Ed,

Team was a simple term for a group of people. These folks are not computer literate...just beneficiaries of a trust that I administer. So, they want access to financial information about the trust. One has a hard time understanding the information on a checking account statement.....the difference between posting date and transaction date took some explaining. One still uses a paper calendar, so no online calendar to make appointments. They can send and receive email and text messages, and that is all. One just got a Facebook account last week. One is still using a Motorola flip phone from the 80s on Verizon...she is waiting for them to pay her to upgrade to android/ios... ;-) She also has an original iPad.....it crashes all the time due to low memory, but that does not cause enough pain to buy a new one.

Pure Luddites, and I don't mean that in a negative way. Just their lifestyle, and I have to deal with it. Plain text email with login credentials seemed like a bad idea given their total lack of understanding about online security, hence my question.

It takes a lot of different folks to fill out a bell shaped curve.....;)

Mark

On Sun, Oct 27, 2013 at 9:13 PM, Ed wrote:
> On Sun, Oct 27, 2013 at 8:25 AM, Mark Phillips wrote:
> > On Sun, Oct 27, 2013 at 2:12 AM, Ed wrote:
> >>
> >> Hi All,
> >>
> >> 1) your compliance officer is having kittens....
> > The compliance officer does not like cats.....the team members are the
> > ones having kittens.
> > PasswordSafe is too complicated for them to use.
>
> ok - if your compliance officer is happy, then me too - PasswordSafe
> too complicated... hmm, I would never have guessed that.
>
> >>
> >>
> >> 3) if you need to control access (AAA), you should think about
> nevermind - too complicated, but WF can do that kind of relationship if
> needed
> team gets their own creds for your SAML server, it federates to
> >
> > The credentials I am sharing are not for my servers, but for accounts
> > on servers that I don't manage. Like Wells Fargo.
> >>
> >>
> >> why not keep things simple?
> >
> >
> > I am all for that!!!! ;)
> >>
> >>
> >> It sounds like you could get by with a plain Apache httpd install that
> >> only serves https and requires a client side certificate for access,
> >> there really is no reason to put this info on any other systems. Odds
> >> are good you can serve this up from your office cable/DSL service
> >> without too much trouble.
> >
> >
> > That would work. My biggest concern is that I am not enough of a
> > security expert to guarantee that what I whip up is secure enough.
> > So, I am looking for recommendations for third party solutions that
> > are secure.
>
> Hard to beat a website you host for secure and simple (ie team
> appropriate access) and PLUG does have a security meeting that could
> pen test your work.
> http://phxlinux.org/meetings/20-linux-security-hackfest.html
> The hardest part might be installing certificates in your team's
> browsers - not an act many users are familiar with, but easily
> cookbooked and should be a one time event. If you run Linux, just load
> Apache-httpd (yum or apt or..) and look at http://localhost - I bet it
> is already up.
>
> If you have access to your team's computers, it might be easier to
> just SSH (remote access) into their systems and keep a file updated on
> their system. Team members would then just be working off a local doc
> file, almost as easy as hitting a bookmark.
>
> If your only worry is that the file be secure in transit, then this
> should be an easy thing.
>
> >>
> >>
> >> And, NO!
> >> none of this is appropriate for real client credentials -
> >> also make your clients pick new random 12 character passwords
> >> (MyPasswordSafe can generate them for you if needed) the odds are good
> >> that the passwords you are sharing with your team are the same
> >> passwords your clients use for personal email and all sorts of other
> >> things too.
> >
> >
> > Since I pass out the credentials and manage them, I control when the
> > passwords change.
> > I just need a secure and easy way to communicate the changes to the
> > team members.
> > Remember, the team members cannot spell "pgp", so it has to be really
> > simple for them,
> > but secure enough to keep a Wells Fargo account login safe.
>
> if you're the originator of the credentials then ~ nevermind
>
> >>
> >>
> >> Mark - this is bad, really bad
> >
> >
> > What is bad??? My problem or the proposed solutions?
>
> Didn't understand that these are more like hosted accounts - and not
> true client accounts (street) so no ID theft risk or other chicanery.
> Disclosure of passwords to third parties will violate terms on many
> accounts. Not a problem here as your compliance O is happy.
>
> still wondering about the usefulness of a team that is challenged by
> spelling "pgp" ...
>
> >
> > Thanks,
> >
> > Mark
> >>
> >>
> >> On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips wrote:
> >> > I use keepass2 with dropbox for my personal passwords and love it.
> >> > But it is too complicated for my team...:-(
> >> >
> >> > Mark
> >> >
> >> > On Oct 26, 2013 2:58 PM, "Michael Butash" wrote:
> >> >>
> >> >> At work we use "password safe" to share common passwords like
> >> >> service accounts, shared vendor accounts, and various other
> >> >> credentials that are not unique to a member. It's kind of a
> >> >> kludge, and of course windoze only, so I have to use vm to access
> >> >> it. quite annoying.
> >> >>
> >> >> I've considered pushing to use keepass instead, as I've used this
> >> >> as well for a good 6 years under linux. Only problem is it's only
> >> >> a file db to be accessed, which makes anyone not on a shared
> >> >> network resource accessing it difficult. Also sadly, even the
> >> >> "official" version iterated to keepass2, a really crap c#/mono
> >> >> application that barely works under linux, and not without
> >> >> frustrations, but older 1.x format with keepassx works great.
> >> >>
> >> >> I have since migrated to LastPass, even paying for the service
> >> >> because I've found it to be more valuable than the $12 a year
> >> >> personally, and their "enterprise version" can have shared access
> >> >> permissions. Perhaps the consumer version can be coaxed to do this
> >> >> too, but I've not had necessity to try. The android integration
> >> >> with dolphin browser (plugin) makes it easy on any platform,
> >> >> mobile or desktop for consistent access means.
> >> >>
> >> >> Secure shared access for me is a random large/complex string that
> >> >> I note as who I've given it to, and only as long as needed before
> >> >> changing it. I don't remember passwords, preferring the ambiguity
> >> >> that if I can remember it, likely others can brute-force it, or
> >> >> torture it out of me.
> >> >>
> >> >> Of course any service like lastpass inside the US, the NSA would
> >> >> simply subpoena and force to give unilateral access to my account
> >> >> anyway (much as they can/do anyone, thank your politicians) at
> >> >> that point, so really confidentiality is all a perception
> >> >> regardless as long as anything is shared externally.
> >> >>
> >> >> -mb
> >> >>
> >> >>
> >> >> On 10/26/2013 02:31 PM, Eric Cope wrote:
> >> >>
> >> >> I use lastpass, although not to share... I can help demo it if you
> >> >> want...
> >> >>
> >> >> Eric
> >> >>
> >> >>
> >> >> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips wrote:
> >> >>>
> >> >>> I have a small team, and I am looking for a way to share account
> >> >>> info - user names and password, and password updates. These are
> >> >>> login credentials for financial accounts I manage.
> >> >>>
> >> >>> I googled for some ideas, and came up with snail mail, various web
> >> >>> services that encrypt/decrypt emails, Lastpass, and safegmail.
> >> >>>
> >> >>> The users are technical noobs, so it has to be easy. No software
> >> >>> to install. Free or inexpensive. They use Windows and Mac, I use
> >> >>> Linux. Only I use Gmail, so safegmail is out.
> >> >>>
> >> >>> Does anyone have any recommendations for web service solutions?
> >> >>> Anyone use Lastpass? Other ideas?
> >> >>>
> >> >>> Thanks,
> >> >>>
> >> >>> Mark
> >> >>>
> >> >>>
> >> >>> ---------------------------------------------------
> >> >>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> >> >>> To subscribe, unsubscribe, or to change your mail settings:
> >> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
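
Ed's suggestion quoted in the thread above (a plain Apache httpd install that only serves https and requires a client side certificate) could be configured as follows. This is an added example, not part of the original thread: it assumes Apache 2.4 with mod_ssl, and the host name, file paths and certificate common names are placeholders.

```apache
# Added example; trust.example.org, every path and the CN values below
# are placeholders (assumptions), not values from the thread.

# Assumes this is the only Listen directive in the configuration:
# with no "Listen 80" there is no plain-http service at all.
Listen 443

<VirtualHost *:443>
    ServerName trust.example.org
    DocumentRoot "/srv/trust-docs"

    SSLEngine on
    # Server identity presented to the browser.
    SSLCertificateFile    "/etc/httpd/tls/server.crt"
    SSLCertificateKeyFile "/etc/httpd/tls/server.key"
    # Drop legacy protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Private CA that signed each member's browser certificate.
    SSLCACertificateFile  "/etc/httpd/tls/team-ca.crt"
    # Refuse the TLS handshake unless the browser presents a certificate
    # issued directly by that CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Revocation list, so one lost device's certificate can be cut off
    # without reissuing everyone else's.
    SSLCARevocationFile  "/etc/httpd/tls/team-ca.crl"
    SSLCARevocationCheck leaf

    <Directory "/srv/trust-docs">
        Options None
        AllowOverride None
        # Only the named certificate holders get in, even if the CA
        # later issues certificates for some other purpose.
        Require expr "%{SSL_CLIENT_S_DN_CN} in {'member-one', 'member-two'}"
    </Directory>

    # Record which certificate fetched what, for later review.
    LogFormat "%h %t \"%r\" %>s cn=%{SSL_CLIENT_S_DN_CN}x" clientcert
    CustomLog "logs/trust_access.log" clientcert
</VirtualHost>
```

For the one-time browser import Ed mentions, each member's certificate and private key are usually bundled into a single password-protected PKCS#12 file.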