Looking for secure way to share passwords

Sat Nov 16 17:21:22 MST 2013

I wanted to provide a summary of what actually transpired regarding a
secure way to share passwords with a team of computer users with very
limited computer skills.

I decided to use Lastpass because
* one does not have to install any software; you can use it just with a
browser.
* it has a built in secure mechanism for sharing user names and passwords
with other Lastpass users
* the user interface is good (not necessarily great, but that in my opinion)

So far, Lastpass is doing its job, and the team is able to use it. There
was one hiccup during the installation that caused some issues with most of
the team members. This issue involves setting up a user's account to
receive shared passwords. The issues were:

* the Lastpass documentation is very good when it comes to describing how
to use Lastpass to share credentials with another user, but is terrible (ie
non-existent) when it comes to telling a user how to setup their account to
receive a shared password.

* A user who wants to receive shared passwords has to, in most cases,
perform an extra setup task to create keys that allow sharing. For IE
users, this happens automatically. For all other browsers and operating
systems (I tests Linux with Chrome, Firefox, Mozilla, and Opera, and on Mac
I tested Firefox and Safari with and without the plugin installed) the user
has to login through the Lastpass web site (not the plugin, even if it is
installed) to get the user's "account home page" to display the link to
"create sharing keys". This feature is not documented in the Lastpass user
manual, or in the forums. It took an email to Lastpass tech support and a
lot of testing to figure this out. Without this step, one cannot share
credentials between Lastpass users.

* Setting up a user's account without the Lastpass plugin is possible, but
again not well documented, and requires a few browser restarts to get it to
work.

However, once set up, sharing credentials with a group is rather easy.

Cheers!

Mark

On Wed, Oct 30, 2013 at 7:48 AM, Stephen <cryptworks at gmail.com> wrote:

> There comes a point where if a team wants a new function or convenience
> they will have to learn something new. So i would go with the best
> documentation friendly solution that actually does the job securely. This
> to me strikes as the best of both worlds.
>
>
> On Wed, Oct 30, 2013 at 7:42 AM, Mark Phillips <mark at phillipsmarketing.biz
> > wrote:
>
>> Jill,
>>
>> Great point!
>>
>> In this particular situation, the "team members" will probably not want
>> to download a plugin, and I don't want to the the help desk for the plugin.
>> However, I don't think that will be a problem. If they forget their
>> password and can't get into their lastpass account, then I would tell them
>> to make another account, and I will share the passwords with the new
>> account. A very kludgey solution to this problem, but if it happens, they
>> may get over their fear of downloading a plugin. On a technical scale of
>> 1-10, where 10 = Linux Admin and 1 = still using a rotatory dial land line
>> , the team members are 2s. ;)
>>
>> Mark
>>
>>
>> On Sun, Oct 27, 2013 at 12:23 PM, jill <lists at bespokess.com> wrote:
>>
>>> I've also successfully used Lastpass with customers with
>>> multi-platform/less-techy requirements.  However there's one thing about
>>> their service that's really important to note - they can't do password
>>> resets for your account the way most web services can.  If you forget
>>> your login to their site and don't use their browser add-on you're SOL
>>> (recovery works off the plugin).  I completely lost a Lastpass account
>>> this way earlier this year.
>>> https://helpdesk.lastpass.com/security-options/account-recovery/
>>>
>>> Make sure your team understands how important it is to keep track of
>>> their Lastpass password, or walk them through how to set up the plugin.
>>>
>>> - Jill
>>>
>>> On 2013-10-26 21:20, Mark Phillips wrote:
>>> > I have a small team, and I am looking for a way to share account info -
>>> > user names and password, and password updates. These are login
>>> credentials
>>> > for financial accounts I manage.
>>> >
>>> > I googled for some ideas, and came up with snail mail, various web
>>> services
>>> > that encrypt/decrypt emails, Lastpass, and safegmail.
>>> >
>>> > The users are technical noobs, so it has to be easy. No software to
>>> > install. Free or inexpensive. They use Windows and Mac, I use Linux.
>>> Only I
>>> > use Gmail, so safegmail is out.
>>> >
>>> > Does anyone have any recommendations for web service solutions? Anyone
>>> use
>>> > Lastpass? Other ideas?
>>> >
>>> > Thanks,
>>> >
>>> > Mark
>>> > ---------------------------------------------------
>>> > PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> > To subscribe, unsubscribe, or to change your mail settings:
>>> > http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> A mouse trap, placed on top of your alarm clock, will prevent you from
> rolling over and going back to sleep after you hit the snooze button.
>
> Stephen
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20131116/eaa05949/attachment.html>