group the way I do for the smaller group
  • Suggestions on what the issue with the larger group may be so that I can fix it
  • Advice on how to regularly split the party in a logical and narratively maintainable way.
  • Something I haven’t thought of (that really the point of this I guess)

TL;DR

My party seem to enjoy sessions where they are split into smaller groups. How can I use this to improve my game overall?

As a DM how can i manage a group with different amount of free time?

I’ve started playing D&D 5e with a group of friend recently. I’m the DM and there are 4 players. In this time of crisis, one is still working and is only available during week ends and the other 3 (and me) have quite a lot of spare time and are eager to play on a daily basis.

Is there a viable option for me and the 3 players to do some side questing or something else and play while not creating a gap between the players ?

Solutions like doing a side campaign without earning neither experience point nor gold seems to ruin the experience. I thought of multi classing but it seems to really impact the character even if the player only use its original class.

I see 3 solutions so far, but none are satisfying : 1: make player create another character 2: create a copy of the current character which will evolve separately 3: do an adventure where all exp and gold won’t be carried over to the main adventure

So i wondered if there is anything that i didn’t’ think of. Sorry if this is a duplicate but i didn’t find anything cause i don’t really know how to write the question in the first place.

How to manage players wanting to carry out opposing actions?

I need to pick your brains for experience in dealing with this sort of situation.

So, in our campaign there was recently an occasion where a character interfered with another character’s actions.

The chaotic good Cleric decided to save a lycanthrope, tie him up, cast Zone of Truth and then interrogated it. It promised it would not attack the party ever again. The Cleric released the creature. It dashed away.

As it was dashing off into the distance, the true neutral Warlock decided to Eldritch Blast it into oblivion.

There was no way the Cleric could interfere. The lycanthrope was beyond saving at the point.

The Cleric has already stated that she is very suspicious of the Warlock because of his track record of “finishing off” anyone and everyone. So, she is on alert already as to his way of behaving in these sorts of situations. She feels frustrated because she cannot carry out any benevolent or compassionate actions which is part of her role-playing her character, without the Warlock zapping her efforts.

So my question is:

How can the DM can apply a game mechanic to allow the Cleric to react to what the Warlock is intending to do?

Someone suggested the Cleric should be able to take an action to stop the Warlock – that both players might role initiative. The Cleric said would ready an action and either tie and gag the Warlock or cast Silence or Command.

I’d appreciate any thoughts on how to best manage this.