
How to secure password in a multi user environment

I have a dilemma and I'm not sure what is the best way to go about it.

I want my employees to have access to various websites; some do not have the option of setting multiple logins with permissions, so there's only 1 login.

I want to use a password manager so it will automatically log in to those sites, but all the password managers I have tried so far require a master password to unlock to use them. That defeats the purpose because then they can export or look into the database and get the password. I also do not want to install a password manager on all 15 of our computers.

I was looking to find a solution that I can manage in a central location (my desktop) and maybe load the login/pw on a USB that anyone can use to access these sites, but they cannot open the program on the USB to get to the passwords. I even thought of using a biometric USB so only certain individuals can use it. They would be given the USB in the morning when they start their shift and hand it back at the end of their shift.

If anyone has any ideas on how this can be implemented, please share.
1 Solution
Windows passwords are designed around a USER model -- not a DEVICE model, like a USB drive. As far as websites go, once you enter a login-PW for that site, and you give it to a user, he/she can access it any time, even from home. So WEB resources are based on knowledge of the login and password, whereas LAN resources, like access to disks and servers and apps, are based on the user name and password.

Given this as the limits, I don't see any way to do what you want, but knowing this, maybe come back with an alternate idea, see if this can work some way or other.
Rich Rumble (Security Samurai) commented:
If they are web passwords, you could use Firefox's password manager, and give them a USB stick with Firefox on it. You should be the only one with the master password. To view the passwords, they would need the master as well as export. If you give them the stick with the usernames, and they visit the websites, after they enter the username, the pass *should* fill in, for 90% of the websites I've seen. This will not work however for NT/AD password auth, that can be stored on the PC in the Windows cache; I do not think the M$ cached passwords can be so easily moved.
A company has made a portable Firefox *port* so everything can easily be self-contained in one folder... I don't think it'd be too hard to change about:config however and do it yourself.
Paranormastic (Cryptographic Engineer) commented:
Another possibility might be some SSO (single sign-on) products. SafeNet's software has two flavors that can be stored on a smartcard or USB smart token. Method one is the one you would be looking for: admin "trains" an application or website for what information to recognize, then builds the client to push via GPO, manual install, etc., and then the client enrolls on that application. In your case, you would also do the enrolling since you would not want them to know the password. There is not a way to open up to see the password using this method - a forgotten password would have to be reset and updated on the token. These could be optionally backed up to an encrypted database for recovery, but this doesn't sound like you would need to enable that option. Sounds more complicated than it is - you could be up and rolling in just a few minutes. This would also have an optional 'forgotten token' method so they could use the encrypted backup copy if they forgot their token.

Method 2 would be to have the user enroll their own and this would have access into the saved password list. This may have been discontinued, but last I knew was still there - either way is an optional component and not really what you're looking for.

There are probably other products out there that work similarly, but I know SafeNet's works like this.
You could do something using a web portal. The web portal would manage the passwords but not sure exactly how to set it up.
