How to secure password in a multi user environment

Posted on 2008-11-04
Last Modified: 2013-11-08
I have a dilemma and I'm not sure what is the best way to go about it.

I want my employees to have access to various websites; some do not have the option of setting multiple logins with permissions, so there's only 1 login.

I want to use a password manager so it will automatically log in to those sites, but all the password managers I have tried so far require a master password to unlock to use it. That defeats the purpose because then they can export or look into the database and get the password. I also do not want to install a password manager on all 15 of our computers.

I was looking to find a solution that I can manage in a central location (my desktop) and maybe load the login/pw on a USB that anyone can use to access these sites, but they cannot open the program on the USB to get to the passwords. I even thought of using a biometric USB so only certain individuals can use it. They would be given the USB in the morning when they start their shift and hand it back at the end of their shift.

If anyone has any ideas on how this can be implemented, please share.
Question by: dropshipinc
    LVL 44

    Expert Comment

    Windows passwords are designed around a USER model -- not a DEVICE model, like a USB drive. As far as websites go, once you enter a login-PW for that site, and you give it to a user, he/she can access it any time, even from home. So WEB resources are based on knowledge of the login, password, whereas LAN resources, like access to disks and servers and apps, are based on the user name and password.

    Given this as the limits, I don't see any way to do what you want, but knowing this, maybe come back with an alternate idea, see if this can work some way or other.
    LVL 38

    Accepted Solution

    If they are web passwords, you could use Firefox's password manager, and give them a USB stick with Firefox on it. You should be the only one with the master password. To view the passwords, they would need the master, as well as to export them. If you give them the stick with the usernames, and they visit the websites, after they enter the username, the pass *should* fill in, for 90% of the websites I've seen. This will not work, however, for NT/AD password auth; that can be stored on the PC in the Windows cache, and I do not think the M$ cached passwords can be so easily moved.
    A company has made a portable Firefox *port* so everything can easily be self-contained in one folder... I don't think it'd be too hard to change about:config, however, and do it yourself.
    LVL 31

    Expert Comment

    Another possibility might be some SSO (single sign-on) products. SafeNet's software has two flavors that can be stored on a smartcard or USB smart token. Method one is the one you would be looking for: the admin "trains" an application or website for what information to recognize, then builds the client to push via GPO, manual install, etc., and then the client enrolls on that application. In your case, you would also do the enrolling since you would not want them to know the password. There is not a way to open up to see the password using this method - a forgotten password would have to be reset and updated on the token. These could be optionally backed up to an encrypted database for recovery, but it doesn't sound like you would need to enable that option. Sounds more complicated than it is - you could be up and rolling in just a few minutes. This would also have an optional 'forgotten token' method so they could use the encrypted backup copy if they forgot their token.

    Method 2 would be to have the user enroll their own, and this would have access into the saved password list. This may have been discontinued, but last I knew it was still there - either way it is an optional component and not really what you're looking for.

    There are probably other products out there that work similarly, but I know SafeNet's works like this.
    LVL 17

    Expert Comment

    You could do something using a web portal. The web portal would manage the passwords, but I'm not sure exactly how to set it up.
