McKnife
asked on
Looking for browser password management for IE9
Hi experts.
Our security policy has decided against IE9's own password management. I should evaluate replacements. The single aspect to look at is
"can we build a bridge between an external application like keepass and IE, without losing the security keepass offers?" What we need is that no script/whatever malware may act as the user and access that information. The user must be asked every time he needs to access the passwords.
There are keepass browser plugins like keepasser or keeform, but kp is incompatible with IE9 and kf is offline for good, I suppose.
Is anyone experienced with this topic and able to offer a solution used by him-/herself? Otherwise we would tell the users to use keepass and copy/paste. The solution may not cost much, as it is a terminal server, maybe a single machine license would suit.
If you are using Server 2008 R2, maybe credential manager could be used? But I'm not really sure how to use it on a terminal server.
Roboform might be a good idea here: http://www.roboform.com/.
ASKER
@simon: the credential manager cannot be used here. It can be used for webserver authentication, yes, but not for simple passwords like forums like ee.
@npinfotech: Do you use roboform? It does not seem to me as though it can be configured to ask the user for the master password (or at least for his permission) every time he tries to access the pw database (every time meaning on every website and subsequent websites).
McKnife: I definitely use roboform (I wonder how I got along without it).
The way I have it set up is that only certain logins are protected; I have to log in to roboform in order to access the particular entry.
ASKER
Hmm... I should have told you before...
We use IE9 as a RemoteApp. That means that users connect to a terminal server and don't see the full session (with desktop, explorer and so on), but only IE.
So whatever one would have to do to configure IE and roboform, it would have to be done from within IE.
The reason why I am telling you: you wrote
> have to log in to roboform in order to access the particular entry.
and I am not sure what that looks like.
Ah, got it (you actually stated it at the top!).
If the keepass copy/paste is allowed, I don't see why roboform couldn't pass login information between itself and the terminal/remote app version of IE9. Roboform is an application, but is accessible through IE9 as a toolbar.
They do offer a version called RoboForm Everywhere v7.2.8, which is cloud based.
Both the desktop and cloud based versions have a trial period, so I suggest downloading each version to see if they work. I know their support is great, and they are working on an AD/network integrated version.
I wish I knew more about the way IE9 runs as a remote app.
ASKER
I am testing roboform right now.
I used another forum and saved a passcard. Afterwards, I was able to click the passcard and r'form opens the correct website and logs me in.
Question: Is this operation protected somehow (I mean: as I was not asked for my master password after clicking that passcard, I fear that a script I launch via browser could detect that roboform is in use and read out all passcards - given the fact that the script has the same rights as the user who started it involuntarily)?
For every passcard there is a lock button; was the lock enabled on the passcard you used? (See attachment for what it looks like; it should be in the upper-right corner of your screen.)
When you are prompted for your master password, you have the option of entering the password with a software keyboard. You can also configure a biometric device to be used, like a fingerprint reader.
The database has a ton of options to encrypt its passwords, but as far as encrypting transmission from database to browser, I'm not sure. I'll look into it.
ASKER
The lock was enabled - nevertheless if I restart the browser and click on that passcard, I don't have to enter a password. Is that expected behavior?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Hey... that option seems to be it.
Will test it for a while.