Re: Looking for secure way to share passwords

Author: Ed
Date:  
To: Main PLUG discussion list
Subject: Re: Looking for secure way to share passwords
Hi All,

1) your compliance officer is having kittens.... they don't call it
the "designated felon" position for nothin'

2) on non-windows systems, PasswordSafe is called MyPasswordSafe - the
file format is identical and you can send the encrypted store as
needed. That and a phone call and your clients' info is wherever your
team needs it. Oh look, more kittens 8)

3) if you need to control access (AAA), you should think about
federating your back office apps with a SAML server - like OpenAM.
Your team gets their own creds for your SAML server; it federates to
the backend servers with your {still secret} clients' creds and gives
your team access.

why not keep things simple?

It sounds like you could get by with a plain Apache httpd install that
only serves https and requires a client-side certificate for access;
there really is no reason to put this info on any other systems. Odds
are good you can serve this up from your office cable/DSL service
without too much trouble.

And, NO! None of this is appropriate for real client credentials.
Also, make your clients pick new random 12-character passwords
(MyPasswordSafe can generate them for you if needed); the odds are good
that the passwords you are sharing with your team are the same
passwords your clients use for personal email and all sorts of other
things too.

Mark - this is bad, really bad

On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips
<> wrote:
> I use keypass2 with dropbox for my personal passwords and love it. But it is
> too complicated for my team...:-(
>
> Mark
>
> On Oct 26, 2013 2:58 PM, "Michael Butash" <> wrote:
>>
>> At work we use "password safe" to share common passwords like service
>> accounts, shared vendor accounts, and various other credentials that are not
>> unique to a member. It's kind of a kludge, and of course windoze only, so I
>> have to use a vm to access it. Quite annoying.
>>
>> I've considered pushing to use keepass instead, as I've used this as well
>> for a good 6 years under linux. Only problem is it's only a file db to be
>> accessed, which makes anyone not on a shared network resource accessing it
>> difficult. Also sadly, even the "official" version iterated to keepass2, a
>> really crap c#/mono application that barely works under linux, and not
>> without frustrations, but older 1.x format with keepassx works great.
>>
>> I have since migrated to LastPass, even paying for the service because
>> I've found it to be more valuable than the $12 a year personally, and their
>> "enterprise version" can have shared access permissions. Perhaps the
>> consumer version can be coaxed to do this too, but I've not had necessity to
>> try. The android integration with dolphin browser (plugin) makes it easy on
>> any platform, mobile or desktop for consistent access means.
>>
>> Secure shared access for me is a random large/complex string that I note
>> as who I've given it to, and only as long as needed before changing it. I
>> don't remember passwords, preferring the ambiguity that if I can remember
>> it, likely others can brute-force it, or torture it out of me.
>>
>> Of course any service like lastpass inside the US, the NSA would simply
>> subpoena and force to give unilateral access to my account anyway (much as
>> they can/do anyone, thank your politicians) at that point, so really
>> confidentiality is all a perception regardless as long as anything is shared
>> externally.
>>
>> -mb
>>
>>
>> On 10/26/2013 02:31 PM, Eric Cope wrote:
>>
>> I use lastpass, although not to share... I can help demo it if you want...
>>
>> Eric
>>
>>
>> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips
>> <> wrote:
>>>
>>> I have a small team, and I am looking for a way to share account info -
>>> user names and password, and password updates. These are login credentials
>>> for financial accounts I manage.
>>>
>>> I googled for some ideas, and came up with snail mail, various web
>>> services that encrypt/decrypt emails, Lastpass, and safegmail.
>>>
>>> The users are technical noobs, so it has to be easy. No software to
>>> install. Free or inexpensive. They use Windows and Mac, I use Linux. Only I
>>> use Gmail, so safegmail is out.
>>>
>>> Does anyone have any recommendations for web service solutions? Anyone
>>> use Lastpass? Other ideas?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
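Ed's suggestion of an httpd that only serves https and demands a client-side certificate, written out as an added example Apache 2.4 virtual-host configuration; this is not from the thread or from any project, and the hostname, certificate and CRL paths, and DocumentRoot are placeholders.

```apache
# Added example (not from the thread): httpd that only serves HTTPS and
# refuses any request that does not present a client cert from your own CA.
# Assumed placeholders: creds.example.invalid, /etc/ssl/..., /srv/creds.
# Plain HTTP exists only to push browsers to HTTPS; nothing is served there.
<VirtualHost *:80>
    ServerName creds.example.invalid
    Redirect permanent "/" "https://creds.example.invalid/"
</VirtualHost>

<VirtualHost *:443>
    ServerName   creds.example.invalid
    DocumentRoot /srv/creds

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile    /etc/ssl/certs/creds.example.invalid.crt
    SSLCertificateKeyFile /etc/ssl/private/creds.example.invalid.key

    # Client certificates: only certs issued by your own private team CA
    # are accepted. Issue one per team member and put it on the CRL when
    # that person leaves, so access is revoked without touching passwords.
    SSLCACertificateFile /etc/ssl/certs/team-ca.crt
    SSLCARevocationFile  /etc/ssl/crl/team-ca.crl
    SSLCARevocationCheck chain
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Directory /srv/creds>
        Options None
        AllowOverride None
        # Belt and braces: deny unless this request came over TLS and the
        # handshake verified a client certificate.
        SSLRequireSSL
        Require ssl-verify-client
    </Directory>

    # Needs mod_headers; tells browsers never to try plain HTTP again.
    Header always set Strict-Transport-Security "max-age=31536000"

    LogLevel warn
    CustomLog /var/log/apache2/creds_access.log combined
</VirtualHost>
```

The access log records which client certificate was presented when you add `%{SSL_CLIENT_S_DN}x` to the log format, which gives you the per-person audit trail a shared password never can.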