<div dir="ltr"><div>Ed,<br><br></div>Team was a simple term for a group of people. These folks are not computer literate...just beneficiaries of a trust that I administer. So, they want access to financial information about the trust. One has a hard time understanding the information on a checking account statement.....the difference between posting date and transaction date took some explaining. One still uses a paper calendar, so no online calendar to make appointments. They can send and receive email and text messages, and that is all. One just got a Facebook account last week. One is still using a Motorola flip phone from the 80s on Verizon...she is waiting for them to pay her to upgrade to Android/iOS... ;-) She also has an original iPad.....it crashes all the time due to low memory, but that does not cause enough pain to buy a new one. Pure Luddites, and I don't mean that in a negative way. Just their lifestyle, and I have to deal with it. Plain text email with login credentials seemed like a bad idea given their total lack of understanding about online security, hence my question. <br>
<br>It takes a lot of different folks to fill out a bell shaped curve.....;)<br><br>Mark<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Oct 27, 2013 at 9:13 PM, Ed <span dir="ltr"><<a href="mailto:plug@0x1b.com" target="_blank">plug@0x1b.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Sun, Oct 27, 2013 at 8:25 AM, Mark Phillips<br>
<<a href="mailto:mark@phillipsmarketing.biz">mark@phillipsmarketing.biz</a>> wrote:<br>
> On Sun, Oct 27, 2013 at 2:12 AM, Ed <<a href="mailto:plug@0x1b.com">plug@0x1b.com</a>> wrote:<br>
>><br>
>> Hi All,<br>
>><br>
>> 1) your compliance officer is having kittens....<br>
</div><div class="im">> The compliance officer does not like cats.....the team members are the ones<br>
> having kittens.<br>
> PasswordSafe is too complicated for them to use.<br>
<br>
</div>ok - if your compliance officer is happy, then me too - PasswordSafe<br>
too complicated... hmm, I would never have guessed that.<br>
<div class="im"><br>
>><br>
>><br>
>> 3) if you need to control access (AAA), you should think about<br>
</div>nevermind - too complicated, but WF can do that kind of relationship if needed<br>
<div class="im">team gets their own creds for your SAML server, it federates to<br>
><br>
</div><div class="im">> The credentials I am sharing are not for my servers, but for accounts on<br>
> servers<br>
> that I don't manage. Like Wells Fargo.<br>
>><br>
>><br>
>> why not keep things simple?<br>
><br>
><br>
> I am all for that!!!! ;)<br>
>><br>
>><br>
>> It sounds like you could get by with a plain Apache httpd install that<br>
>> only serves https and requires a client side certificate for access,<br>
>> there really is no reason to put this info on any other systems. Odds<br>
>> are good you can serve this up from your office cable/DSL service<br>
>> without too much trouble.<br>
><br>
><br>
> That would work. My biggest concern is that I am not enough of a security<br>
> expert<br>
> to guarantee that what I whip up is secure enough. So, I am looking for<br>
> recommendations<br>
> for third party solutions that are secure.<br>
<br>
</div>Hard to beat a website you host for secure and simple ( ie team<br>
appropriate access) and PLUG does have a security meeting that could<br>
pen test your work.<br>
<a href="http://phxlinux.org/meetings/20-linux-security-hackfest.html" target="_blank">http://phxlinux.org/meetings/20-linux-security-hackfest.html</a><br>
The hardest part might be installing certificates in your team's<br>
browsers - not an act many users are familiar with, but easily<br>
cookbooked and should be a one time event. If you run Linux, just load<br>
Apache-httpd (yum or apt or..) and look at <a href="http://localhost" target="_blank">http://localhost</a> - I bet it<br>
is already up.<br>
<br>
If you have access to your team's computers, it might be easier to<br>
just SSH (remote access) into their systems and keep a file updated on<br>
their system. Team members would then just be working off a local doc<br>
file, almost as easy as hitting a bookmark.<br>
<br>
If your only worry is that the file be secure in transit, then this<br>
should be an easy thing.<br>
<div class="im"><br>
>><br>
>><br>
>> And, NO! none of this is appropriate for real client credentials -<br>
>> also make your clients pick new random 12 character passwords<br>
>> (MyPasswordSafe can generate them for you if needed) the odds are good<br>
>> that the passwords you are sharing with your team are the same<br>
>> passwords your clients use for personal email and all sorts of other<br>
>> things too.<br>
><br>
><br>
> Since I pass out the credentials and manage them, I control when the<br>
> passwords change.<br>
> I just need a secure and easy way to communicate the changes to the team<br>
> members.<br>
> Remember, the team members cannot spell "pgp", so it has to be really simple<br>
> for them,<br>
> but secure enough to keep a Wells Fargo account login safe.<br>
<br>
</div>if you're the originator of the credentials then ~ nevermind<br>
<div class="im"><br>
>><br>
>><br>
>> Mark - this is bad, really bad<br>
><br>
><br>
> What is bad??? My problem or the proposed solutions?<br>
<br>
</div>Didn't understand that these are more like hosted accounts - and not<br>
true client accounts (street) so no ID theft risk or other chicanery.<br>
Disclosure of passwords to third parties will violate terms on many<br>
accounts. Not a problem here as your compliance O is happy.<br>
<br>
still wondering about the usefulness of a team that is challenged by<br>
spelling "pgp" ...<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> Thanks,<br>
><br>
> Mark<br>
>><br>
>><br>
>> On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips<br>
>> <<a href="mailto:mark@phillipsmarketing.biz">mark@phillipsmarketing.biz</a>> wrote:<br>
>> > I use keepass2 with Dropbox for my personal passwords and love it. But<br>
>> > it is<br>
>> > too complicated for my team...:-(<br>
>> ><br>
>> > Mark<br>
>> ><br>
>> > On Oct 26, 2013 2:58 PM, "Michael Butash" <<a href="mailto:michael@butash.net">michael@butash.net</a>> wrote:<br>
>> >><br>
>> >> At work we use "password safe" to share common passwords like service<br>
>> >> accounts, shared vendor accounts, and various other credentials that<br>
>> >> are not<br>
>> >> unique to a member. It's kind of a kludge, and of course windoze only,<br>
>> >> so I<br>
>> >> have to use vm to access it. quite annoying.<br>
>> >><br>
>> >> I've considered pushing to use keepass instead, as I've used this as<br>
>> >> well<br>
>> >> for a good 6 years under linux. Only problem is it's only a file db to<br>
>> >> be<br>
>> >> accessed, which makes anyone not on a shared network resource accessing<br>
>> >> it<br>
>> >> difficult. Also sadly, even the "official" version iterated to<br>
>> >> keepass2, a<br>
>> >> really crap c#/mono application that barely works under linux, and not<br>
>> >> without frustrations, but older 1.x format with keepassx works great.<br>
>> >><br>
>> >> I have since migrated to LastPass, even paying for the service because<br>
>> >> I've found it to be more valuable than the $12 a year personally, and<br>
>> >> their<br>
>> >> "enterprise version" can have shared access permissions. Perhaps the<br>
>> >> consumer version can be coaxed to do this too, but I've not had<br>
>> >> necessity to<br>
>> >> try. The android integration with dolphin browser (plugin) makes it<br>
>> >> easy on<br>
>> >> any platform, mobile or desktop for consistent access means.<br>
>> >><br>
>> >> Secure shared access for me is a random large/complex string that I<br>
>> >> note<br>
>> >> as who I've given it to, and only as long as needed before changing it.<br>
>> >> I<br>
>> >> don't remember passwords, preferring the ambiguity that if I can<br>
>> >> remember<br>
>> >> it, likely others can brute-force it, or torture it out of me.<br>
>> >><br>
>> >> Of course any service like lastpass inside the US, the NSA would simply<br>
>> >> subpoena and force to give unilateral access to my account anyway (much<br>
>> >> as<br>
>> >> they can/do anyone, thank your politicians) at that point, so really<br>
>> >> confidentiality is all a perception regardless as long as anything is<br>
>> >> shared<br>
>> >> externally.<br>
>> >><br>
>> >> -mb<br>
>> >><br>
>> >><br>
>> >> On 10/26/2013 02:31 PM, Eric Cope wrote:<br>
>> >><br>
>> >> I use lastpass, although not to share... I can help demo it if you<br>
>> >> want...<br>
>> >><br>
>> >> Eric<br>
>> >><br>
>> >><br>
>> >> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips<br>
>> >> <<a href="mailto:mark@phillipsmarketing.biz">mark@phillipsmarketing.biz</a>> wrote:<br>
>> >>><br>
>> >>> I have a small team, and I am looking for a way to share account info<br>
>> >>> -<br>
>> >>> user names and password, and password updates. These are login<br>
>> >>> credentials<br>
>> >>> for financial accounts I manage.<br>
>> >>><br>
>> >>> I googled for some ideas, and came up with snail mail, various web<br>
>> >>> services that encrypt/decrypt emails, Lastpass, and safegmail.<br>
>> >>><br>
>> >>> The users are technical noobs, so it has to be easy. No software to<br>
>> >>> install. Free or inexpensive. They use Windows and Mac, I use Linux.<br>
>> >>> Only I<br>
>> >>> use Gmail, so safegmail is out.<br>
>> >>><br>
>> >>> Does anyone have any recommendations for web service solutions? Anyone<br>
>> >>> use Lastpass? Other ideas?<br>
>> >>><br>
>> >>> Thanks,<br>
>> >>><br>
>> >>> Mark<br>
>> >>><br>
>> >>><br>
>> >>> ---------------------------------------------------<br>
>> >>> PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
>> >>> To subscribe, unsubscribe, or to change your mail settings:<br>
>> >>> <a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
><br>
><br>
</div></div></blockquote></div><br></div>
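Ed's suggestion quoted above (a plain Apache httpd that serves only https and requires a client-side certificate), written out as an added configuration example; it is not from any poster in the thread. The host name, file paths and certificate CNs are placeholder assumptions, and the client certificates are assumed to come from a small private CA run by the administrator.

```apache
# Added example; host name, paths and CNs below are placeholders.

# Port 80 serves no content: every request is redirected to HTTPS.
<VirtualHost *:80>
    ServerName trust.example.org
    Redirect permanent / https://trust.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName trust.example.org
    DocumentRoot /srv/trust-docs

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/ssl/trust/server.crt
    SSLCertificateKeyFile /etc/ssl/trust/server.key

    # Trust only the private CA that issued the team's client certificates.
    # Do not point this at the system CA bundle.
    SSLCACertificateFile /etc/ssl/trust/team-ca.crt
    SSLVerifyDepth 1

    # Weak setting: "optional" lets the handshake finish with no certificate,
    # so access control then depends on every later rule being right.
    #SSLVerifyClient optional
    # Corrected setting: the handshake fails unless a valid certificate is sent.
    SSLVerifyClient require

    # A lost laptop or phone is handled by revoking its certificate in the CRL.
    SSLCARevocationFile  /etc/ssl/trust/team-ca.crl
    SSLCARevocationCheck leaf

    <Directory /srv/trust-docs>
        Options -Indexes
        # Allow only named certificate holders, not every certificate from the CA.
        Require expr "%{SSL_CLIENT_S_DN_CN} in {'beneficiary-1', 'beneficiary-2'}"
    </Directory>
</VirtualHost>
```

With `SSLVerifyClient require` a browser without an installed certificate never gets as far as an HTTP response, which is why installing the certificates on the team's browsers is the one-time step Ed mentions.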