On Sun, Oct 27, 2013 at 2:12 AM, Ed <plug@0x1b.com> wrote:
> Hi All,
>
> 1) your compliance officer is having kittens....  they don't call it
> the "designated felon" position for nothin'
>
> 2) on non-windows systems, PasswordSafe is called MyPasswordSafe - the
> file format is identical and you can send the encrypted store as
> needed. That and a phone call and your clients' info is wherever your
> team needs it. Oh look, more kittens  8)

The compliance officer does not like cats.....the team members are the ones having kittens.
PasswordSafe is too complicated for them to use.

> 3) if you need to control access (AAA), you should think about
> federating your back office apps with a SAML server - like OpenAM.
> Your team gets their own creds for your SAML server, it federates to
> the backend servers with your {still secret} client's creds and gives
> your team access.

The credentials I am sharing are not for my servers, but for accounts on servers
that I don't manage. Like Wells Fargo.

> why not keep things simple?

I am all for that!!!! ;)

> It sounds like you could get by with a plain Apache httpd install that
> only serves https and requires a client side certificate for access,
> there really is no reason to put this info on any other systems. Odds
> are good you can serve this up from your office cable/DSL service
> without too much trouble.

That would work. My biggest concern is that I am not enough of a security expert
to guarantee that what I whip up is secure enough. So, I am looking for recommendations
for third party solutions that are secure.

> And, NO!  none of this is appropriate for real client credentials -
> also make your clients pick new random 12 character passwords
> (MyPasswordSafe can generate them for you if needed) the odds are good
> that the passwords you are sharing with your team are the same
> passwords your clients use for personal email and all sorts of other
> things too.

Since I pass out the credentials and manage them, I control when the passwords change.
I just need a secure and easy way to communicate the changes to the team members.
Remember, the team members cannot spell "pgp", so it has to be really simple for them,
but secure enough to keep a Wells Fargo account login safe.

> Mark - this is bad, really bad

What is bad??? My problem or the proposed solutions?

Thanks,

Mark
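
The https-only Apache httpd with required client certificates that Ed suggests above could be configured along these lines. This is an added example, not configuration posted by anyone in the thread; it assumes Apache 2.4 with mod_ssl and a small private CA, and the host name, paths and log name are placeholders.

```apache
# Added example: HTTPS-only vhost that refuses any client that does not
# present a certificate issued by a private CA.
# Host name and all file paths below are placeholders (assumptions).

# Only port 443 is opened; there is no "Listen 80", so nothing is served in clear text.
Listen 443

<VirtualHost *:443>
    ServerName creds.example.com
    DocumentRoot /srv/creds

    SSLEngine on
    # Drop the legacy protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/ssl/private-ca/server.crt
    SSLCertificateKeyFile /etc/ssl/private-ca/server.key

    # Trust only the private CA that signed the team's client certificates,
    # and fail the TLS handshake when no valid client certificate is offered.
    SSLCACertificateFile  /etc/ssl/private-ca/ca.crt
    SSLVerifyClient       require
    # Depth 1: client certificates must be signed directly by that CA.
    SSLVerifyDepth        1

    # A CRL lets one member's certificate be revoked without reissuing the rest.
    SSLCARevocationFile   /etc/ssl/private-ca/ca.crl
    SSLCARevocationCheck  chain

    <Directory /srv/creds>
        Options -Indexes
        # Second check at the authorization layer: deny unless the
        # handshake actually verified a client certificate.
        Require ssl-verify-client
    </Directory>

    # Log the certificate CN with each request so access is attributable.
    LogFormat "%h %t \"%r\" %>s %{SSL_CLIENT_S_DN_CN}x" clientcert
    CustomLog logs/creds_access.log clientcert
</VirtualHost>
```
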

On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips
<mark@phillipsmarketing.biz> wrote:
> I use keepass2 with dropbox for my personal passwords and love it. But it is
> too complicated for my team...:-(
>
> Mark
>
> On Oct 26, 2013 2:58 PM, "Michael Butash" <michael@butash.net> wrote:
>>
>> At work we use "password safe" to share common passwords like service
>> accounts, shared vendor accounts, and various other credentials that are not
>> unique to a member.  It's kind of a kludge, and of course windoze only, so I
>> have to use a VM to access it. Quite annoying.
>>
>> I've considered pushing to use keepass instead, as I've used this as well
>> for a good 6 years under linux.  Only problem is it's only a file db to be
>> accessed, which makes anyone not on a shared network resource accessing it
>> difficult.  Also sadly, even the "official" version iterated to keepass2, a
>> really crap c#/mono application that barely works under linux, and not
>> without frustrations, but older 1.x format with keepassx works great.
>>
>> I have since migrated to LastPass, even paying for the service because
>> I've found it to be more valuable than the $12 a year personally, and their
>> "enterprise version" can have shared access permissions.  Perhaps the
>> consumer version can be coaxed to do this too, but I've not had necessity to
>> try.  The android integration with dolphin browser (plugin) makes it easy on
>> any platform, mobile or desktop for consistent access means.
>>
>> Secure shared access for me is a random large/complex string that I note
>> as who I've given it to, and only as long as needed before changing it.  I
>> don't remember passwords, preferring the ambiguity that if I can remember
>> it, likely others can brute-force it, or torture it out of me.
>>
>> Of course any service like lastpass inside the US, the NSA would simply
>> subpoena and force to give unilateral access to my account anyway (much as
>> they can/do anyone, thank your politicians) at that point, so really
>> confidentiality is all a perception regardless as long as anything is shared
>> externally.
>>
>> -mb
>>
>>
>> On 10/26/2013 02:31 PM, Eric Cope wrote:
>>
>> I use lastpass, although not to share... I can help demo it if you want...
>>
>> Eric
>>
>>
>> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips
>> <mark@phillipsmarketing.biz> wrote:
>>>
>>> I have a small team, and I am looking for a way to share account info -
>>> user names and password, and password updates. These are login credentials
>>> for financial accounts I manage.
>>>
>>> I googled for some ideas, and came up with snail mail, various web
>>> services that encrypt/decrypt emails, Lastpass, and safegmail.
>>>
>>> The users are technical noobs, so it has to be easy. No software to
>>> install. Free or inexpensive. They use Windows and Mac, I use Linux. Only I
>>> use Gmail, so safegmail is out.
>>>
>>> Does anyone have any recommendations for web service solutions? Anyone
>>> use Lastpass? Other ideas?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss