How to secure password in a multi user environment

I have a dilemma and I'm not sure what is the best way to go about it.

I want my employees to have access to various websites; some do not have the option of setting multiple logins with permissions, so there's only 1 login.

I want to use a password manager so it will automatically log in to those sites, but all the password managers I have tried so far require a master password to unlock them for use. That defeats the purpose because then they can export or look into the database and get the password. I also do not want to install a password manager on all 15 of our computers.

I was looking to find a solution that I can manage in a central location (my desktop) and maybe load the login/pw on a USB that anyone can use to access these sites, but they cannot open the program on the USB to get to the passwords. I even thought of using a biometric USB so only certain individuals can use it. They would be given the USB in the morning when they start their shift and hand it back at the end of their shift.

If anyone has any ideas on how this can be implemented, please share.

Windows passwords are designed around a USER model -- not a DEVICE model, like a USB drive. As far as websites go, once you enter a login-PW for that site, and you give it to a user, he/she can access it any time, even from home. So WEB resources are based on knowledge of the login and password, whereas LAN resources, like access to disks and servers and apps, are based on the user name and password.

Given this as the limits, I don't see any way to do what you want, but knowing this, maybe come back with an alternate idea, see if this can work some way or other.
Rich Rumble (Security Samurai) commented:
If they are web passwords, you could use Firefox's password manager, and give them a USB stick with Firefox on it. You should be the only one with the master password. To view the passwords, they would need the master as well as export. If you give them the stick with the usernames, and they visit the websites, after they enter the username, the pass *should* fill in, for 90% of the websites I've seen. This will not work, however, for NT/AD password auth; that can be stored on the PC in the Windows cache, and I do not think the M$ cached passwords can be so easily moved.
A company has made a portable Firefox *port* so everything can easily be self-contained in one folder... I don't think it'd be too hard to change about:config, however, and do it yourself.

Paranormastic (Cryptographic Engineer) commented:
Another possibility might be some SSO (single sign-on) products. SafeNet's software has two flavors that can be stored on a smartcard or USB smart token. Method one is the one you would be looking for: admin "trains" an application or website for what information to recognize, then builds the client to push via GPO, manual install, etc., and then the client enrolls on that application. In your case, you would also do the enrolling since you would not want them to know the password. There is not a way to open up to see the password using this method - a forgotten password would have to be reset and updated on the token. These could be optionally backed up to an encrypted database for recovery, but this doesn't sound like you would need to enable that option. Sounds more complicated than it is - you could be up and rolling in just a few minutes. This would also have an optional 'forgotten token' method so they could use the encrypted backup copy if they forgot their token.

Method 2 would be to have the user enroll their own and this would have access into the saved password list. This may have been discontinued, but last I knew was still there - either way it is an optional component and not really what you're looking for.

There are probably other products out there that work similarly, but I know SafeNet's works like this.
You could do something using a web portal. The web portal would manage the passwords but not sure exactly how to set it up.