Looking for secure way to share passwords

Mark Phillips mark at phillipsmarketing.biz
Sun Oct 27 08:25:53 MST 2013


On Sun, Oct 27, 2013 at 2:12 AM, Ed <plug at 0x1b.com> wrote:

> Hi All,
>
> 1) your compliance officer is having kittens....  they don't call it
> the "designated felon" position for nothin'
>
> 2) on non-windows systems, PasswordSafe is called MyPasswordSafe - the
> file format is identical and you can send the encrypted store as
> needed. That and a phone call and your clients' info is wherever your
> team needs it. Oh look, more kittens  8)
>

The compliance officer does not like cats... the team members are the ones
having kittens. PasswordSafe is too complicated for them to use.

>
> 3) if you need to control access (AAA), you should think about
> federating your back office apps with a SAML server - like OpenAM.
> Your team gets their own creds for your SAML server, it federates to
> the backend servers with your {still secret} client's creds and gives
> your team access.
>

The credentials I am sharing are not for my servers, but for accounts on
servers that I don't manage. Like Wells Fargo.

>
> why not keep things simple?
>

I am all for that!!!! ;)

>
> It sounds like you could get by with a plain Apache httpd install that
> only serves https and requires a client side certificate for access,
> there really is no reason to put this info on any other systems. Odds
> are good you can serve this up from your office cable/DSL service
> without too much trouble.
>

That would work. My biggest concern is that I am not enough of a security
expert to guarantee that what I whip up is secure enough. So, I am looking for
recommendations for third party solutions that are secure.

>
> And, NO!  none of this is appropriate for real client credentials -
> also make your clients pick new random 12 character passwords
> (MyPasswordSafe can generate them for you if needed) the odds are good
> that the passwords you are sharing with your team are the same
> passwords your clients use for personal email and all sorts of other
> things too.
>

Since I pass out the credentials and manage them, I control when the
passwords change. I just need a secure and easy way to communicate the changes
to the team members. Remember, the team members cannot spell "pgp", so it has
to be really simple for them, but secure enough to keep a Wells Fargo account
login safe.

>
> Mark - this is bad, really bad
>

What is bad??? My problem or the proposed solutions?

Thanks,

Mark

>
> On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips
> <mark at phillipsmarketing.biz> wrote:
> > I use keepass2 with dropbox for my personal passwords and love it. But
> > it is too complicated for my team...:-(
> >
> > Mark
> >
> > On Oct 26, 2013 2:58 PM, "Michael Butash" <michael at butash.net> wrote:
> >>
> >> At work we use "password safe" to share common passwords like service
> >> accounts, shared vendor accounts, and various other credentials that
> >> are not unique to a member.  It's kind of a kludge, and of course
> >> windoze only, so I have to use a vm to access it. Quite annoying.
> >>
> >> I've considered pushing to use keepass instead, as I've used this as
> >> well for a good 6 years under linux.  Only problem is it's only a file
> >> db to be accessed, which makes anyone not on a shared network resource
> >> accessing it difficult.  Also sadly, even the "official" version
> >> iterated to keepass2, a really crap c#/mono application that barely
> >> works under linux, and not without frustrations, but the older 1.x
> >> format with keepassx works great.
> >>
> >> I have since migrated to LastPass, even paying for the service because
> >> I've found it to be more valuable than the $12 a year personally, and
> >> their "enterprise version" can have shared access permissions.  Perhaps
> >> the consumer version can be coaxed to do this too, but I've not had
> >> necessity to try.  The android integration with dolphin browser
> >> (plugin) makes it easy on any platform, mobile or desktop, for
> >> consistent access means.
> >>
> >> Secure shared access for me is a random large/complex string that I
> >> note as who I've given it to, and only as long as needed before
> >> changing it.  I don't remember passwords, preferring the ambiguity
> >> that if I can remember it, likely others can brute-force it, or
> >> torture it out of me.
> >>
> >> Of course any service like lastpass inside the US, the NSA would
> >> simply subpoena and force to give unilateral access to my account
> >> anyway (much as they can/do anyone, thank your politicians) at that
> >> point, so really confidentiality is all a perception regardless as
> >> long as anything is shared externally.
> >>
> >> -mb
> >>
> >>
> >> On 10/26/2013 02:31 PM, Eric Cope wrote:
> >>
> >> I use lastpass, although not to share... I can help demo it if you
> >> want...
> >>
> >> Eric
> >>
> >>
> >> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips
> >> <mark at phillipsmarketing.biz> wrote:
> >>>
> >>> I have a small team, and I am looking for a way to share account info -
> >>> user names and password, and password updates. These are login
> >>> credentials for financial accounts I manage.
> >>>
> >>> I googled for some ideas, and came up with snail mail, various web
> >>> services that encrypt/decrypt emails, Lastpass, and safegmail.
> >>>
> >>> The users are technical noobs, so it has to be easy. No software to
> >>> install. Free or inexpensive. They use Windows and Mac, I use Linux.
> >>> Only I use Gmail, so safegmail is out.
> >>>
> >>> Does anyone have any recommendations for web service solutions? Anyone
> >>> use Lastpass? Other ideas?
> >>>
> >>> Thanks,
> >>>
> >>> Mark
> >>>
> >>>
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
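Ed's suggestion of "a plain Apache httpd install that only serves https and requires a client side certificate" is the one concrete design in this thread, so here it is written out as an added configuration example. It is not from the thread or from any participant; the hostname, file paths, CA name and log path are placeholders, and it assumes httpd 2.4 with mod_ssl and mod_headers loaded and a private CA that has issued one client certificate per team member. The comments mark the weak setting (`SSLVerifyClient optional`, or a plain-http vhost alongside) that this setup must avoid.

```apache
# /etc/apache2/sites-available/vault.conf  (placeholder path; added example, not from the thread)
# Assumes: httpd 2.4, mod_ssl + mod_headers enabled, a private CA ("team-ca") that
# signed one client certificate per team member.  Hostname and paths are placeholders.

# There is deliberately no <VirtualHost *:80> for this name: a typo of "http://"
# should get connection refused, not a cleartext copy of the credential page.
Listen 443

<VirtualHost *:443>
    ServerName   vault.example.com
    DocumentRoot /srv/vault/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/vault/server.crt
    SSLCertificateKeyFile /etc/ssl/vault/server.key

    # TLS only.  SSLv2/SSLv3 were the weak defaults in 2013; today also drop TLS 1.0/1.1.
    SSLProtocol         all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4

    # The actual access control: the client must present a certificate signed by
    # our own CA.  The weak setting is "SSLVerifyClient optional", which lets a
    # browser with no certificate straight through to the content; "require"
    # rejects it before any page is served.  Depth 1 = signed directly by team-ca.
    SSLCACertificateFile /etc/ssl/vault/team-ca.crt
    SSLVerifyClient      require
    SSLVerifyDepth       1

    # When a team member leaves, revoke their cert instead of re-issuing everyone's.
    SSLCARevocationFile  /etc/ssl/vault/team-ca.crl
    SSLCARevocationCheck chain

    # Belt and braces: this tree is TLS-only even if another vhost is misconfigured,
    # and no directory listing of the credential files.
    <Directory /srv/vault/htdocs>
        SSLRequireSSL
        Require all granted
        Options -Indexes
    </Directory>

    # Tell browsers never to try http for this host, and never to cache the pages.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set Cache-Control "no-store"

    # Log which certificate (not just which IP) fetched the page: that is the audit
    # trail the compliance officer will ask for.
    LogFormat "%h %t \"%r\" %>s %{SSL_CLIENT_S_DN_CN}x" vault
    CustomLog /var/log/apache2/vault-access.log vault
</VirtualHost>
```

To check the setting actually bites, fetch the page twice with `openssl s_client -connect vault.example.com:443` (plus `-cert member.crt -key member.key` the second time): without a certificate the request must not return the page (a handshake alert on TLS 1.2, a 403 on TLS 1.3, depending on the OpenSSL build), and with one it must. The part this config does not solve is the one Ed's last point is about: the team's browsers still receive the clear passwords, so the client-side certificate only controls who can read the page, not what they do with it afterwards.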