kjuliff asked:

How does your IT team keep track of passwords?

Hi guys!

What is the best way, from your point of view, to manage passwords in a company?
I really don't like the idea of having a Word/Excel document with its specific permissions, or one password for everything.

I need something where I can categorize permissions, use forms and, most important, that is secure.
Alexios Valonasis:

Hi
We use a hidden Excel file with an irrelevant name like "thumbs", and we have removed the original file extension, .xls.
So it is a file called thumbs.jpg

When we want to access it we just "spend" one more mouse click...

Nowadays many would-be "hackers" exist on our networks...

For me, the simplest way is sometimes the best.

Hope that gives you an idea.
Keep track of employees' passwords, you mean?

You don't need that. One of the greatest security measures is that IT staff shouldn't know the password(s) of any of the employees in the company! It is solely the responsibility of each employee to remember (and not give away) his/her password(s). So how do you manage it, then?

Easy: for each application/system you will have the management console, which will allow certain IT staff (not all should have this privilege) to unlock and/or reset the passwords of the employees. Once reset (say to 1234512345), the employee will be forced by the system on next logon to change his password by providing the old password (given by IT, which is 1234512345) and then providing a new password and confirming it. An example is Windows passwords (Active Directory). When the user's account is locked out or the employee complains that he/she has forgotten his/her password, IT staff will search Active Directory for that employee's user object and unlock/reset his password.
ASKER CERTIFIED SOLUTION
LifeN-Ti
kjuliff (ASKER):
@Kostasp thank you for sharing your ideas with us, but this option is not really what I am trying to accomplish.

@Mutawadi I don't think you understood correctly what I asked. I need a password management solution for the IT department (switch logins, routers, DB admins, online accounts on service providers' websites, e.g. web hosting portal, etc.). I don't care about AD users or regular employees.

@LifeN-Ti What I am looking for is a solution like TeamPass. A web server on the management VLAN with a few security layers on top will be perfect for me. Using the demo version from their website I noticed an "import" option, and was wondering whether there is any option to export to CSV? Do you know any other solutions like TeamPass? Thank you!
We use KeePass to handle our passwords. Our department KeePass safe is on a network folder.

KeePass is open source and secure, and multi-OS compatible (Linux, macOS, Windows, mobile devices). You don't get centralized password management, though.

Feature list:

Strong Security
Multiple User Keys
Portable and No Installation Required, Accessibility
Export To TXT, HTML, XML and CSV Files
Import From Many File Formats
Easy Database Transfer
Support of Password Groups
Time Fields and Entry Attachments
Auto-Type, Global Auto-Type Hot Key and Drag&Drop
Intuitive and Secure Clipboard Handling
Searching and Sorting
Multi-Language Support
Strong Random Password Generator
Plugin Architecture
Open Source!
Hi kjuliff,
I see, good then! We are on the same page, as that's exactly what we were looking for. I have a background in network security and encryption, so I was pretty picky, and I can assure you I went over tens and tens of systems available online and TeamPass came out on top, so I'd say that's one of the best, of course solely in my opinion :) A lot of the systems out there did not provide the best encryption, or had reported exploits, etc. There are some other options which are paid, but beyond layout not much different; let me see if I can pull up my list from the past and I will let you know pretty soon here :)

As for exporting, I think you could, but it had to be done on a per-folder basis or something like that (for us, we have a Clients folder, Internal, etc., each with sub-folders within for each client/etc., then the info for each system within that, so the organization is good). Logging is fantastic, as you can see exactly who looked at, edited, added, etc. everything. But back to exporting: I'll jump in and check in a few here and post back shortly!

One thing with TeamPass that threw me off for a few was that the initial Admin account cannot view passwords, as it's meant to be just for managing the system and users, so if you go with the system, when you first log in don't worry that the passwords area isn't showing anything. You just need to create a manager (or standard) user to view/edit/add/etc. passwords.

But overall we have been extremely satisfied with it: simple, easy and secure for everyone. If you're putting it on a VPN that's perfect; if you want an extra layer of protection you can toss on an htpasswd or something of that sort. Let me check out that stuff above and will get back to you shortly!

And KeePass is good as well, but like you we required a PHP/web-based solution for the centralized management :)
Interesting, KeePass even confuses spyware like keyloggers:

http://keepass.info/help/v2/autotype_obfuscation.html

preventing them from capturing the correct password.


Does TeamPass come with any malware countermeasures?
Some different web based password managers as I mentioned above:

PHP Password Manager
http://sourceforge.net/projects/ppma/
Decent, but not as strong encryption as TeamPass

Clipperz Community Edition
http://www.clipperz.com/open_source/clipperz_community_edition
This is a new one that looks pretty interesting; one downside is 128-bit encryption instead of 256.

LastPass (hosted [not self hosted])
https://lastpass.com/features_compare.php
This one I've heard decent things about, however I was always wary of storing sensitive data on servers that were not my own.

PassPack (hosted [not self hosted])
http://www.passpack.com/en/home/
If you don't mind storing on a different server I'd say PassPack is far better than LastPass as shown above: a ton of security options and pretty cheap. However, as mentioned above, we just wanted it on our own internal servers :)

WebPasswordSafe
http://code.google.com/p/webpasswordsafe/
This one I remember looking into; it looks nice, a bit more polished, however I do not recall being able to find the encryption strength/methods.

-------------------------

I took out a few that had really bad encryption or exploits. We ended up on TeamPass just due to the security and features vs. others, however the layout looks a bit dated haha, but being open source you can always change the look and theme around however you'd like. In the end, though, it just comes down to what you're most comfortable with and like the most :) Let me know if you have any questions!

/edit/
@Tolomir - Yea, I definitely liked that feature, but as I believe in this case we wanted a web-based solution we could place on a server and access remotely and securely vs. localized storage :) As for the question: since TeamPass is a web app it does not have much beyond advanced PHP/SQL security measures, but it does not necessarily need to either, at least not as much as a Windows/local app where everything is stored on the computer which is infected (vs. on a server which is not). Malware on a server/website is not really an issue, especially when on an internal VPN; that is more of a shared-server type scenario, and server security usually can thwart that easily enough.

Most malware targets specific processes/apps (whereas this is essentially a website; nothing is stored on the computer itself beyond the URL and, if someone chose to save the password, which still doesn't give the other end of the malware access), i.e. FTP programs/password managers/etc. which are locally installed, to try to snag the stored credentials. Yes, some malware (but this is more of a virus/trojan trait) may target your web history and what you type into the browser, but those are much more invasive and more easily stopped by a good virus scanner and firewall. All in all, though, it doesn't matter if you store TeamPass on an internal server, as even if someone got the URL and credentials to log in, they wouldn't be able to access it because they're not on that internal network :)
kjuliff (ASKER):

@LifeN-Ti sounds really close to what I need! Tomorrow I'll set up a virtual Linux box and will give it a shot; till then I'll wait for your updates! :) thanks!

@Tolomir KeePass sounds great if there is just one user involved, but in my case, where I have to give different permissions to a few more people, it will not do the job. But thank you for your post.
You can create a master container and export a named user tree from it. The receiver can import that tree and overwrite the old passwords. We use this especially for vacation replacements.

In case you change passwords weekly or even daily, or have to support a larger user group, of course a multiuser solution is the faster way.

---
Btw. I use LastPass for my personal passwords. There is a huge benefit when you work on several machines, with different accounts and locations. LastPass supports Google Authenticator, so you can access it via your mobile phone and one-time passwords.

Tolomir
Also have a look at password manager pro: http://www.manageengine.com/products/passwordmanagerpro/
It can, for example, use the present domain structure for ACLs on passwords.
kjuliff (ASKER):

@LifeN-Ti it looks like WebPasswordSafe is using the Jasypt encryption library. As I said, tomorrow I'll give KeePass a shot. I will leave this thread open till tomorrow. Thanks! :)

Thank you all for your feedback!
Ahh, good catch, yea that's lesser than straight-up AES-256 and doesn't handle data as well, but right on, and sounds good! If you have any questions or issues tomorrow just holler; I will keep an eye out! No problem and good luck!
It's KeePass:

http://www.keepass.info

There is payware and malware around misusing the good name of KeePass.

[Edit] Even if that is not the question: using Excel to manage passwords is a huge security risk. [/edit] Security by obscurity is NO excuse.

Tolomir
kjuliff (ASKER):

[Edit] I meant TeamPass :)
We use Excel, Excel 2010 or above, as it uses proper encryption, so even if someone manages to copy it, unless they have a supercomputer and loads of time, it's going to take forever to brute force it if your password is a combination of letters, numbers and special characters.

Lastly, just enable Windows auditing on it so Event Viewer logs everything.

Using something like LogParser you can export into SQL and create queries to schedule reports on user access.
@mo_patel,

It's not just access security; a real password manager grants you a lot more features, like password creation, tree structure, password history, clipboard security.
@Tolomir

I agree, a true password manager allows much more, but if you're looking for something easy and simple in terms of protecting the password list, Excel encryption is just as good in 2010 products and above, and enabling Windows auditing will give you history.

I have tried brute force attacks and trust me, unless you have a super duper computer you can't get in.

No point in over-complicating..........
@mo_patel,
To the contrary, Excel protection is extremely easy to get around, and that includes 2010+. They are a huge target due to the market share, and within a year of any release I can almost guarantee public exploits or macros are out. For example, there is a macro available from The Office Experts website which will reset the protection and allow you to create a new password; sure, it does not leak the password or brute force it, but it does allow full access to the protected workbook in a matter of minutes with very little effort, essentially resetting the password. There are many other exploits which I know of which do similar things; none crack the password exactly, but they do get around it fairly easily. Excel isn't the best for extremely sensitive information for various reasons, one of which is its macro capabilities, where you can pretty much hack around anything within, given you know what you're doing. Give it a shot yourself: check out The Office Experts or just Google and you'll find plenty of ways around it. I won't post the links here for obvious reasons. Take care,

/edit/
And it is susceptible to brute force; SmartKey etc. I've seen recover passwords easily, just those are more time consuming when there are tens if not hundreds of macros and tools you can use to instantly get around it. Nothing is fully bulletproof, of course, however programs like Excel with such a large target are generally the easiest to get around due to the accessibility of tools and macros as described above, especially when it's something you can nab easily (a file) and work on wherever/whenever. Instead of having to worry about people who actually know what they're doing, you have to worry about the teenage kid and just about anyone who can Google and break it within minutes. You may want to look into swapping to a program (like KeePass, as Tolomir mentioned) or otherwise which is focused on encryption, not spreadsheets ;)

We went a little off topic here, sorry kjuliff haha. Good luck installing and getting all set up; just post back if you have any issues!
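Editor's added example, not code from the thread or from Microsoft, to put numbers on the brute-force argument in the two posts above. The "supercomputer" claim only applies to Excel's file-level "Encrypt with Password" feature, which in Office 2010 and later uses the "Agile" encryption scheme from MS-OFFCRYPTO (by default AES-128, with the password stretched through 100,000 SHA-1 iterations). Worksheet or workbook "protection" (the "Protect Sheet" password) is a different mechanism that encrypts nothing, and it is what the macro-based resets mentioned above target; the example covers only the encrypted-file case. The script reimplements the password-to-key derivation and runs a small dictionary attack against a constructed test vector, then extrapolates the measured time per guess to a full keyspace. The hash order, the 0x36 padding byte and the 8-byte block-key constant are reproduced from the spec from memory and should be checked against MS-OFFCRYPTO before relying on exact key values; the salt, password and wordlist are constructed here, and comparing the derived key directly stands in for the verifier-hash check a real cracking tool performs, which costs about the same per guess.

```python
import hashlib
import struct
import time

# Office 2010 defaults for Agile encryption (assumption: per MS-OFFCRYPTO;
# Office 2013+ moved to SHA-512 / AES-256 with the same spin count).
SPIN_COUNT = 100_000
HASH_ALG = "sha1"
KEY_BITS = 128
# Block key mixed in when deriving the key that wraps the intermediate key
# (constant as recalled from MS-OFFCRYPTO; verify against the spec).
BLOCK_KEY_ENCRYPTED_KEY_VALUE = bytes([0x14, 0x6E, 0x0B, 0xE7, 0xAB, 0xAC, 0xD0, 0xD6])


def agile_password_key(password, salt, spin_count=SPIN_COUNT, hash_alg=HASH_ALG,
                       key_bits=KEY_BITS, block_key=BLOCK_KEY_ENCRYPTED_KEY_VALUE):
    """Password -> AES key, the Agile way:
         H0   = H(salt || UTF-16LE(password))
         Hn   = H(LE32(n) || H(n-1))          for n = 0 .. spin_count-1
         Hfin = H(Hlast || blockKey), truncated (or 0x36-padded) to key_bits
    The spin loop is what makes each guess expensive: with spin_count=0 the
    derivation is a couple of hashes and guessing is ~10^5 times faster."""
    h = hashlib.new(hash_alg, salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.new(hash_alg, struct.pack("<I", i) + h).digest()
    final = hashlib.new(hash_alg, h + block_key).digest()
    key_len = key_bits // 8
    return (final + b"\x36" * key_len)[:key_len]


def dictionary_attack(target_key, salt, wordlist, spin_count=SPIN_COUNT):
    """Try each candidate in order. Returns (password or None, guesses, seconds).
    Comparing the derived key stands in for decrypting the verifier; same cost."""
    start = time.perf_counter()
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if agile_password_key(candidate, salt, spin_count) == target_key:
            return candidate, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def seconds_per_guess(spin_count=SPIN_COUNT, samples=3):
    """Measure one CPU core's cost of a single guess at the given spin count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        agile_password_key("benchmark-only", salt, spin_count)
    return (time.perf_counter() - start) / samples


def keyspace_seconds(per_guess, alphabet_size, length):
    """Worst-case single-core time to exhaust every password of exactly
    `length` characters drawn from an alphabet of `alphabet_size` symbols."""
    return per_guess * alphabet_size ** length


if __name__ == "__main__":
    salt = b"\x01" * 16                       # constructed; Office stores a random salt in the file
    target = agile_password_key("Summer2013", salt)   # constructed test vector
    # Constructed wordlist: a guessable password falls in a handful of guesses
    # no matter how high the spin count is.
    found, guesses, secs = dictionary_attack(target, salt, ["admin", "password", "Summer2013"])
    print(f"dictionary hit: {found!r} after {guesses} guesses in {secs:.2f}s")
    per = seconds_per_guess()
    print(f"{per * 1000:.1f} ms per guess on this core at spin count {SPIN_COUNT}")
    for length in (6, 8, 10):
        years = keyspace_seconds(per, 62, length) / (365 * 24 * 3600)
        print(f"  all {length}-char [A-Za-z0-9] passwords: {years:.3g} core-years")
    # Dropping the spin count shows how much of the cost is the stretching, not the hash.
    print(f"{seconds_per_guess(spin_count=0) * 1e6:.0f} us per guess with no spinning")
```

The takeaway is that the stretching buys time only against exhaustive search of a long random password; a dictionary or pattern attack on a human-chosen password finishes in a few guesses regardless, and a GPU cracker runs the same SHA-1 loop several orders of magnitude faster than this pure-Python loop, so the "core-years" printed here are an upper bound, not a guarantee.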
kjuliff (ASKER):

It seems that TeamPass almost meets my needs.
Thank you again guys for your feedback!
Glad I could help! Any questions, just holler. The good thing with TeamPass is that, being open source, you can modify or add to it however you'd like without too much trouble. Good luck & take care!