
Ask Slashdot: Open Source Multi-User Password Management?

timothy posted more than 2 years ago | from the login-admin-password-blank dept.

Security 198

An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"


198 comments


passpack works for me (0)

Anonymous Coward | more than 2 years ago | (#39976263)

I've been using passpack.com. It's been okay, although I'm looking for something cheaper for the value.

lol (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#39976269)

lol

Better than the last place I worked at (4, Funny)

Hamsterdan (815291) | more than 2 years ago | (#39976273)

It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)

Re:Better than the last place I worked at (1)

Anonymous Coward | more than 2 years ago | (#39976371)

If only there was +1 sad..

Re:Better than the last place I worked at (4, Interesting)

jtownatpunk.net (245670) | more than 2 years ago | (#39976419)

I once had a job where the list was kept on a printed page stored in a locked filing cabinet (no, it wasn't in the basement).

Re:Better than the last place I worked at (4, Funny)

Anonymous Coward | more than 2 years ago | (#39976507)

Was it in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?

Re:Better than the last place I worked at (1)

rwa2 (4391) | more than 2 years ago | (#39976607)

Heh, the best thing that I could come up with in a Wintel-centric environment was an encrypted zip file containing an excel spreadsheet. The master password would be periodically rotated and sent to people in an encrypted email.

We had access to Keepass or something similar, but our management couldn't be bothered to install it from the depot :P

Re:Better than the last place I worked at (1)

rwa2 (4391) | more than 2 years ago | (#39976613)

Oh yeah, but it sucked because opening an excel spreadsheet in a zip file would cause it to be extracted to the temp dir first :P

Re:Better than the last place I worked at (4, Informative)

forkazoo (138186) | more than 2 years ago | (#39976721)

We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point. Certainly better than a plain text file on a shared drive!

(tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)

Wallet (5, Informative)

tskirvin (125859) | more than 2 years ago | (#39976287)

Wallet [eyrie.org] is a Kerberos-based secret management tool. It works well for me.

Re:Wallet (2)

miknix (1047580) | more than 2 years ago | (#39977539)

Gringotts [shlomifish.org] is a secure notes manager for Linux and other UNIX-like systems. I've been using it to store passwords for more than three years.

KeePassX (5, Informative)

Anonymous Coward | more than 2 years ago | (#39976299)

KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.

Multi-user? (1)

anarcat (306985) | more than 2 years ago | (#39976761)

Is it multi-user however?

Re:Multi-user? (2)

Electricity Likes Me (1098643) | more than 2 years ago | (#39976795)

KeePass 2 can be run on Mono and is multi-user for the databases - you all need the same password to decrypt the database however, but it does allow simultaneous shared access.

Re:Multi-user? (0)

Anonymous Coward | more than 2 years ago | (#39976891)

I've not had a lot of luck with KeePass 2 on OSX. It crashes a lot. KeePassX works ok though.

Re:Multi-user? (4, Informative)

Kalidor (94097) | more than 2 years ago | (#39976905)

This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of us keep our own DBs with our more accountable user IDs. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.

As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OSs so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.

I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increase the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.
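The two hardening knobs mentioned in this post and the KeePassX one above, a key file combined with the master password and a tunable number of key-derivation rounds, can be shown with a small added example. This is not KeePass's code: the composite-key layout and PBKDF2-HMAC-SHA256 are illustrative stand-ins (KeePass's file format uses its own key-derivation function), and the key file and salt are constructed here.

```python
# Added example, not KeePass's own code: a composite master key (password
# plus key file) fed through a tunable number of key-derivation rounds.
# Assumption: the composite-key layout and PBKDF2-HMAC-SHA256 are chosen for
# illustration; KeePass's file format uses its own key-derivation function.
import hashlib
import hmac
import os
import time
from typing import Optional


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each factor on its own, then hash the concatenation, so a stolen
    database cannot be opened with the password alone once a key file is set."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_db_key(composite: bytes, salt: bytes, rounds: int) -> bytes:
    """Key stretching: every extra round costs an attacker the same extra work
    per guess that it costs the legitimate user once per unlock."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def seconds_per_guess(rounds: int) -> float:
    """Time one derivation: the cost of a single offline guess at this setting."""
    salt = b"constructed-salt-not-secret"  # a real database stores a random salt
    start = time.perf_counter()
    derive_db_key(composite_key("guess", None), salt, rounds)
    return time.perf_counter() - start


def create_database_key(password: str, key_file: Optional[bytes], rounds: int):
    """Return (salt, rounds, key) the way a new database would record them."""
    salt = os.urandom(16)
    return salt, rounds, derive_db_key(composite_key(password, key_file), salt, rounds)


def unlock(stored, password: str, key_file: Optional[bytes]) -> bool:
    """Re-derive from the supplied factors and compare in constant time."""
    salt, rounds, key = stored
    candidate = derive_db_key(composite_key(password, key_file), salt, rounds)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    key_file = os.urandom(64)  # constructed stand-in for a key file
    db = create_database_key("correct horse", key_file, rounds=200_000)
    print("password + key file:", unlock(db, "correct horse", key_file))
    print("password only:      ", unlock(db, "correct horse", None))
    for r in (1_000, 100_000, 1_000_000):
        print(f"{r:>9} rounds: {seconds_per_guess(r):.4f} s per guess")
```

Raising the round count only slows down an attacker who has a copy of the database file; it does nothing against a keylogger, which is the case the key file covers, since the logger captures the password but not the file.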

Re:Multi-user? (2, Informative)

Anonymous Coward | more than 2 years ago | (#39977523)

This! KeePass2 on a shared drive

You can go one better than a shared network drive by saving to a URL.
Specifically, set up a subversion server with WebDAV enabled. This way you can always go back to an old version if your db gets corrupted in any way. Subversion hook scripts can be used for implementing a backup plan (we use one to sync our keepass svn repo to a read-only mirror on a remote site.) The apache ldap auth module can be used to control access (this is on top of the actual keepass db password).

Re:Multi-user? (1)

Anonymous Coward | more than 2 years ago | (#39977247)

And webscale. It has to be webscale.

Re:KeePassX (1)

Anonymous Coward | more than 2 years ago | (#39976879)

+1 for KeePass

I started using it in 2009 and haven't looked back.

It works great with my Ubuntu and Windows mix. I keep it on a USB drive.

Re:KeePassX (3, Interesting)

Sam the Nemesis (604531) | more than 2 years ago | (#39977423)

I keep it on a USB drive.

Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry USB pen drive.

Delete the spreadsheet. (0)

Anonymous Coward | more than 2 years ago | (#39976311)

I use post it notes - taped to my monitor. I just got tired of all my coworkers asking me for the passwords.

Re:Delete the spreadsheet. (5, Funny)

lewko (195646) | more than 2 years ago | (#39977365)

I love having the password on my monitor. However I didn't like the appearance of all those Post-it notes stuck to it. So instead I changed all my passwords to "Samsung".

KeepassX in a Dropbox folder (1)

DarkFencer (260473) | more than 2 years ago | (#39976331)

KeepassX in a Dropbox (or some similar sharing) folder works great. More secure encryption than Excel and better for the purpose.

Re:KeepassX in a Dropbox folder (0)

Anonymous Coward | more than 2 years ago | (#39976541)

If you need more security, you can also stick the KeepassX database file into a Truecrypt file volume.

Re: Keep It Simple Stupid (0)

Anonymous Coward | more than 2 years ago | (#39977169)

I use a text file encrypted with 2048 bit encryption, saved to a gmail account.

Re:KeepassX in a Dropbox folder (1)

leuk_he (194174) | more than 2 years ago | (#39977253)

Is it more secure?

Isn't it the same as an Excel sheet with a master password on it?

(Ok, keepass is way cheaper than an Excel sheet)

Re:KeepassX in a Dropbox folder (1)

Anonymous Coward | more than 2 years ago | (#39977519)

Excel passwords are easy to crack, google for "advanced office password breaker".

Re:KeepassX in a Dropbox folder (0)

Anonymous Coward | more than 2 years ago | (#39977257)

Works great - especially since there's also an Android KeePassX client.

Team Pass (1)

dark12222000 (1076451) | more than 2 years ago | (#39976335)

I've used Team Pass (site here) [teampass.net] for a few months now. It works well enough. It's at least as secure as an excel sheet. It is however web based, so make sure to lock it down appropriately...

Re:Team Pass (0, Insightful)

Anonymous Coward | more than 2 years ago | (#39976347)

ewww.. php..

Re:Team Pass (0)

Anonymous Coward | more than 2 years ago | (#39977007)

You're just upset that someone made a lousy CRUD app in five lines of code instead of 20 class files with dozens of lines of verbiage around five lines of code plus 50MB of framework libraries and activerecord requiring a small server farm of application servers to handle a few dozen simultaneous requests.

Of course, the app will probably shit itself the first time someone puts a ' in their password, or else return the wrong information for passwords containing \

Re:Team Pass (1)

Bert64 (520050) | more than 2 years ago | (#39977527)

Of course, the app will probably shit itself the first time someone puts a ' in their password, or else return the wrong information for passwords containing \

You're referring to SQL injection or magic quotes, and those who rely on the latter to prevent the former.
If coded properly (i.e. using prepared statements for the db calls!) this won't be a problem, and it's just as easy to write poor code in other languages.
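The point made in this reply, that a password containing `'` only breaks (or subverts) a lookup when values are spliced into the SQL text, is shown below as an added example. It is not TeamPass's code or any other tool's from this thread: it builds an in-memory SQLite table with constructed sample secrets and runs the same insert and lookup both ways.

```python
# Added example, not TeamPass's (or any tool in this thread's) code: the same
# credential lookup written the injectable way and the parameterised way,
# against a constructed in-memory SQLite table with no real secrets.
import sqlite3
from typing import Optional


def make_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE creds (name TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    return conn


def add_unsafe(conn: sqlite3.Connection, name: str, secret: str) -> None:
    # Values spliced into the SQL text: a ' inside the secret ends the string
    # literal early, so the statement fails or, worse, means something else.
    conn.execute(f"INSERT INTO creds VALUES ('{name}', '{secret}')")


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    # Same defect on the read path: the name is trusted as SQL.
    row = conn.execute(f"SELECT secret FROM creds WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def add_safe(conn: sqlite3.Connection, name: str, secret: str) -> None:
    # Prepared statement: the driver passes values separately from the SQL,
    # so ' and \ in a password are stored exactly as typed.
    conn.execute("INSERT INTO creds VALUES (?, ?)", (name, secret))


def lookup_safe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    row = conn.execute("SELECT secret FROM creds WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def unsafe_insert_breaks(secret: str) -> bool:
    """True if the string-built INSERT cannot even store this secret."""
    conn = make_store()
    try:
        add_unsafe(conn, "test", secret)
        return False
    except sqlite3.OperationalError:
        return True


def compare_lookups(probe: str):
    """Return (unsafe_result, safe_result) for a lookup by the given name."""
    conn = make_store()
    add_safe(conn, "router-admin", "O'Brien\\2012")  # constructed sample secret
    add_safe(conn, "wifi-guest", "spring 2012!")     # constructed sample secret
    return lookup_unsafe(conn, probe), lookup_safe(conn, probe)


if __name__ == "__main__":
    print("unsafe insert of a secret with a quote breaks:", unsafe_insert_breaks("it's"))
    print("honest lookup, both paths:", compare_lookups("router-admin"))
    print("crafted name, unsafe leaks / safe returns None:",
          compare_lookups("x' OR '1'='1"))
```

The parameterised path needs no escaping layer at all, which is why it is the fix rather than magic quotes: there is no string for a quote or backslash to escape out of.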

Re:Team Pass (-1, Troll)

Anonymous Coward | more than 2 years ago | (#39976545)

Fuck you and your PHP bullshit shill.

Keepass (0)

Anonymous Coward | more than 2 years ago | (#39976339)

http://keepass.info/ light-weight and easy-to-use password manager.

Re:Keepass (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#39976349)

Keep ass?

KeePass (1)

DiSKiLLeR (17651) | more than 2 years ago | (#39976351)

KeePass?

Works on Windows, Linux, OSX, iPhone, Android, and more.

You can even store the password database on the cloud if you wanted...

Re:KeePass (1)

ArsonSmith (13997) | more than 2 years ago | (#39976451)

sure wish webkeypass wasn't a pile of crap.

Re:KeePass (0)

Anonymous Coward | more than 2 years ago | (#39976625)

I'm mostly satisfied with keepass. But yeah. It's a piece of crap. For the passwords of lesser importance, I resort to a txt file in my secured user profile, and I change them on a semi random basis. It's mainly about cost-of-usability.

Re:KeePass (1)

Anonymous Coward | more than 2 years ago | (#39976665)

You can even store the password database on the cloud if you wanted...

Why is this a good idea?

Re:KeePass (1)

Sam the Nemesis (604531) | more than 2 years ago | (#39977431)

You can even store the password database on the cloud if you wanted...

Why is this a good idea?

What's wrong with keeping the database in the cloud? As long as you are using a strong password along with a key file, there is a remote chance that someone would be able to break into your database.

Re:KeePass (0)

Anonymous Coward | more than 2 years ago | (#39976827)

I agree and recommend KeePass to keep credentials organized and secure; however,

I also recommend RemoteDesktopManager. For a small fee it has a secure central repository to store practically any access method within one database.

Why are you even considering this? (1)

NemoinSpace (1118137) | more than 2 years ago | (#39976353)

Go to your desk drawer. Inside there will be 3 numbered envelopes...

Re:Why are you even considering this? (2, Funny)

Anonymous Coward | more than 2 years ago | (#39976411)

Is one an offer letter for you from my firm? Because it's been rescinded...

KeePass (5, Informative)

st0nerhat (2540360) | more than 2 years ago | (#39976355)

KeePass satisfies all of your criteria:
  • Open Source: It uses an OSI-certified license.
  • Multi-user: You can throw the database on a Samba, NFS, etc. share and it will merge changes between different users that have the DB open at the same time.
  • Secure: Supports multi-factor authentication.
  • Linux-based: Works with Mono.

Password database (0)

Anonymous Coward | more than 2 years ago | (#39976357)

Keypass nice encryption multiple password inputs and key to text encrypted has keys which can be stored offline. It will do and is free but as it good. I have not done any penetration testing against the db or the keys but as you know anything can be broken given time or a good graphics card :)

keepass? (0)

Anonymous Coward | more than 2 years ago | (#39976363)

I've always found keepass to work well. It's open source and it integrates with remote desktop manager too if you need it.

GPG + Dropbox (1)

dw (5168) | more than 2 years ago | (#39976369)

At work, we use gpg to encrypt our password file for specific recipients, and place that file in a dropbox share. On occasion, we'll generate a snippet of the file and encrypt it for a specific user (junior admin) and place it in the same location.

Arbitrary complexity is often contrary to trustable security. If you really trust your encryption scheme, then it shouldn't matter where you store it (windows share).

Re:GPG + Dropbox (0)

Anonymous Coward | more than 2 years ago | (#39976433)

Pretty much do the same but in a git repo instead. When someone leaves their access gets removed and passwds changed. There is a gpg plugin for vim that makes reading/writing easy too.

Re:GPG + Dropbox (2)

WuphonsReach (684551) | more than 2 years ago | (#39976479)

We create separate files by service and encrypt the contents with GPG (regular old text files with ASCII armored encryption blocks).

Dead simple, other than the GPG key management and passing around public keys. There's also the issue that every time you add someone new, you need to re-encrypt all the files (but that's a key management / PKI issue).

Since they're regular text files, they can be emailed, printed, faxed, OCRd, stuffed in envelopes / safes, etc. We stuff ours into a version control system for simplicity.

It's also a good method to use for personal accounts. Create 1 file per account / service and just encrypt the contents with GPG.

PM me ... (0)

Anonymous Coward | more than 2 years ago | (#39976373)

all your passwords and I'll keep them safe for you. Just email me when you need them and I'll get them right out to you! I might need to share a few with some third parties and my buddy who goes by BOFH

pwsafe (0)

Anonymous Coward | more than 2 years ago | (#39976375)

I'm using the pwsafe command line program with a single master password shared among my team.

Just post them here (0)

Anonymous Coward | more than 2 years ago | (#39976391)

We'll take care of it for you.

Of course, (1, Funny)

iplayfast (166447) | more than 2 years ago | (#39976401)

You can use notepad...

Not free, not open source, not linux based (0)

Anonymous Coward | more than 2 years ago | (#39976417)

While it's not linux based, or open source, or free, we use Passwordstate (http://www.clickstudios.com.au/) and it's wonderful. It's got a ton of features including auditing and an emergency access password in case you're down completely and need to unlock passwords to restart your systems. I highly recommend it.

Use KeePass (0)

Anonymous Coward | more than 2 years ago | (#39976523)

My colleagues and I had the same problem at work. We used a spreadsheet and stored it in an access restricted file share. We switched to KeePass and keep the password database file in our IT file share. It's worked out better since it lets you keep notes and metadata with the password entry and has a great password generator. We only have to remember a master password and we can get in to see all of our passwords for our infrastructure.

It's free and cross platform (win, mac, linux).

Password Safe (4, Informative)

matt-fu (96262) | more than 2 years ago | (#39976573)

Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml [sourceforge.net] The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.

Re:Password Safe (0)

Anonymous Coward | more than 2 years ago | (#39977035)

+1 vote just because it's what Bruce Schneier [schneier.com] recommends.

Re:Password Safe (4, Informative)

lewko (195646) | more than 2 years ago | (#39977381)

No real surprise. He recommends it because he designed it.

Re:Password Safe (0)

Anonymous Coward | more than 2 years ago | (#39977265)

+1 for Password Safe.
I have been using it for more than 5 yrs.

I have not tried the Android client yet, but I like the lack of synchronization. I would rather move/copy the file manually than to worry about some security bug.

Re:Password Safe (0)

Anonymous Coward | more than 2 years ago | (#39977389)

The Linux client can't open a database stored on a network drive. The Windows and OSX clients can.

Phpchain (0)

Anonymous Coward | more than 2 years ago | (#39976583)

We use phpchain at work. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point.

WebPasswordSafe (1)

Anonymous Coward | more than 2 years ago | (#39976585)

http://www.webpasswordsafe.net is open source and multi-platform... "Web-based, multi-user, secure password safe/manager with delegated access controls"

Re:WebPasswordSafe (0)

Anonymous Coward | more than 2 years ago | (#39976697)

So this can be deployed to a company's intranet. Interesting comparison with other solutions http://webpasswordsafe.blogspot.com/2011/03/webpasswordsafe-vs.html

TiddlyWiki with TiddlerEncryptionPlugin (1)

lyallp (794252) | more than 2 years ago | (#39976593)

http://tiddlywiki.com/ [tiddlywiki.com] http://remotely-helpful.com/TiddlyWiki/TiddlerEncryptionPlugin.html [remotely-helpful.com] The tiddlywiki is a wiki that runs in a single html file using javascript, where each 'page' is called a 'tiddler'. The encryption plugin allows you to apply a password to an individual tiddler or group of tiddlers. You can make the tiddlywiki public; they can see all the unencrypted tiddlers but only read the ones for which you have supplied the passwords.

KeePassX (0)

Anonymous Coward | more than 2 years ago | (#39976615)

KeePassx - widely available and has a nice auto fill feature in the Linux version.

W3pw (0)

Anonymous Coward | more than 2 years ago | (#39976617)

We use w3pw. It's outdated and it throws some warnings with the latest versions of PHP. We had an in-house php knowledgeable guy who fixed the 4 lines of code that threw warnings. I wrapped the w3pw program inside an LDAP Auth statement on apache so you have to have valid LDAP credentials (like require-group it-admins etc) and then the shared password for the w3pw program. The MySQL db is encrypted and the implementation is sound. You cannot change the master password after setting it because it is the encryption key. That's why I put it behind LDAP auth.

This is definitely an "itch"... (1)

mlts (1038732) | more than 2 years ago | (#39976673)

There isn't really anything open source that I know of that is good at multi-user password management. I've seen enterprise appliances that offer this, but those are upwards of $10,000 for a glorified 1U rack PC with locking bolts.

The best way I'd go about this is have the two top security guys in the firm build a Linux or BSD box with whole disk encryption that is locked away somewhere.

As an alternative to Linux, one could use Windows and BitLocker, then VMWare Server or Workstation. This provides protection from physical attack, although nothing is 100%.

This box would have multiple VMs on it for isolation.

One VM would have a RDBMS which can encrypt tables/rows/columns that can be backed up somehow, with the keys obviously stored well away. This would allow for database backups without compromising the stored passwords.

The second one would have the backend web application and Web server, each running in different security contexts, so an Apache compromise won't get much.

As for authentication, that exercise is left to the reader. Username and password over SSL is the minimum.

Have a look at Clipperz (0)

Anonymous Coward | more than 2 years ago | (#39976995)

Have a look at Clipperz [clipperz.com] , more specifically their community edition [clipperz.com] . Client side encryption in javascript using standard security algorithms that you can also send over SSL if you want.

Re:This is definitely an "itch"... (1)

hawkinspeter (831501) | more than 2 years ago | (#39977005)

I think you're over complicating things and you haven't considered what happens in a disaster scenario when you need to access the passwords, but don't have access to your usual hardware.

KeePass with the file stored in a DropBox folder would be a lot easier.

Re:This is definitely an "itch"... (1)

Hognoxious (631665) | more than 2 years ago | (#39977293)

The best way I'd go about this is have the two top security guys in the firm build a Linux or BSD box with whole disk encryption that is locked away somewhere.

And then don't switch it on, ever.

The most secure I've found (1)

blake1 (1148613) | more than 2 years ago | (#39976681)

Neither of these are open-source or linux-based, but... Cyber-Ark is the most secure solution I've come across - multi-factor authentication, as well as presenting passwords through a portal rather than granting access to the password file itself. Citrix had a similar solution, Citrix Password Manager, but I believe it is now EOL. For it to provide any real level of security the database needs to be abstracted from the users, otherwise it can easily be copied offline and brute forced. "Use a secure password" you say? Of course, but where do you record this 128-bit randomised password?

Re:The most secure I've found (0)

Anonymous Coward | more than 2 years ago | (#39976709)

Second on Cyber-Ark, it's not perfect but it's the best I've seen.

Re:The most secure I've found (0)

Anonymous Coward | more than 2 years ago | (#39976857)

I agree, this isn't an Open Source field. You REALLY need that encrypted central database, and a portal.

Some other vendors to consider are Lieberman Software or FoxT, or for AD/Windows centric worlds, Centrify

VIM+OpenSSL (3, Interesting)

Anonymous Coward | more than 2 years ago | (#39976689)

http://www.vim.org/scripts/script.php?script_id=2012 [vim.org]

Unlike and better than the majority of the password-saferizers out
there, this keeps your passwords in a file which is both decryptable
with standardized tools and in a human readable format (assuming
you typed human readable usernames/passwords in the first place!)

Ten years from now you'll still be able to decrypt your files, and you
can share them with people who don't have the editor plugin.

Not the author here... (3, Insightful)

jjoelc (1589361) | more than 2 years ago | (#39976699)

I'm not the author, but am also watching this thread for answers...

I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database. Where I could set up groups and which passwords were available to a user would depend on the group they were a part of. For example, I might not mind all employees being able to look up the keys for the wireless network, but only those in the IT department having access to the admin logins for the wireless router... There are many many other examples, but hopefully you understand the gist...

Any suggestions?

Re:Not the author here... (0)

Anonymous Coward | more than 2 years ago | (#39976717)

http://code.google.com/p/webpasswordsafe/

Re:Not the author here... (0)

Anonymous Coward | more than 2 years ago | (#39977321)

Gee, if only there were such thing as a multi-user database...

Just enter the passwords into a database and oh hell why do I bother -- you're not going to listen because your eyes glossed over when I said database.

corporate vault (1)

Anonymous Coward | more than 2 years ago | (#39976711)

You can look at Corporate Vault - http://sourceforge.net/projects/corporatevault/

It's web based and you can create various groups with different level of access

Why are you Anonymous? (0)

G3ckoG33k (647276) | more than 2 years ago | (#39976735)

Are you searching for bugs to exploit?

SFLvault (4, Informative)

anarcat (306985) | more than 2 years ago | (#39976751)

I have been keeping an eye on this project [savoirfairelinux.com] for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...

I have been maintaining a list of FLOSS password managers [koumbit.net] in our public wiki for a while; any suggestions not mentioned there are welcome.

Really? (0)

Anonymous Coward | more than 2 years ago | (#39976767)

Really? Just searching online for the submission's title brings up results and reviews. If you go past the first page of Google's search results you get even more good (even better?) hits.

Password Safe (0)

Anonymous Coward | more than 2 years ago | (#39976863)

Password Safe. Works for multiple users from a CIFS share.

Single point of failure (0)

Anonymous Coward | more than 2 years ago | (#39976915)

Whatever you use, you will have to acknowledge that a single point of failure makes any secure password management system dangerous. At least, an excel file or notepad will add an attack vector to the host. You need to set up a reliable encryption scheme between each user and the host. You should write down your requirements more precisely. I am going to assume each user has access to different set of passwords.

Firstly, each user will have a key/password and will have access to the resources.
Secondly, the files on the host system SHOULD be encrypted, and sent encrypted to the final destination.
Thirdly, you will have to figure out how to get users to decrypt them, and moreover, you should teach them safe practices as deleting the files securely when they shutdown or leave their computers without surveillance AND keeping the decryption key somewhere safe (with them on a USB stick for instance).
Fourthly, the file in itself should be in an easy format to manage/look up. Excel kind of sucks; I used it for 6 months with more than 200 servers and clients. It was OK but a pain in the ass, especially when reinstalling hosts, changing IPs and passwords.

It is trivial to achieve this, but it requires putting many pieces together, if you outsource this and want to find a single application, you may bring up potential vectors, and you will lose control over this system. You need to /trust/ the writers of the application to not make any mistake and be trustworthy.
Depending on the environment you are working in, this may or not be acceptable. Very reliable pieces of software can help you achieve yourself this all-in-one solution and let users view your password file in a secure and convenient way. I think you can get it down in one week, putting pieces together with:

- OpenSSH + public key based authentication
- PGP to encrypt files
- a database as a file (sqlite), or an archive of a repository containing the DB if you need to track down changes
- a python GUI and/or text application to easily dig through the database, it will handle upload and deletion of the file and will not write down anything to disk

There are still risks though:
- Where do people keep their keys (SSH + PGP)? on a stick? then it all boils down to the security of the stick.
- Network failure => no passwords, people might then want to get the DB locally. Leak the PGP key and you're owned (workstations are not assumed to be secure in most places).
Most measures are needed because basic security concepts are not respected; you need to enforce them or the company is doomed. Secure each workstation and educate everyone about basic security. Make them sign an agreement which specifies how they handle sensitive data. Then and only then you can distribute the DB locally and not encrypted.

In most places you will find many restrictions and will not be able to implement a very secure system, and above ups will always ignore the worst case scenario. Enforce restrictions and make it usable, the more restrictions you need to enforce, the more you should strive to make your solution all-in-one. But it's not one size fits all, it's a challenge and an everyday work to design, implement and monitor security systems.
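Two posts in this thread describe the same missing piece: jjoelc asks for a store where a user's group membership decides which passwords they can see (everyone gets the wireless key, only IT admins get the router login), and the post above suggests building it from an sqlite database plus a small Python tool that never writes the decrypted data to disk. The added example below, which is not any thread-named tool's code, puts those two together: the group-per-entry permission model, the sample users and groups, and the audit table are all assumptions constructed for the example, and the database lives only in memory.

```python
# Added example, not any tool from this thread: an in-memory SQLite vault whose
# access check is enforced in the query itself, so a user only ever sees the
# entries of groups they belong to, with one audit row per reveal attempt.
# Assumptions: one owning group per entry as the permission model; the users,
# groups and secrets below are constructed; nothing is written to disk.
import sqlite3
from typing import List, Optional

SCHEMA = """
CREATE TABLE users       (name TEXT PRIMARY KEY);
CREATE TABLE groups      (name TEXT PRIMARY KEY);
CREATE TABLE memberships (user_name TEXT REFERENCES users(name),
                          group_name TEXT REFERENCES groups(name),
                          PRIMARY KEY (user_name, group_name));
CREATE TABLE entries     (id INTEGER PRIMARY KEY, title TEXT NOT NULL,
                          secret TEXT NOT NULL,
                          group_name TEXT NOT NULL REFERENCES groups(name));
CREATE TABLE audit       (who TEXT, entry_id INTEGER, allowed INTEGER);
"""


class Vault:
    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")  # decrypted data stays off disk
        self.conn.executescript(SCHEMA)

    def add_user(self, name: str) -> None:
        self.conn.execute("INSERT INTO users VALUES (?)", (name,))

    def add_group(self, name: str) -> None:
        self.conn.execute("INSERT INTO groups VALUES (?)", (name,))

    def add_member(self, user: str, group: str) -> None:
        self.conn.execute("INSERT INTO memberships VALUES (?, ?)", (user, group))

    def add_entry(self, title: str, secret: str, group: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO entries (title, secret, group_name) VALUES (?, ?, ?)",
            (title, secret, group))
        return cur.lastrowid

    def visible_entries(self, user: str) -> List[str]:
        # The join through memberships *is* the access control: rows owned by
        # groups the user is not in are never returned, whatever the UI does.
        rows = self.conn.execute(
            """SELECT e.title FROM entries e
               JOIN memberships m ON m.group_name = e.group_name
               WHERE m.user_name = ? ORDER BY e.id""", (user,)).fetchall()
        return [r[0] for r in rows]

    def reveal(self, user: str, entry_id: int) -> Optional[str]:
        # Same join on the reveal path, so knowing an entry id is not enough.
        row = self.conn.execute(
            """SELECT e.secret FROM entries e
               JOIN memberships m ON m.group_name = e.group_name
               WHERE m.user_name = ? AND e.id = ?""", (user, entry_id)).fetchone()
        self.conn.execute("INSERT INTO audit VALUES (?, ?, ?)",
                          (user, entry_id, 1 if row else 0))
        return row[0] if row else None

    def denied_attempts(self, user: str) -> int:
        return self.conn.execute(
            "SELECT COUNT(*) FROM audit WHERE who = ? AND allowed = 0",
            (user,)).fetchone()[0]


def build_sample_vault() -> Vault:
    """Constructed sample mirroring the wireless example from the thread."""
    v = Vault()
    for g in ("everyone", "it-admins"):
        v.add_group(g)
    v.add_user("alice")
    v.add_user("bob")
    v.add_member("alice", "everyone")
    v.add_member("alice", "it-admins")
    v.add_member("bob", "everyone")
    v.add_entry("Office Wi-Fi PSK", "constructed-psk", "everyone")               # id 1
    v.add_entry("Wireless router admin", "constructed-admin-pw", "it-admins")   # id 2
    return v


if __name__ == "__main__":
    v = build_sample_vault()
    print("bob sees:  ", v.visible_entries("bob"))
    print("alice sees:", v.visible_entries("alice"))
    print("bob reveals router admin:", v.reveal("bob", 2))
    print("denied attempts by bob:", v.denied_attempts("bob"))
```

Keeping the membership join in both the listing and the reveal query matters more than it looks: a tool that filters the list in the UI but serves any entry by id on the reveal path has no real group separation. Encryption of the secret column and the transport (the PGP and SSH pieces the post lists) sit on top of this and are deliberately left out here.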

Keepass for the win! (1)

AnRkey (1330615) | more than 2 years ago | (#39977013)

http://keepass.info/ [keepass.info]

GPG (0)

Anonymous Coward | more than 2 years ago | (#39977041)

GPG allows everyone to have their own key, and when you encrypt a file you can encrypt it for everyone on your public key chain. So you could just use that to encrypt the excel file everyone's comfortable with.

My Password Manager (1)

mwdmeyer (803276) | more than 2 years ago | (#39977079)

I wrote a web based password manager that might interest you.
It's cheap and you get all the source code on purchase.
http://codecanyon.net/item/password-manager/2145518?ref=michaeldale [codecanyon.net] (includes my referrer link, but you can just delete the ref= part if you wish).

I have a demo version online here: http://www.onlinecompanyportal.com/mrp/ [onlinecompanyportal.com]
It does categories, multi user, active directory integration and lots more.

Single Signon (0)

Anonymous Coward | more than 2 years ago | (#39977093)

Easier than remembering a million passwords is a good implementation of single signon so you only need one set of credentials. Software/Appliance manufacturers really need to get behind this idea, and users need to start demanding it.

Truecrypt (0)

Anonymous Coward | more than 2 years ago | (#39977101)

An office document or text file stored in an encrypted truecrypt file works for me.

My password tool is completely unhackable... (4, Interesting)

JetScootr (319545) | more than 2 years ago | (#39977249)

It's called pencil and paper. I have a notebook, and all pwds are encoded there. I have 4 simple rules for modifying what I write into what I type in. An example rule you could use is "Real pwds use only even digits; passwords are written with all ten digits, odd digits are ignored". 2-4 simple rules will make it unhackable even for someone with physical control of the passbook. (Never write down the rules - keep them in yer head.)
To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, so you won't forget them.
Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10,000 tries in a text file - I'll let you know if you get it.
This really really works - I've been doing it this way since the 1980s, and haven't misplaced a properly coded pwd yet.

PS: Re:My password (1)

JetScootr (319545) | more than 2 years ago | (#39977287)

I may be a bit OCD about passwords and security - 30 years USAF and NASA have bent my brain a bit. Typing in pwds a lot doesn't bug me cuz I know my pwd mgt tool is safe because it's out of reach of hackers.

Mortimer (1)

eadz (412417) | more than 2 years ago | (#39977301)

I've checked out and briefly used Mortimer ( https://github.com/aiaio/mortimer ) before and it seems a decent tool.

"mortimer is a password storage application that supports multiple users and basic permissions. The app relies on public key cryptography to facilitate a multi-user password system whose data remains secure even if the database is compromised. Admin users have permission to all password entries on the system. Users may be given permission on a password-group basis."

"Facebook"emoticon code (0)

maishea013 (2637599) | more than 2 years ago | (#39977367)

As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OS's so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times. http://facebookemoticoncode.blogspot.in/p/latest-facemoods-emoticon-code-for.html [blogspot.in]

Awesome tool (-1, Flamebait)

lewko (195646) | more than 2 years ago | (#39977373)

Dear Sir,

Good day and compliments. This post will definitely come to you as a huge surprise, but I implore you to take the time to go through it carefully as the decision you make will go off a long way to determine the future and continued existence of the entire members of my family.

Please allow me to introduce myself. My name is Dr. (Mrs.) Mariam Abacha, the wife of the late head of state and commander in chief of the armed forces of the federal republic of Nigeria who died on the 8th of June 1998.

I have developed an amazing password storage website and wish to bestow it upon you.

Windows Encrypting File System (0)

mysidia (191772) | more than 2 years ago | (#39977405)

What's "insecure" about an Excel spreadsheet?

If you're already running Windows, right-click the file > Properties, click Advanced, and tick "Encrypt contents" to encrypt the file on the file server using Windows EFS.

Add the list of authorized users' certificates so only authorized users can decrypt the file.

Make sure to setup an EFS recovery certificate, export that, and back it up somewhere.
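The three steps in the post above (encrypt, add the other users' certificates, set up a recovery certificate), scripted with the built-in cipher.exe as an added example rather than anything from the poster. The share path, the folder of exported .cer files and the recovery key name are constructed placeholders; run it in an elevated PowerShell on the file server.

```powershell
# Added example, not from the thread. Placeholders: $Share, D:\EFS-certs, D:\EFS-recovery.
$Share = 'D:\Shares\IT\passwords.xlsx'   # the spreadsheet to protect (placeholder path)

# 1. Encrypt the file with EFS (same effect as Properties > Advanced > "Encrypt contents").
cipher.exe /e $Share

# 2. Grant each authorized user by their EFS certificate. Each person exports their own
#    certificate (certmgr.msc > Personal > Certificates, purpose "Encrypting File System")
#    as a .cer file, without the private key, into the shared folder below.
foreach ($cert in Get-ChildItem 'D:\EFS-certs\*.cer') {
    cipher.exe /adduser /certfile:$($cert.FullName) $Share
}

# 3. Create a data recovery agent key pair: efsra.cer (public) and efsra.pfx (private,
#    password-protected). Move the .pfx offline and back it up; then register efsra.cer
#    as a Data Recovery Agent under Local Security Policy > Public Key Policies >
#    Encrypting File System so that files encrypted afterwards carry the recovery field.
cipher.exe /r:D:\EFS-recovery\efsra

# 4. If the recovery agent was registered after the file was encrypted, rewrite the
#    key fields on all encrypted files so the new agent is included.
cipher.exe /u

# 5. Verify: lists the owner certificate, every added user and the recovery agent(s).
cipher.exe /c $Share
```

Two caveats worth keeping in mind with this approach: EFS protects the file only at rest on that NTFS volume, so a copy made to a FAT drive or attached to an email leaves as plaintext, and step 3 is not optional, because a user whose profile or certificate is lost takes their access to the file with them unless a recovery agent existed when the file was encrypted.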

Mortimer (1)

Boltronics (180064) | more than 2 years ago | (#39977413)

https://github.com/aiaio/mortimer [github.com]

The password sharing functionality looks really interesting. I gave it a spin a few months back, but it had an annoying bug at the time (move a password out of a folder to the root level and it can disappear from the UI). I'm guessing a competent Ruby dev with a few spare hours could fork it on GitHub, fix it up and make it work real nice.

More information about it here:
http://www.alexanderinteractive.com/blog/2009/02/mortimer-a-rails-password-manager/ [alexanderinteractive.com]
http://www.alexanderinteractive.com/blog/2009/08/mortimer-password-manager-redesigned-v1-2/ [alexanderinteractive.com]

Paper!! (0)

Anonymous Coward | more than 2 years ago | (#39977455)

Just write it down and store it in a filing cabinet. If you need it in more than one place, xerox it and take it home.

Seriously a little typing won't hurt.

Keypass is a good solution (0)

Anonymous Coward | more than 2 years ago | (#39977475)

Hi Hello JetScootr, have you even heard about Keypass? It is a protected program that can save your passwords in a protected database. For Windows, Linux or Mac, take a look at Keypass.

Teampass and Clipperz (0)

Anonymous Coward | more than 2 years ago | (#39977487)

I'd recommend TeamPass http://www.teampass.net/ or Clipperz community edition http://www.clipperz.com/open_source/clipperz_community_edition

Gnupg (1)

ZorkZero (6507) | more than 2 years ago | (#39977509)

Open source? Check. Multi-user? Check. Secure? Only as secure as the box it's on, and the boxes that people use to access it, just like everything else. Linux based? Check.

Gnupg and a flat text file.
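The GnuPG pattern that this post and the earlier "GPG" post describe (one key pair per person, the shared file encrypted to every reader's public key, no shared secret to hand around), as an added example that is not from either poster. It assumes gpg (GnuPG 2.1 or later) is installed; the member names, the example.invalid addresses and the password line are constructed placeholders, and every key lives in a throwaway directory per person.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+; identities are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # one subdirectory per person acts as their GNUPGHOME

# Run gpg as the named person, with no interactive prompts and an empty passphrase
# (demo only; a real key would be passphrase-protected or on a smart card).
gpg_as() {
    home="$WORK/$1"; shift
    mkdir -p "$home" && chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Create a key pair for a team member and export only the public half for sharing.
make_member() {
    gpg_as "$1" --quick-generate-key "$1 <$1@example.invalid>" default default never
    gpg_as "$1" --armor --export "$1@example.invalid" > "$WORK/$1.pub.asc"
}

# Encrypt a plaintext file to every member named after the output path. The "admin"
# home holds public keys only, so nothing on that side can read the result; every
# recipient gets their own copy of the session key inside the same .gpg file.
encrypt_to() {
    src="$1"; out="$2"; shift 2
    for m in "$@"; do gpg_as admin --import "$WORK/$m.pub.asc"; done
    recips=""
    for m in "$@"; do recips="$recips -r $m@example.invalid"; done
    # shellcheck disable=SC2086  # recips is intentionally word-split
    gpg_as admin --trust-model always --output "$out" --encrypt $recips "$src"
}

# Exit 0 if the named member can decrypt the file with their own private key.
can_decrypt() {
    gpg_as "$1" --decrypt "$2" > /dev/null 2>&1
}

# Walk through: three members, a file readable by two, then bob removed.
# Revoking access means re-encrypting to the shorter list (and, in practice,
# rotating the passwords bob already saw).
demo() {
    printf 'wifi-guest: correct-horse-battery-staple\n' > "$WORK/passwords.txt"
    for m in alice bob carol; do make_member "$m"; done
    encrypt_to "$WORK/passwords.txt" "$WORK/passwords.gpg" alice bob
    can_decrypt alice "$WORK/passwords.gpg" && echo "alice: can read"
    can_decrypt carol "$WORK/passwords.gpg" || echo "carol: denied (not a recipient)"
    encrypt_to "$WORK/passwords.txt" "$WORK/passwords.gpg" alice
    can_decrypt bob "$WORK/passwords.gpg" || echo "bob: denied after re-encryption"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh share.sh --demo`. The point the example makes that the posts leave implicit: the "multi-user" part is entirely in the recipient list, so adding a reader is cheap but removing one is only as good as the re-encryption plus a password rotation, since the old ciphertext and anything already read stay with them.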

LastPass might just work here. (0)

Anonymous Coward | more than 2 years ago | (#39977537)

I know it's browser based, but http://lastpass.com/ works on Mac, Windows and Linux along with virtually every tablet/phone OS. You can set up multiple users with multi-factor authentication, i.e. YubiKey, printed-out grid, etc. It's free, and your passwords are encrypted before being uploaded to the site, so only you and the people you share the password with would know it, not LastPass. You can also access the passwords if you are disconnected from the net for a time.
