Solved

How does your IT team keep track of passwords?

Posted on 2013-01-27
1,634 Views
Last Modified: 2013-04-02
Hi guys!

What is the best way, from your point of view, to manage passwords in a company?
I really don't like the idea of having a Word/Excel document with its specific permissions, or one password for everything.

I need something where I can categorize permissions, use forms and, most importantly, is secure.
Question by:kjuliff
22 Comments
 
LVL 13

Expert Comment

by:Alexios
ID: 38824470
Hi
We use a hidden Excel file with an irrelevant name like "thumbs", and we have removed the original file extension, .xls.
So it is a file called thumbs.jpg

When we want to access it we just "spend" one more mouse click...

Nowadays many would-be "hackers" exist in our networks...

For me, the simplest way is sometimes the best.

Hope this gives you an idea.
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38824487
Keep track of employees' passwords, you mean?

You don't need that. One of the greatest security measures is that the IT staff shouldn't know the password(s) of any of the employees in the company! It is solely the responsibility of each employee to remember (and not give away) his/her password(s). So how do you manage it, then?

Easy: for each application/system you will have a management console which allows certain IT staff (not all should have this privilege) to unlock and/or reset the passwords of the employees. Once reset (say to 1234512345), the employee will be forced by the system on next logon to change his password by providing the old password (given by IT, which is 1234512345) and then providing a new password and confirming it. An example is Windows passwords (Active Directory). When the user's account is locked out or the employee complains that he/she has forgotten his/her password, IT staff will search Active Directory for that employee's user object and unlock/reset his password.
 
LVL 2

Accepted Solution

by:
LifeN-Ti earned 500 total points
ID: 38824489
Hi,
Firstly, I definitely agree with the above. However, in some cases, like when you manage tens/hundreds/thousands of clients and require their credentials to make updates/changes/etc., remembering them becomes a bit less practical, ha. However, there are some easy and secure solutions (best by far is the second, under edit):

Using files in that manner is something we usually try to avoid, as they are easily stolen if your computer is breached, hidden or not. If you require access to those passwords on the web/remotely, I would recommend TeamPass, which thus far has worked fantastically for us on our internal/LAN server.

http://www.teampass.net/

It stores the passwords encrypted with a random key and AES-256 encryption; your team can log in and look up passwords for anything, or add/modify/etc. It's very easy to use. If possible I would recommend putting it on a local/LAN server and setting up a VPN so your team can access it remotely while keeping it off the public web; however, it is pretty secure, so as long as you keep to good password habits for each user, even if it's on a public network you can still have confidence that it's safe. I would still recommend taking extra measures like naming the folder something off so it's not easily guessed/found, and even protecting it with htpasswd or something of the like. But always remember that storing passwords on a web server can be extremely risky, especially if you're unsure what you're doing as far as server security and so on, and even when you do, it's public. If you could put TeamPass on a LAN, non-public, internet-connected server and then VPN into it, that's the way to go, as it is much more secure. If you have any questions just post back! :) Good luck!

/edit/
(This is probably the BEST solution.) Another solution we also actively use is similar to your method above, just storing them in a file on your computer. You can keep to that while making it MUCH, MUCH more secure by using TrueCrypt:
http://www.truecrypt.org/

TrueCrypt is honestly one of the best solutions out there for storing things securely. You can create an encrypted file container and name it .jpg or whatever you'd like; then you just "mount" the file using TrueCrypt and your credentials (password, certificate, etc.) and it mounts the container as a drive, i.e. you would mount it and it becomes the "M" drive, where you can simply copy files into it, edit them on it, save them on it, take them off it, etc., then just unmount. TrueCrypt is one of the best encryption solutions available and is extremely secure, giving you the ability to use multiple algorithms on top of one another to get the best possible encryption, above and beyond what is typical. Even if the file container is stolen or retrieved by anyone, they probably won't be able to decipher what it is or how to open it, and even if they opened up TrueCrypt they wouldn't be able to get in without your password or certificate or however you secure it. The great thing with TrueCrypt is there is no sure way to tell if it's a TrueCrypt container, so even if they were guessing they wouldn't know if that's what it was; when a password is entered incorrectly it gives the same message as if you're trying to open a normal JPEG or any (non-TrueCrypt-container) file. I would highly recommend this if you just need the passwords on your local network, as you can just store the file anywhere on your computer and rest assured it can't be broken by renaming the file etc.

Again, any questions just post back, but I would encourage TrueCrypt as the safest/best solution available, and alternatively, if you require access to your passwords remotely, you could use TeamPass. Although the best solution in that case as well would be setting up a VPN you could tunnel into and then just access the TrueCrypt container/file and mount it remotely on whatever computer you're on. Take care!

http://www.truecrypt.org/docs/?s=tutorial (TrueCrypt beginner tutorial/quick start guide)
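Two claims in the replies above are worth checking against the bytes rather than the file name: renaming a workbook to thumbs.jpg (first reply) changes nothing inside the file, and a TrueCrypt container (accepted solution) has the opposite property, no recognisable header at all. The following added example is mine, not code from the thread or from TrueCrypt/TeamPass. It identifies a file from its leading bytes with a magic-number table and, for headerless data, a Shannon-entropy check. The signatures are public facts; the sample inputs are constructed, not real files.

```python
"""Added example (not from the thread or from any tool it names): sniff a
file's real type from its leading bytes, ignoring the extension. Renaming
changes the icon and nothing else; the bytes inside still say "Excel".
Sample inputs at the bottom are constructed.
"""
import math
import os
from collections import Counter

# Magic numbers of a few common formats (public facts).
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (.xls/.doc; also the wrapper of password-encrypted Office files)",
    b"PK\x03\x04": "ZIP archive (.xlsx/.docx and other OOXML files)",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF": "PDF document",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(head: bytes) -> str:
    """Classify a file from its first few KiB."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    # No known signature. Near-uniform bytes are what encrypted or compressed
    # data looks like; an encrypted container has no header to recognise, so a
    # bytes-only check can flag it but never positively identify it.
    if shannon_entropy(head) > 7.5:
        return "unknown: high-entropy data (encrypted or compressed?)"
    return "unknown"


def identify_file(path: str, sample: int = 4096) -> str:
    """Read the first `sample` bytes of a real file and classify them."""
    with open(path, "rb") as f:
        return identify(f.read(sample))


# Constructed sample inputs (not real files).
XLS_RENAMED_TO_JPG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504)  # what "thumbs.jpg" really is
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(500)
ENCRYPTED_CONTAINER = os.urandom(4096)  # stands in for a TrueCrypt-style volume

if __name__ == "__main__":
    samples = [("thumbs.jpg", XLS_RENAMED_TO_JPG),
               ("photo.jpg", REAL_JPEG),
               ("holiday.jpg", ENCRYPTED_CONTAINER)]
    for label, blob in samples:
        print(f"{label:12s} -> {identify(blob)}")
```

Run it as a script to see the three constructed samples classified, or call identify_file(path) on real files. The 7.5 bits-per-byte threshold is a heuristic: compressed archives and images trip it as readily as encrypted volumes, which is exactly why an encrypted container can only be flagged as "not a normal document", never positively identified, and also why a renamed plaintext workbook is spotted instantly.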
 
LVL 1

Author Comment

by:kjuliff
ID: 38824656
@Kostasp thank you for sharing your ideas with us, but this option is not really what I am trying to accomplish.

@Mutawadi I don't think you understood correctly what I asked. I need a password management solution for the IT Department (switch logins, routers, DB admins, online accounts on service providers' websites, e.g. web hosting portal, etc.). I don't care about AD users or regular employees.

@LifeN-Ti What I am looking for is a solution like TeamPass. A web server on the management VLAN and a few security layers on top will be perfect for me. Using the demo version from their website I noticed an "import" option; I was wondering, is there any option to export to CSV? Do you know any other solutions like TeamPass? Thank you!
 
LVL 27

Expert Comment

by:Tolomir
ID: 38824667
We use KeePass to handle our passwords. Our department KeePass safe is on a network folder.

KeePass is open source and secure, and multi-OS compatible (Linux, macOS, Windows, mobile devices). You don't get centralized password management though.

Feature list:

Strong Security
Multiple User Keys
Portable and No Installation Required, Accessibility
Export To TXT, HTML, XML and CSV Files
Import From Many File Formats
Easy Database Transfer
Support of Password Groups
Time Fields and Entry Attachments
Auto-Type, Global Auto-Type Hot Key and Drag&Drop
Intuitive and Secure Clipboard Handling
Searching and Sorting
Multi-Language Support
Strong Random Password Generator
Plugin Architecture
Open Source!
 
LVL 2

Expert Comment

by:LifeN-Ti
ID: 38824685
Hi kjuliff,
I see, good then! We are on the same page, as that's exactly what we were looking for. I have a background in network security and encryption, so I was pretty picky and can assure you I went over tens and tens of systems available online, and TeamPass came out on top, so I'd say that's one of the best, of course solely in my opinion :) A lot of the systems out there did not provide the best encryption, or had reported exploits, etc. There are some other options which are paid but beyond layout not much different; let me see if I can pull up my list from the past and I will let you know pretty soon here :)

As for exporting, I think you could, but it had to be done on a per-folder basis or something like that (for us we have a Clients folder, Internal, etc., each with sub-folders within for each client/etc., then the info for each system within that, so the organization is good). Logging is fantastic, as you can see exactly who looked at, edited, added, etc. everything. But back to exporting: I'll jump in and check in a few here and post back shortly!

One thing with TeamPass that threw me off for a few was that the initial Admin account cannot view passwords, as it's meant to be just for managing the system and users. So if you go with the system, when you first log in don't worry that the passwords area isn't showing anything; you just need to create a manager (or standard) user to view/edit/add/etc. passwords.

But overall we have been extremely satisfied with it: simple, easy and secure for everyone. If you're putting it on a VPN that's perfect; if you want an extra layer of protection you can toss on an htpasswd or something of that sort. Let me check out that stuff above and I will get back to you shortly!

And KeePass is good as well, but like you we required a PHP/web-based solution for the centralized management :)
 
LVL 27

Expert Comment

by:Tolomir
ID: 38824702
Interesting, KeePass even confuses spyware like keyloggers:

http://keepass.info/help/v2/autotype_obfuscation.html

preventing them from capturing the correct password.


Does TeamPass come with any malware countermeasures?
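The obfuscation Tolomir links to (KeePass's Two-Channel Auto-Type Obfuscation) splits the secret between two channels, keystrokes and the clipboard, and uses cursor keys so that even the typed part arrives out of order. The following added example is mine, a simplified model and not KeePass's own code; the chunking rule and the choice of which chunks are pasted are its own assumptions. It simulates the target text field and a keystroke logger side by side, so you can see what each ends up with.

```python
"""Added example (not from the thread, not KeePass code): a simplified model
of two-channel auto-type obfuscation. The secret is cut into chunks; even
chunks are typed key by key, odd chunks travel via the clipboard (Ctrl+V),
and Left-arrow presses move the caret so chunks are entered out of order.
A keystroke logger sees typed characters, Ctrl+V and cursor keys, never the
clipboard content. The chunking rule below is this example's own choice.
"""
import random
import secrets


class TextField:
    """Minimal model of the target input box: a buffer plus a caret position."""

    def __init__(self) -> None:
        self.buf = ""
        self.caret = 0

    def insert(self, text: str) -> None:
        self.buf = self.buf[:self.caret] + text + self.buf[self.caret:]
        self.caret += len(text)

    def left(self, n: int) -> None:
        self.caret = max(0, self.caret - n)


def split_chunks(secret: str, rng: random.Random) -> list:
    """Cut the secret at random positions into 2..5 chunks (1 if it is a single char)."""
    if len(secret) < 2:
        return [secret]
    n_cuts = rng.randint(1, min(len(secret) - 1, 4))
    cuts = sorted(rng.sample(range(1, len(secret)), n_cuts))
    bounds = [0] + cuts + [len(secret)]
    return [secret[a:b] for a, b in zip(bounds, bounds[1:])]


def obfuscated_autotype(secret: str, rng: random.Random = None):
    """Enter `secret` into a TextField the obfuscated way.

    Returns (field contents, keylogger transcript as a list of events,
    number of clipboard pastes). Events are single typed characters or tags
    such as '<Ctrl+V>' and '<Left x3>'.
    """
    rng = rng or secrets.SystemRandom()
    field = TextField()
    keylog = []
    pastes = 0
    chunks = split_chunks(secret, rng)
    # Enter chunks last-to-first; after each one move the caret back to the
    # start of the field so the next chunk lands in front of it. The field
    # therefore ends up holding the chunks in their original order.
    for idx in range(len(chunks) - 1, -1, -1):
        chunk = chunks[idx]
        if idx % 2 == 0:
            keylog.extend(chunk)          # every key press is visible to the logger
        else:
            keylog.append("<Ctrl+V>")     # the paste is visible, its content is not
            pastes += 1
        field.insert(chunk)
        keylog.append(f"<Left x{len(chunk)}>")
        field.left(len(chunk))
    return field.buf, keylog, pastes


def typed_characters(keylog: list) -> str:
    """What a logger that records only printable key presses would reconstruct."""
    return "".join(e for e in keylog if not e.startswith("<"))


def demo(secret: str = "Tr0ub4dor&3", seed: int = 2013):
    """Deterministic run for inspection; real use passes no rng (SystemRandom)."""
    return obfuscated_autotype(secret, random.Random(seed))


if __name__ == "__main__":
    got, log, n = demo()
    print("field received :", got)
    print("keylogger saw  :", " ".join(log))
    print("typed-only view:", typed_characters(log), f"({n} clipboard pastes)")
```

demo() runs with a fixed seed so the output is reproducible. The transcript also shows the honest limit of the technique: a logger that additionally reads the clipboard, hooks the paste, or grabs the screen still gets everything, so this defeats plain keystroke loggers and nothing more.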
 
LVL 2

Expert Comment

by:LifeN-Ti
ID: 38824727
Some different web-based password managers, as I mentioned above:

PHP Password Manager
http://sourceforge.net/projects/ppma/
Decent, but not as strong encryption as TeamPass.

Clipperz Community Edition
http://www.clipperz.com/open_source/clipperz_community_edition
This is a new one that looks pretty interesting; one downside is 128-bit encryption instead of 256.

LastPass (hosted [not self-hosted])
https://lastpass.com/features_compare.php
I've heard decent things about this one; however, I was always wary of storing sensitive data on servers that were not my own.

PassPack (hosted [not self-hosted])
http://www.passpack.com/en/home/
If you don't mind storing on a different server, I'd say PassPack is far better than LastPass as shown above, with a ton of security options and pretty cheap; however, as mentioned above, we just wanted it on our own internal servers :)

WebPasswordSafe
http://code.google.com/p/webpasswordsafe/
This one I remember looking into; it looks nice, a bit more polished, however I do not recall being able to find the encryption strength/methods.

-------------------------

I took out a few that had really bad encryption or exploits. We ended up on TeamPass just due to the security and features vs. others; however, the layout looks a bit dated, haha, but being open source you can always change the look and theme around however you'd like. In the end, though, it just comes down to what you're most comfortable with and like the most :) Let me know if you have any questions!

/edit/
@Tolomir - Yeah, I definitely liked that feature, but as I believe in this case we wanted a web-based solution we could place on a server and access remotely and securely vs. localized storage :) As for the question: since TeamPass is a web app it does not, beyond advanced PHP/SQL security measures, but it does not necessarily need to either, at least not as much as a Windows/local app where everything is stored on the computer which is infected (vs. on a server which is not). Malware on a server/website is not really an issue, especially when on an internal VPN; it's more of a shared-server type scenario, and server security usually can thwart that easily enough.

Most malware targets specific processes/apps (whereas this is essentially a website; nothing is stored on the computer itself beyond the URL and, if someone chose to save it, the password, which still doesn't give the other end of the malware access), i.e. FTP programs/password managers/etc. which are locally installed, to try to snag the stored credentials. Yes, some malware (but this is more of a virus/trojan trait) may target your web history and what you type into the browser, but those are much more invasive and more easily stopped by a good virus scanner and firewall. All in all, though, it doesn't matter if you store TeamPass on an internal server, as even if someone got the URL and credentials to log in, they wouldn't be able to access it because they're not on that internal network :)
 
LVL 1

Author Comment

by:kjuliff
ID: 38824750
@LifeN-Ti sounds really close to what I need! Tomorrow I'll set up a virtual Linux box and will give it a shot; till then I'll wait for your updates! :) tnx!

@Tolomir KeePass sounds great if there is just one user involved, but in my case, where I have to give different permissions to a few more people, it will not do the job, but thank you for your post.
 
LVL 27

Expert Comment

by:Tolomir
ID: 38824773
You can create a master container and export a named user tree from it. The receiver can import that tree and overwrite the old passwords. We use this especially for vacation replacements.

In case you change passwords weekly or even daily, or have to support a larger user group, of course a multi-user solution is the faster way.

---
Btw. I use LastPass for my personal passwords. There is a huge benefit when you work on several machines, with different accounts and locations. LastPass supports Google Authenticator, so you can access it via your mobile phone and one-time passwords.

Tolomir
 
LVL 53

Expert Comment

by:McKnife
ID: 38824804
Also have a look at Password Manager Pro: http://www.manageengine.com/products/passwordmanagerpro/
It can, for example, use the present domain structure for ACLs on passwords.
 
LVL 1

Author Comment

by:kjuliff
ID: 38824956
@LifeN-Ti it looks like WebPasswordSafe is using the Jasypt encryption library. As I said, tomorrow I'll give KeepPass a shot. I will leave this thread open till tomorrow. Tnx! :)

Thank you all for your feedback!
 
LVL 2

Expert Comment

by:LifeN-Ti
ID: 38824980
Ahh, good catch, yeah that's lesser than straight-up AES-256 and doesn't handle data as well, but right on and sounds good! If you have any questions or issues tomorrow just holler; I'll keep an eye out! No problem and good luck!
 
LVL 27

Expert Comment

by:Tolomir
ID: 38825004
It's KeePass

http://www.keepass.info

There is payware and malware around misusing the good name of KeePass.

[Edit] Even if that is not the question: using Excel to manage passwords is a huge security risk. [/edit] Security by obscurity is NO excuse.

Tolomir
 
LVL 1

Author Comment

by:kjuliff
ID: 38825562
[Edit] I meant Teampass :)
 
LVL 6

Expert Comment

by:mo_patel
ID: 38826256
We use Excel, Excel 2010 or above, as it uses proper encryption, so even if someone manages to copy it, unless they have a supercomputer and loads of time it's going to take forever to brute force if your password is a combination of letters, numbers and special characters.

Lastly, just enable Windows auditing on it so Event Viewer logs everything.

Using something like LogParser you can export into SQL and create queries to schedule reports on user access.
 
LVL 27

Expert Comment

by:Tolomir
ID: 38826296
@mo_patel,

It's not just access security; a real password manager grants you a lot more features, like password creation, tree structure, password history, clipboard security.
 
LVL 6

Expert Comment

by:mo_patel
ID: 38826414
@Tolomir

I agree, a true password manager allows much more, but if you're looking for something easy and simple in terms of protecting the password list, Excel encryption is just as good in 2010 products and above, and enabling Windows auditing will give you history.

I have tried brute-force attacks and trust me, unless you have a super-duper computer you can't get in.

No point in over-complicating..........
 
LVL 2

Expert Comment

by:LifeN-Ti
ID: 38828500
@mo_patel,
To the contrary, excel protection is extremely easy to get around and that includes 2010+, they are a huge target due to the market share and within a year of any release I can almost guarantee public exploits or macros are out, for example there is a macro available from The Office Experts website which will reset the protection and allow you to create a new password, sure it does not leak the password or brute force but it does allow full access to the protected workbook in a matter of minutes with very little effort essentially resetting the password, there are many other exploits which I know of which do similar things - none crack the password exactly but they do get around it fairly easily. Excel isn't the best for extremely sensitive information for various reasons, one of which is their macro capabilities where you can pretty much hack around anything within given you know what you're doing. Give it a shot yourself, check out the office experts or just google and you'll find plenty of ways around it, I won't post the links here for obvious reasons. Take care,

/edit/
And it is susceptible to brute force, SmartKey/etc I've seen recover passwords easily, just those are more time consuming when there are tens if not hundreds of macros and tools you can use to instantly get around it. Nothing is fully bulletproof of course, however those programs like Excel with such a large target are generally the easiest to get around due to the accessibility of tools and macros and described above, especially when it's something you can nab easily (a file) and work on wherever/whenever/etc. Instead of having to worry about people who actually know what they're doing you have to worry about the teenage kid and just about anyone who can Google and break it within minutes. May want to look into swapping to a program (like KeePass as Tolomir mentioned) or otherwise which is focused on encryption, not spreadsheets ;)

We went a little off topic here, sorry kjuliff haha - good luck installing and getting all setup just post back if you have any issues!
0
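The two sides of the Excel argument above are talking about different mechanisms. Worksheet/workbook protection, the thing the "reset protection" macros defeat, stores only a 16-bit verifier of the password, and Excel accepts any password that produces the same verifier. File-level "Encrypt with Password" (what mo_patel describes) is a separate mechanism that encrypts the file with a key derived from the password, and the macro trick does not apply to it. The following added example is mine, not from the thread; it implements the verifier derivation as published for binary Office documents (MS-OFFCRYPTO, "Method 1", reproduced from memory, so treat the exact constants as an assumption) and searches for a colliding password. The argument only needs the output size.

```python
"""Added example (not from the thread): why 'reset the sheet protection'
macros work. Excel sheet/workbook protection keeps a 16-bit verifier of the
password, not the password and not an encryption key, and accepts any string
with the same verifier. The derivation below follows MS-OFFCRYPTO 2.3.7.1
("Method 1") as recalled here; treat the constants as an assumption. This is
NOT the file-level "Encrypt with Password" feature, which is a different,
key-derivation-based mechanism.
"""
import itertools
import string


def excel_sheet_hash(password: str) -> int:
    """16-bit password verifier used by Excel sheet/workbook protection."""
    h = 0
    for byte in reversed(password.encode("latin-1", "replace")):
        h = ((h << 1) & 0x7FFF) | (h >> 14)   # rotate left within 15 bits
        h ^= byte
    return (h ^ len(password) ^ 0xCE4B) & 0xFFFF


def find_collision(target: int, length: int, exclude: str = "",
                   alphabet: str = string.ascii_letters + string.digits):
    """First string of `length` chars over `alphabet` whose verifier is `target`.

    Returns (candidate, tries); candidate is None if nothing in the searched
    space matches. At most 62**length candidates, a few hundred thousand
    hash computations for length 3, i.e. well under a second.
    """
    tries = 0
    for chars in itertools.product(alphabet, repeat=length):
        cand = "".join(chars)
        tries += 1
        if cand != exclude and excel_sheet_hash(cand) == target:
            return cand, tries
    return None, tries


if __name__ == "__main__":
    original = "abc"
    h = excel_sheet_hash(original)
    other, tries = find_collision(h, len(original), exclude=original)
    print(f"verifier of {original!r}: 0x{h:04X}")
    print(f"{other!r} has the same verifier after {tries} tries; "
          "Excel would accept it as the sheet password")
```

With only 65,536 possible verifiers, a colliding password turns up after at most a few tens of thousands of tries, which is why the classic VBA loop "unprotects" any sheet in seconds without ever learning the real password. The same code also shows what such a value is not: it is a check value, not encryption, so it never protected the cell contents in the first place.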
 
LVL 1

Author Closing Comment

by:kjuliff
ID: 38829563
It seems that TeamPass almost meets my needs.
Thank you again guys for your feedback!
 
LVL 2

Expert Comment

by:LifeN-Ti
ID: 38829585
Glad I could help! Any questions, just holler. The good thing with TeamPass is that, being open source, you can modify or add to it however you'd like without too much trouble. Good luck & take care!