• Status: Solved
  • Priority: Medium
  • Security: Public

Looking for browser password management for IE9

Hi experts.

Our security policy has decided against IE9's own password management. I should evaluate replacements. The single aspect to look at is

"can we build a bridge between an external application like keepass and IE, without losing the security keepass offers?" What we need is that no script/whatever malware may act as the user and access that information. The user must be asked every time he needs to access the passwords.

There are keepass browser plugins like keepasser or keeform, but kp is incompatible with IE9 and kf is offline for good, I suppose.

Is anyone experienced at this topic and able to offer a solution used by him-/herself? Otherwise we would tell the users to use keepass and copy/paste. The solution may not cost much, as it is a terminal server, maybe a single machine license would suit.
Asked by: McKnife

simonlimon commented:
If you are using Server 2008 R2, maybe credential manager could be used? But I'm not really sure how to use it on a terminal server.

npinfotech commented:
Roboform might be a good idea here: http://www.roboform.com/.

McKnife (Author) commented:
@simon: the credential manager cannot be used here. It can be used for webserver authentication, yes, but not for simple passwords like forums like ee.

@npinfotech: Do you use roboform? It does not seem to me as though it can be configured to ask the user for the master password (or at least for his permission) every time he tries to access the pw database (every time meaning on every website and subsequent websites).
 
npinfotech commented:
McKnife: I definitely use roboform (I wonder how I got along without it).

The way I have it set up is that only certain logins are protected; I have to log in to roboform in order to access the particular entry.  

McKnife (Author) commented:
Hmm... I should have told you before...
We use IE9 as a remoteapp. That means that users connect to a terminal server and don't see the full session (with desktop, explorer and so on), but only IE.

So whatever one would have to do to configure IE and roboform, it would have to be done from within IE.

The reason why I am telling you: you wrote
> have to log in to roboform in order to access the particular entry.  
and I am not sure what that looks like.

npinfotech commented:
Ah, got it (you actually stated it at the top!).

If the keepass copy/paste is allowed, I don't see why roboform couldn't pass login information between itself and the terminal/remote app version of IE9. Roboform is an application, but is accessible through IE9 as a toolbar.

They do offer a version called RoboForm Everywhere v7.2.8, which is cloud based.

Both the desktop and cloud based versions have a trial period, so I suggest downloading each version to see if they work.  I know their support is great, and they are working on an AD/network integrated version.  

I wish I knew more about the way IE9 runs as a remote app.  

McKnife (Author) commented:
I am testing roboform right now.

I used another forum and saved a passcard. Afterwards, I was able to click the passcard and r'form opens the correct website and logs me in.

Question: Is this operation protected somehow (I mean: as I was not asked for my master password after clicking that passcard, I fear that a script I launch via browser could detect that roboform is in use and read out all passcards - given the fact that the script has the same rights as the user who started it involuntarily)?

npinfotech commented:
For every passcard there is a lock button; was the lock enabled on the passcard you used? (See attachment for what it looks like; it should be in the upper-right corner of your screen.)

[Attachment: passcard lock]

When you are prompted for your master password, you have the option of entering the password with a software keyboard.  You can also configure a biometric device to be used, like a fingerprint reader.  

The database has a ton of options to encrypt its passwords, but as far as encrypting transmission from database to browser, I'm not sure. I'll look into it.

McKnife (Author) commented:
The lock was enabled - nevertheless if I restart the browser and click on that passcard, I don't have to enter a password. Is that expected behavior?

npinfotech commented:
Yeah, the default timeout is set for 120 minutes until you're logged out. You can make it something like 1 minute if you like.

McKnife (Author) commented:
Hey... that option seems to be it.
Will test it for a while.