How do you store and manage passwords at work?

Sp33dFr33k

2[H]4U
Joined
Apr 20, 2002
Messages
2,481
I've been places where they used expensive software to manage passwords and I've been some places where it's a spreadsheet on an IT server.

I'm looking for something now that can be hosted internally and doesn't need internet access to work. This would be for no more than 5 users and would store all of our internal logins/passwords.

What are you using in your environment?
 

Metraon

Limp Gawd
Joined
Feb 23, 2011
Messages
307
In my case, we do not use shared passwords ever.

We also use LastPass, which requires internet access, but I heard great things about KeePass.
 

hawk82

[H]ard|Gawd
Joined
Oct 2, 2001
Messages
1,473
Authanvil? http://www.scorpionsoft.com/

I personally use keepass, but where 5 people are logging in, I don't see how that would work (1 person updates a password and the other 5 don't see it if the database file isn't updated, file locking, etc).
 

shade91

Guest
LastPass Enterprise and SecretServer are the two I'm most familiar with. I'm sure you don't want people having certain access they shouldn't have and Keepass isn't exactly meant for a multi-user environment and a spreadsheet doesn't let you limit such controls.
 

Puterguru

2[H]4U
Joined
May 21, 2001
Messages
3,535
Authanvil? http://www.scorpionsoft.com/

I personally use keepass, but where 5 people are logging in, I don't see how that would work (1 person updates a password and the other 5 don't see it if the database file isn't updated, file locking, etc).

If you save the KeePass extension file in a cloud-based platform (Dropbox, Google Drive) then this works great. I've been using KeePass this way for a while. Whenever a change is made it's synced automatically.
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,304
If you want a network based version with permission levels use secret server.

If you don't care who sees what, use keepass
 

zero2dash

Supreme [H]ardness
Joined
Oct 23, 2007
Messages
6,087
If you don't care who sees what, use keepass

Assuming you're using a master key (in the least), this is not a problem with KeePass. Only the people who have the master key have access.

If you have some passwords that you want only 1/2 the department to have access to, you make secondary KeePass databases. (We have 3, and I also have my own personal one.)
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,304
Assuming you're using a master key (in the least), this is not a problem with KeePass. Only the people who have the master key have access.

If you have some passwords that you want only 1/2 the department to have access to, you make secondary KeePass databases. (We have 3, and I also have my own personal one.)

Where do you go to make the second password in keepass?
 

zero2dash

Supreme [H]ardness
Joined
Oct 23, 2007
Messages
6,087
Where do you go to make the second password in keepass?

File > Change Master Key.

You can only have 1 master key (for each database), but it can be used in conjunction with the other security methods (user account [not recommended] or key file).

My suggestion would be again to have different KeePass databases. You can take the 1 existing one, copy and paste that file, rename it, and then open it in KP, remove what you don't want those other employees to have, and then change the master key for it as well.

Half the department gets the 'half access' file with 1 master key; the rest of the department (senior/managers etc) gets the full access file with a different master key.

Again, we have 3 here (though mainly only 2 are used). They have them split up with different info in each; one is an Admin KP database, the other is store support, the 3rd is older stuff. My personal one, I have one that I use with everything, and then I have one saved out on the public drives that is only my work entries (but nothing personal) that way the rest of the department can load that if they want without getting all of my other stuff (like my [H] login ;)).
 

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,477
I use KeePass, but it is only great for one user access at a time.

LastPass fixes that problem and more (allows you to set access levels for children accounts), but costs a subscription fee for their service.
 

nry

Limp Gawd
Joined
Jul 10, 2008
Messages
409
Currently a couple of my clients are using 1Password, which really isn't cutting it for business use, but there's only 3 of us using it so it almost works out. For personal use I love it and can't see me changing any time soon. But on the business side I'm struggling to find a nice solution to multi-user password management.

The directors do not want to use a paid service and store everything in the 'cloud' due to potential security risks, be interested to see how others manage this :)

Have been at a few companies which simply store everything in an unencrypted db/Excel spreadsheet!
 

zero2dash

Supreme [H]ardness
Joined
Oct 23, 2007
Messages
6,087
I use KeePass, but it is only great for one user access at a time.

?

Not sure how you're using it, but we have ours out on public shares, and usually 3 people have the same db open at the same time. :confused:

That being said, yeah, 2+ can't have it open and all have write access, but you can have 2+ with read access.
 

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,477
?

Not sure how you're using it, but we have ours out on public shares, and usually 3 people have the same db open at the same time. :confused:

That being said, yeah, 2+ can't have it open and all have write access, but you can have 2+ with read access.
That's what I meant.
 

shade91

Guest
Something is wrong when your company is too cheap to spring for $10/month for an enterprise-grade solution.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
At work we use a program called PINs. At home I wrote a simple php/mysql web interface. I originally used PINs too but when I switched to Linux I decided I wanted something web based so it works from anywhere. (well, I have to VPN to my network if I'm not on it). It's kinda crude though, my login password is basically the encryption key. So if I change my password I have to re-encrypt everything. Probably a better way of doing it.
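
Added example, not part of the post above and not the poster's code: one common way to avoid re-encrypting every entry on a password change is envelope encryption, where a random data key encrypts the entries and only that key is wrapped under a key derived from the login password. The function names, vault layout and sample values below are assumptions made for the illustration; it uses only Node.js built-ins.

```javascript
// Added example (not from the thread): envelope encryption for a small password vault.
const crypto = require('node:crypto');

// Key-encryption key (KEK) derived from the login password; scrypt costs are illustrative.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// AES-256-GCM helpers; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// A random data key (DEK) encrypts the entries; only the wrapped DEK depends on the password.
function createVault(password) {
  const salt = crypto.randomBytes(16);
  const dek = crypto.randomBytes(32);
  return { salt, wrappedDek: seal(deriveKek(password, salt), dek), entries: {} };
}
const unlock = (vault, password) => open(deriveKek(password, vault.salt), vault.wrappedDek);
const putEntry = (vault, dek, name, secret) => { vault.entries[name] = seal(dek, Buffer.from(secret, 'utf8')); };
const getEntry = (vault, dek, name) => open(dek, vault.entries[name]).toString('utf8');

// Password change: re-wrap the DEK under a new KEK. Stored entries are not touched.
function changePassword(vault, oldPassword, newPassword) {
  const dek = unlock(vault, oldPassword);
  vault.salt = crypto.randomBytes(16);
  vault.wrappedDek = seal(deriveKek(newPassword, vault.salt), dek);
}

// Constructed sample run: the entry ciphertext is byte-identical before and after the change.
function demo() {
  const v = createVault('old-login-pw');
  putEntry(v, unlock(v, 'old-login-pw'), 'switch-admin', 'constructed-secret');
  const before = v.entries['switch-admin'];
  changePassword(v, 'old-login-pw', 'new-login-pw');
  return before.equals(v.entries['switch-admin']) && getEntry(v, unlock(v, 'new-login-pw'), 'switch-admin');
}
```

Re-wrapping keeps the same data key, so it does not lock out anyone who already extracted that key; rotating the data key itself still means re-encrypting the entries.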
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
Don't have them on a computer at all. Make laminated password cards, like these:

http://www.passwordcard.org/en

And keep in mind you can start your password with any character on the card, in any direction (forwards, backwards, diagonal). Make them ubiquitous so if someone loses one, they can just grab another. All they need to remember is where the passwords they use start and in what direction they go. The cards are useless to anyone else if they are lost or stolen; they can be left out in plain view for anyone to see. Just don't be dumb and mark your password beginnings on the card.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Don't have them on a computer at all. Make laminated password cards, like these:

http://www.passwordcard.org/en

And keep in mind you can start your password with any character on the card, in any direction (forwards, backwards, diagonal). Make them ubiquitous so if someone loses one, they can just grab another. All they need to remember is where the passwords they use start and in what direction they go. The cards are useless to anyone else if they are lost or stolen; they can be left out in plain view for anyone to see. Just don't be dumb and mark your password beginnings on the card.

That is brilliant, yet, so simple! You just have to remember the line/direction (which is not that hard if you use it every day) and you are set. Heck, if you want to always use the same line/direction you just change the card once in a while.
 
Joined
Apr 28, 2006
Messages
632
I use MS OneNote. I keep not only the passwords, but other useful stuff like How-To or Network maps, or Vendor information. It is nice cause everything you could possibly need is in one place pretty much. If I were to just up and quit today my replacement would pretty much have everything they need to know in my OneNote.
 

Sp33dFr33k

2[H]4U
Joined
Apr 20, 2002
Messages
2,481
I've taken a look at AuthAnvil. That may work well for us. Most of the other tools seem to focus solely on storing passwords for websites (maybe I'm wrong about that). We just need a vault to store passwords locally that can then be accessed by a few people. Having two-factor authentication would be a good feature as well.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,861
In my case, we do not use shared passwords ever.

We also use LastPass, which requires internet access, but I heard great things about KeePass.

Wasn't LastPass compromised earlier this year or last?

Cloud = bad idea to host your passwords.

Keepass or other locally hosted system.
 

J-Will

[H]ard|Gawd
Joined
Jan 10, 2009
Messages
1,728
Encrypted Excel File


Just kidding, I don't know what we use. But we consult clients to use CyberArk.
 

Tytalus

Supreme [H]ardness
Joined
Nov 1, 2006
Messages
4,257
PasswordSafe for me. I use it in combination with PasswdSafe and PasswdSafeSync on my Android device, utilizing Google Drive for storing the password file and all backups. Sync it across 4 devices without issue!
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
Display them on national TV for all to see. The Brazilian World Cup's security center did the latest in about half a dozen such events:

brazilfail.png


http://www.esecurityplanet.com/wire...team-accidentally-reveals-wi-fi-password.html
 

Thuleman

Supreme [H]ardness
Joined
Apr 13, 2004
Messages
5,833
Don't have them on a computer at all. Make laminated password cards, like these:

http://www.passwordcard.org/en

And keep in mind you can start your password with any character on the card, in any direction (forwards, backwards, diagonal).

So I printed one of them out, showed it to a colleague of mine and he said:

"Dude, that's like 40 characters on a line, that's way too long to type in all the time."

Then there was an awkward pause, during which I tried to get over being stunned, which was followed by me saying:

"Well, you could just use the first 8 characters if that's what you want to do."

Which was followed by another awkward pause after which he said "Oh..." and I said "Yea ...." and that was the end of that discussion. Good times!
 

OSUmaxx

n00b
Joined
May 9, 2014
Messages
30
We recently moved from KeePass to PasswordState, which is server based.

How do you like it so far? Does it do a good job of providing a way to allow many users access to the program while only allowing them to view their own passwords? From reading their site, it looks promising.
 

/usr/sbin

Successfully Trolled by Megalith
Joined
Jul 18, 2010
Messages
3,927
I used to keep strong passwords for work like: Kd4!!dns78F$0ad91. I'd change it once in a while.

Then the brilliant IT director made the policy that everyone has to change their PW every 30 days. Now my password is "Happy1", when that expires, "Happy2" and so on.
 