April 18th, 2005, 11:07 PM
Password Keeper App???
I've recently taken a new position in which I am one member of a team and not the only admin. My boss asked me if I knew of any apps in which our team could store all passwords and share amongst the team. Previously, since it was just me, I stored that stuff in a spreadsheet that I kept offline burned to a CD and locked in our server room. I was wondering/hoping that some of the other AO'ers our there might know of an app that would help out? Obviously given the nature of the content it needs to be secure.
just making some minor adjustments to your system....
April 18th, 2005, 11:12 PM
I don't have time to look for a free one right now, but in about 30 seconds on Google I found you this.
So go ahead and Google yourself; you'll find something.
April 19th, 2005, 12:11 AM
How many passwords are we talking? I would strongly suggest you not store passwords anywhere but in your head if possible. I would certainly not use a program for the passwords. Unless I'm mistaken, password programs are made to auto log you in, not just store the password. So if you MUST have them written down, I would put them in a text file, then use a GOOD encryption program. Whatever you do, just lock that file away, and in my experience when hiding passwords security through obscurity is a helper, so don't name the file "passwords" or anything remotely related to it.
April 19th, 2005, 04:10 AM
Check out PasswordSafe. Written originally by crypto-god Bruce Schneier. I use it for my stuff and it has import and export capabilities. http://passwordsafe.sourceforge.net/
A colleague of mine likes this app, KeePass, but I haven't checked it out. http://keepass.sourceforge.net
Downside to these is you can't have multiple user accounts, so my team and I just share the passphrase and when someone leaves we change it. Not the most elegant, but it keeps your passwords safe.
April 19th, 2005, 05:26 PM
We have been using Password Agent here. We purchased the product so that various groups can use it and store their master passwords in their own encrypted container. We have had no issues with it to date.
April 19th, 2005, 07:08 PM
We use a Word doc placed on a server with the password feature of Word with strong AES encryption enabled. The Word doc is compressed and encrypted with WinZip 9.0 using the AES 256-bit key encryption included in the US domestic version of WinZip. This way the file is encrypted twice and you need two separate passwords to open the master password document. Both of the passwords are passphrases that are at least 14 characters in length and meet most complexity requirements.
Auditing of the file is enabled for all access and NTFS permissions for both the file and the directory are limited to only those who have a need to know.
Of course we don't name the file passworddocument.zip. The name is very cryptic and you would never know what is in the zip unless you have a need to know. Access to the server that contains this document is restricted only to administrators, and no shares exist for the volume that contains the password document. You must term server or login locally to the machine to access the password document.
A written policy exists stating that the master password document must never be copied to another machine or anywhere other than the winzip archive it is normally stored in. Violation of this policy can result in immediate termination.
I would never rely on just a single program to protect this type of file regardless of who wrote the program. Also if the program doesn't generate some type of audit trail so that you know who used the file and what they did to it, I would not use it.
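The post above makes two checkable demands of whatever holds the master password file: every access is audited, and the file is only ever opened by need-to-know accounts logging on locally or via terminal server, never over a share. The script below is an added example (not code from this thread or from any product named in it) that reviews object-access audit events for such an archive against those rules. The log format, the archive path, the account names and the need-to-know list are all constructed for the example; the logon-type numbers follow the Windows convention (2 = interactive, 3 = network, 10 = remote interactive).

```python
"""Review audit events for a shared password archive against a need-to-know list.

Added example, not code from the forum thread. The event records below are
constructed in the style of Windows object-access auditing; the pipe-separated
format, the archive path and the allowed accounts are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical archive path; the thread deliberately gives the real name as "cryptic".
ARCHIVE = r"D:\ops\q7x2.zip"

# Need-to-know list (assumption): the only accounts permitted to open the archive.
ALLOWED = {r"CORP\admin1", r"CORP\admin2"}

# Windows logon types that mean "console or terminal server": 2 = Interactive,
# 10 = RemoteInteractive. Anything else (e.g. 3 = Network) means the archive was
# reached over a share, which the post says must not be possible.
LOCAL_LOGON_TYPES = {2, 10}

# Access rights that change the archive; any of these deserves a second look.
MODIFYING_ACCESS = {"WRITE", "DELETE"}


@dataclass
class Event:
    when: str
    user: str
    obj: str
    access: str
    logon_type: int


def parse_line(line: str) -> Event:
    """Parse one constructed record: timestamp|user|object|access|logon_type."""
    when, user, obj, access, logon_type = line.rstrip("\n").split("|")
    return Event(when, user, obj, access.upper(), int(logon_type))


def review_log(text: str, archive: str = ARCHIVE, allowed: set = ALLOWED):
    """Return (findings, readers).

    findings: list of (kind, user, timestamp) tuples for events that break a rule.
    readers:  Counter of how often each account touched the archive, i.e. the
              "who used the file" trail the post insists on.
    """
    findings = []
    readers = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.obj.lower() != archive.lower():
            continue  # events for other objects are not our concern here
        readers[ev.user] += 1
        if ev.user not in allowed:
            findings.append(("UNAUTHORIZED_ACCESS", ev.user, ev.when))
        elif ev.logon_type not in LOCAL_LOGON_TYPES:
            findings.append(("NETWORK_ACCESS", ev.user, ev.when))
        if ev.access in MODIFYING_ACCESS:
            findings.append(("MODIFIED", ev.user, ev.when))
    return findings, readers


# Constructed sample audit trail for one day (not real log data).
SAMPLE_LOG = r"""
2005-04-19T08:02:11|CORP\admin1|D:\ops\q7x2.zip|READ|10
2005-04-19T08:40:03|CORP\admin2|D:\ops\q7x2.zip|READ|2
2005-04-19T09:15:47|CORP\jdoe|D:\ops\q7x2.zip|READ|3
2005-04-19T09:16:02|CORP\admin1|D:\ops\other.txt|READ|10
2005-04-19T11:30:09|CORP\admin2|D:\ops\q7x2.zip|WRITE|2
2005-04-19T12:05:55|CORP\admin1|D:\ops\q7x2.zip|READ|3
"""


if __name__ == "__main__":
    findings, readers = review_log(SAMPLE_LOG)
    for kind, user, when in findings:
        print(f"{when}  {kind:<20} {user}")
    print("accesses per account:", dict(readers))
```

Run as-is it flags the outsider `CORP\jdoe`, the archive being rewritten by `CORP\admin2`, and `CORP\admin1` reaching the file over a network logon, and prints the per-account access count. In practice the records would come from the event log on the server rather than an embedded string, and the allowed list would be generated from the NTFS ACL so the two cannot drift apart.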
April 19th, 2005, 09:29 PM
There is no need for a password file of this type. No exceptions.
No two users should EVER have access to the same account, otherwise accountability goes right out the window.
Regular user passwords can be reset by an administrator. Administrator passwords can be reset by lateral administrators, and if the need really arose any password can be reset with local system access.
April 19th, 2005, 09:51 PM
Sometimes a list like this is absolutely necessary. We have several lists (not one big one) because we have the usernames/passwords for every admin account on every one of our clients' computers. Combined, this is probably close to 1000 machines if we include all of the servers. The list is secured VERY well, both physical security and technological. So I think under the right circumstances lists are necessary.
I should add, the lists are in different locations, none of which are in any way available online. So you need physical access to the machine to get them. But under normal circumstances a list should not be made. I have to remember ~50 passwords and ~20 usernames, and I generally don't have a problem (except for Monday mornings before coffee, lol), and the same seems to hold true for my co-workers (some with well over 100 passwords).
April 19th, 2005, 10:21 PM
XTC46... your company needs to look into SSO technology.
Password lists only make bad architecture usable, which is in and of itself bad.
Again, multiple users having access to the same account is TERRIBLE! This alone can make your company fail a SOX or ISO17799 audit.
April 19th, 2005, 10:35 PM
Down here at "scrub" level you will quite often find apps that only allow for a single password, that have security implications, that have no self auditing and multiple users must have access to.... Honest...
We have one where I work that Property Management got when they implemented a key fob system for certain access points. Of course they never came to IT before they made the purchase decision because the software that came with it "seemed more like an addon rather than an auditing system".... If I can access it I can delete the records of my entering the building . The computer it runs on now sits in a "Special Grand Master" locked room but it still has five people using the same authentication credentials because we can't afford to replace an entire $X,000 system for this "little inconvenience".
There are a couple of others within my organization that have similar issues, especially those where we report to funding sources etc. via their web sites where they give us only one login. We need several people to know the authentication credentials, so the situation is the same. You may say that it isn't our problem but that of the provider, but that would be wrong. Since we can only access "our" information there, and let's say it's billing information, if someone accesses it and deletes it all we don't get paid by the provider. That means I don't get paid because we, as a company, don't have the money. Can you say "Denial of Service"? Worse yet, if they divulge that information publicly, the loss of credibility, through no fault of our own, could cripple the reputation of my company to the point we don't get funded by anyone. Please don't tell me to call them and ask for multiple logins; it will prove you never worked in the "provider/funding source" world. It's their way or the highway, period, and they don't care if my stuff is compromised from their box.... The fact will remain that no matter how much we "squawk" about our network being uncompromised and the lost data originating from their systems, people will still see that _my_ organization's data was leaked.... Sucks? Yes. Fact of life? Yes!!!!!!
This is a similar argument to those we have engaged in in the past, real world vs. Catch's world. I utterly agree with you, as I have said before about the ideal world, but this is a perfect example of the real world "trumping" the ideal and us "scrubs" having to work around it.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides