Looking for secure way to share passwords

Mon Oct 28 17:36:02 MST 2013

Ed,

Team was an simple term for a group of people. These folks are not computer
literate...just beneficiaries of a trust that I administer. So, they want
access to financial information about the trust. One has a hard time
understanding the information on a checking account statement.....the
difference between posting date and transaction date took some explaining.
One still uses a paper calendar, so no online calendar to make
appointments. They can send and receive email and text messages, and that
is all. One just got a facebook account last week. One is still using a
Motorola flip phone from the 80s on Verizon...she is waiting for them to
pay her to upgrade to android/ios... ;-) She also has an original
iPad.....it crashes all the time due to low memory, but that does not cause
enough pain to buy a new one. Pure Luddites, and I don't mean that in a
negative way. Just their lifestyle, and I have to deal with it. Plain text
email with login credentials seemed like a bad idea given their total lack
of understanding about online security, hence my question.

It takes a lot of different folks to fill out a bell shaped curve.....;)

Mark

On Sun, Oct 27, 2013 at 9:13 PM, Ed <plug at 0x1b.com> wrote:

> On Sun, Oct 27, 2013 at 8:25 AM, Mark Phillips
> <mark at phillipsmarketing.biz> wrote:
> > On Sun, Oct 27, 2013 at 2:12 AM, Ed <plug at 0x1b.com> wrote:
> >>
> >> Hi All,
> >>
> >> 1) your compliance officer is having kittens....
> > The compliance officer does not like cats.....the team members are the
> ones
> > having kittens.
> > PasswordSafe is too complicated for them to use.
>
> ok - if your compliance officer is happy, then me too - PasswordSafe
> too complicated... hmm, I would never have guessed that.
>
> >>
> >>
> >> 3) if you need to control access (AAA), you should think about
> nevermind - too complicated, but WF can do that kind of relationship if
> needed
> team gets their own creds for your SAML server, it federates to
> >
> > The credentials I am sharing are not for my servers, but for accounts on
> > servers
> > that I don't manage. Like Wells Fargo.
> >>
> >>
> >> why not keep things simple?
> >
> >
> > I am all for that!!!! ;)
> >>
> >>
> >> It sounds like you could get by with a plain Apache httpd install that
> >> only serves https and requires a client side certificate for access,
> >> there really is no reason to put this info on any other systems. Odds
> >> are good you can serve this up from your office cable/DSL service
> >> without too much trouble.
> >
> >
> > That would work. My biggest concern is that I am not enough of a security
> > expert
> > to guarantee that what I whip up is secure enough. So, I am looking for
> > recommendations
> > for third party solutions that are secure.
>
> Hard to beat a website you host for secure and simple ( ie team
> appropriate access) and PLUG does have a security meeting that could
> pen test your work.
> http://phxlinux.org/meetings/20-linux-security-hackfest.html
> The hardest part might be installing certificates in your team's
> browsers - not an act many users are familiar with, but easily
> cookbooked and should be a one time event. If you run Linux, just load
> Apache-httpd (yum or apt or..) and look at http://localhost - I bet it
> is already up.
>
> If you have access to your team's computers, it might be easier to
> just SSH (remote access) into their systems and keep a file updated on
> their system. Team members would then just be working off a local doc
> file, almost as easy as hitting a bookmark.
>
> If your only worry is that the file be secure in transit, then this
> should be an easy thing.
>
> >>
> >>
> >> And, NO!  none of this is appropriate for real client credentials -
> >> also make your clients pick new random 12 character passwords
> >> (MyPasswordSafe can generate them for you if needed) the odds are good
> >> that the passwords you are sharing with your team are the same
> >> passwords your clients use for personal email and all sorts of other
> >> things too.
> >
> >
> > Since I pass out the credentials and manage them, I control when the
> > passwords change.
> > I just need a secure and easy way to communicate the changes to the team
> > members.
> > Remember, the team members cannot spell "pgp", so it has to be really
> simple
> > for them,
> > but secure enough to keep a Wells Fargo account login safe.
>
> if you're the originator of the credentials then ~ nevermind
>
> >>
> >>
> >> Mark - this is bad, really bad
> >
> >
> > What is bad??? My problem or the proposed solutions?
>
> Didn't understand that these are more like hosted accounts - and not
> true client accounts (street) so no ID theft risk or other chicanery.
> Disclosure of passwords to third parties will violate terms on many
> accounts. Not a problem here as your compliance O is happy.
>
> still wondering about the usefulness of a team that is challenged by
> spelling "pgp"  ...
>
> >
> > Thanks,
> >
> > Mark
> >>
> >>
> >> On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips
> >> <mark at phillipsmarketing.biz> wrote:
> >> > I use keypass2 with dropbox for my personal passwords and love it. But
> >> > it is
> >> > too complicated for my team...:-(
> >> >
> >> > Mark
> >> >
> >> > On Oct 26, 2013 2:58 PM, "Michael Butash" <michael at butash.net> wrote:
> >> >>
> >> >> At work we use "password safe" to share common passwords like service
> >> >> accounts, shared vendor accounts, and various other credentials that
> >> >> are not
> >> >> unique to a member.  It's kind of a kludge, and of course windoze
> only,
> >> >> so I
> >> >> have to use vm to access it. quite annoying.
> >> >>
> >> >> I've considered pushing to use keepass instead, as I've used this as
> >> >> well
> >> >> for a good 6 years under linux.  Only problem is it's only a file db
> to
> >> >> be
> >> >> accessed, which makes anyone not on a shared network resource
> accessing
> >> >> it
> >> >> difficult.  Also sadly, even the "official" version iterated to
> >> >> keepass2, a
> >> >> really crap c#/mono application that barely works under linux, and
> not
> >> >> without frustrations, but older 1.x format with keepassx works great.
> >> >>
> >> >> I have since migrated to LastPass, even paying for the service
> because
> >> >> I've found it to be more valuable than the $12 a year personally, and
> >> >> their
> >> >> "enterprise version" can have shared access permissions.  Perhaps the
> >> >> consumer version can be coaxed to do this too, but I've not had
> >> >> necessity to
> >> >> try.  The android integration with dolphin browser (plugin) makes it
> >> >> easy on
> >> >> any platform, mobile or desktop for consistent access means.
> >> >>
> >> >> Secure shared access for me is a random large/complex string that I
> >> >> note
> >> >> as who I've given it to, and only as long as needed before changing
> it.
> >> >> I
> >> >> don't remember passwords, preferring the ambiguity that if I can
> >> >> remember
> >> >> it, likely others can brute-force it, or torture it out of me.
> >> >>
> >> >> Of course any service like lastpass inside the US, the NSA would
> simply
> >> >> subpoena and force to give unilateral access to my account anyway
> (much
> >> >> as
> >> >> they can/do anyone, thank your politicians) at that point, so really
> >> >> confidentiality is all a perception regardless as long as anything is
> >> >> shared
> >> >> externally.
> >> >>
> >> >> -mb
> >> >>
> >> >>
> >> >> On 10/26/2013 02:31 PM, Eric Cope wrote:
> >> >>
> >> >> I use lastpass, although not to share... I can help demo it if you
> >> >> want...
> >> >>
> >> >> Eric
> >> >>
> >> >>
> >> >> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips
> >> >> <mark at phillipsmarketing.biz> wrote:
> >> >>>
> >> >>> I have a small team, and I am looking for a way to share account
> info
> >> >>> -
> >> >>> user names and password, and password updates. These are login
> >> >>> credentials
> >> >>> for financial accounts I manage.
> >> >>>
> >> >>> I googled for some ideas, and came up with snail mail, various web
> >> >>> services that encrypt/decrypt emails, Lastpass, and safegmail.
> >> >>>
> >> >>> The users are technical noobs, so it has to be easy. No software to
> >> >>> install. Free or inexpensive. They use Windows and Mac, I use Linux.
> >> >>> Only I
> >> >>> use Gmail, so safegmail is out.
> >> >>>
> >> >>> Does anyone have any recommendations for web service solutions?
> Anyone
> >> >>> use Lastpass? Other ideas?
> >> >>>
> >> >>> Thanks,
> >> >>>
> >> >>> Mark
> >> >>>
> >> >>>
> >> >>> ---------------------------------------------------
> >> >>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >> >>> To subscribe, unsubscribe, or to change your mail settings:
> >> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> ---------------------------------------------------
> >> >> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >> >> To subscribe, unsubscribe, or to change your mail settings:
> >> >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >> >>
> >> >>
> >> >>
> >> >> ---------------------------------------------------
> >> >> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >> >> To subscribe, unsubscribe, or to change your mail settings:
> >> >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >> >
> >> >
> >> > ---------------------------------------------------
> >> > PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >> > To subscribe, unsubscribe, or to change your mail settings:
> >> > http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20131028/6e356ec4/attachment.html>