Link to home
Start Free TrialLog in
Avatar of McKnife
McKnifeFlag for Germany

asked on

Looking for browser password management for IE9

Hi experts.

Our security policy has decided against IE9's own password management. I should evaluate replacements. The single aspect to look at is

"can we build a bridge between an external application like keepass and IE, without losing the security keepass offers?" What we need is that no script/whatever malware may act as the user and access that information. The user must be asked every time he needs to access the passwords.

There are keepass browser plugins like keepasser or keeform, but kp is incompatible to IE9 and kf is offline for good, I suppose.

Is anyone experienced at this topic and able to offer a solution used by him-/herself? Otherwise we would tell the users to use keepass and copy/paste. The solution may not cost much, as it is a terminal server, maybe a single machine license would suit.
Avatar of simonlimon
simonlimon
Flag of Slovenia image

If you are using Server 2008 R2, maybe credential manager could be used? But I'm not really sure how to use it on a terminal server.

Roboform might be a good idea here: http://www.roboform.com/.
Avatar of McKnife

ASKER

@simon: the credential manager cannot be used here. It can be used for webserver authentication, yes, but not for simple passwords like forums like ee.

@npinfotech: Do you use roboform? It does not seem to me as though it can be configured to ask the user for the masterpassword (or at least for his permission) everytime he tries to access the pw database (everytime meaning on every website and subsequent websites).
McKnife: i definitely use roboform (I wonder how I got along without it).

The way I have it set up is that only certain logins are protected; I have to log in to roboform in order to access the particular entry.  
Avatar of McKnife

ASKER

Hmm... I should have told you before...
we use IE9 as a remoteapp. That means that users connect to a terminalserver and don't see the full session (with desktop, explorer and so on), but only IE.

So whatever one would have to do to configure IE and roboform, it would have to be done from within IE.

The reason why I am telling you: you wrote
> have to log in to roboform in order to access the particular entry.  
and I am not sure how that looks like.
Ah, got it (you actually stated it at the top!).

If the keepass copy/paste is allowed, I don't see why robooform couldn't pass log in information between itself and the terminal/remote app version of ie9.  Roboform is an application, but is accessible through ie9 as a toolbar.  

They do offer a version called RoboForm Everywhere v7.2.8, which is cloud based.

Both the desktop and cloud based versions have a trial period, so I suggest downloading each version to see if they work.  I know their support is great, and they are working on an AD/network integrated version.  

I wish I knew more about the way IE9 runs as a remote app.  
Avatar of McKnife

ASKER

I am testing roboform right now.

I used another forum and saved a passcard. Afterwards, I was able to click the passcard and r'form opens the correct website and logs me in.

Question: Is this operation protected somehow (I mean: as I was not asked for my master password after clicking that passcard, I fear that a script I launch via browser could detect that roboform is in use and read out all passcards - given the fact that the script has the same rights as the user who started it unvoluntarily)?
for every passcard there is a lock button; was the lock enabled on the passcard you used?  (see attachment for what it looks like; it should be  in the upper-right corner of your screen).

User generated image
When you are prompted for your master password, you have the option of entering the password with a software keyboard.  You can also configure a biometric device to be used, like a fingerprint reader.  

The database has a ton of options to encrypt it's passwords, but as far as encrypting transmission from database to browser, I'm not sure.  I'll look into it.  
Avatar of McKnife

ASKER

The lock was enabled - nevertheless if I restart the browser and click on that passcard, I don't have to enter a password. Is that expected behavior?
ASKER CERTIFIED SOLUTION
Avatar of npinfotech
npinfotech
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of McKnife

ASKER

Hey... that options seems to be it.
Will test it for a while.