Forgot your password?
typodupeerror
Security Cloud Open Source Software

Ask Slashdot: Open Source Multi-User Password Management? 198

Posted by timothy
from the login-admin-password-blank dept.
An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Open Source Multi-User Password Management?

Comments Filter:
  • by Hamsterdan (815291) on Friday May 11, 2012 @11:59PM (#39976273)

    It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)

    • by Anonymous Coward

      If only there was +1 sad..

    • by jtownatpunk.net (245670) on Saturday May 12, 2012 @12:21AM (#39976419)

      I once had a job where the list was kept on a printed page stored in a locked filing cabinet (no, it wasn't in the basement).

      • by Anonymous Coward on Saturday May 12, 2012 @12:39AM (#39976507)

        Was it in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?

      • by History's Coming To (1059484) on Saturday May 12, 2012 @11:01AM (#39978809) Journal
        It's not a bad idea in principle, I have a client which has lots of outlets and each uses around 10 different login for various services, I supply them with a printout each month and they keep it locked in a safe at head office. There's also a little encryption on it to stop casual usage (the passwords aren't the real passwords, they've been altered using an algorithm that only two company directors know).

        Of course, a filing cabinet isn't the best option, Feynman proved this by breaking into many of them at Los Alamos and leaving little notes. Instead of changing the security systems the military put out a memo saying that Prof Feynman was not to be left alone with a filing cabinet.
    • by rwa2 (4391) *

      Heh, the best thing that I could come up with in a Wintel-centric environment was an encrypted zip file containing an excel spreadsheet. The master password would be periodically rotated and sent to people in an encrypted email.

      We had access to Keepass or something similar, but our management couldn't be bothered to install it from the depot :P

      • by rwa2 (4391) *

        Oh yeah, but it sucked because opening an excel spreadsheet in a zip file would cause it to be extracted to the temp dir first :P

      • by qubezz (520511) on Saturday May 12, 2012 @09:17AM (#39978269)

        It sounds like the asker is in an enterprise windows network. What you might use yourself is different from what you replace an Excel spreadsheet with on your company's network.

        I have deployed and administered Network Password Manager [sowsoft.com]. A bland name for a very good Windows-only password manager. It has a real client and server, AES encryption, lets you create a tree of passwords, and access control to different parts of the tree is done with active directory, meaning you can let an "accountants" and/or "bookkeepers" group in your directory have read-only access to a tree "financial passwords", and a "managers" group or particular users can have modify or admin access to those passwords. This means you can just update personnel changes in active directory instead of having another program where you must update rights for every user. On dismissal, you can review passwords that the user had access to and reset just those apps/sites. Individual users can also have their own tree for their convenience that nobody else can access, although If I recall, the system admin can see all passwords.

        This degree of rights control is very useful when you run several different programs on your own network with different user accounts, along with vendor account sites (ordering, financial, billing, shipping, etc.) where you have to bend to another company's account and password system, which might give your whole company only one or a few logins.

        For my own stuff, I have text files (both flat and encrypted), passworded Firefox password manager, and Blackberry Password Keeper. A $50 Blackberry (with no SIM card if you have something to hide) makes for a better password device than anything purpose-built you can buy; with encrypted disk storage, encrypted password storage, and no-touch USB backup, it is pretty secure - you can set it to wipe itself if a bad password is entered just three times, it can take different passwords to unlock the device vs getting to password keeper, you can install "decoy" password apps, and there are no biometrics that can bypass protection (showing it a picture of you, or using your removed fingers or eyeballs).

        • by Coren22 (1625475)

          NPM looks interesting, personally, I implemented Password Safe: http://passwordsafe.sourceforge.net/ [sourceforge.net] unfortunately, it does not handle multiple users, though I suppose you could have multiple files with different passwords and a master file with all the passwords.

    • We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you arent familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for at that I think has been rolled into mainlIne at this point. Certainly better than a plain text file on a shared drive!

      (tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)

      • by halfnerd (553515)

        Can you actually share a password with several users using phpchain? It seems to me like everyone only has access to their own passwords.

        • by forkazoo (138186)

          We just use a shared account for "engineering department (location XYZ)" passwords. You can also have an individual account if you want to have private passwords, and you could put the password for any shared phpChain accounts you need to access in your private phpChain account. We have it running on an internal server, rather then something exposed to the Internet, so the danger of a breach is minimal. (If anybody makes it that far, we are already hosed.) But, the passwords are all stored in an encrypte

      • We use phpchain at work for this sort of thing.

        Uhm. You are aware that using PHP for anything security related is like making a vault door out of lit sticks of dynamite, right?

        • by dave420 (699308)
          Incorrect.
          • It was a question, it therefore can not be incorrect.

            If you are referring to the questions assumptions, perhaps it would be better phrased as 'statistically, people who use php write horrible code from a security perspective, most of the time'.
            • 'statistically, people who use php write horrible code from a security perspective, most of the time'.

              True. However, it's also true that statistically, people who use C++ write horrible code from a security perspective, most of the time. And people who use Perl write horrible code from a security perspective, most of the time. And people who use Java, Python, COBOL, etc., write horrible code from a security perspective -- indeed, horrible code in general -- most of the time.

              There is not now, nor will ther

              • by Anguirel (58085)

                There is not now, nor will there ever be, a language in which it is difficult to write bad programs.

                Don't be silly... there are plenty of languages where it's difficult to write any program.

              • haha, good point. I'm glad you left c# out of it :)
        • by forkazoo (138186)

          Uhm. You are aware that using PHP for anything security related is like making a vault door out of lit sticks of dynamite, right?

          There is nothing inherently dangerous about PHP. But, the phoChain login page is secured behind a normal HTTP / Apache login. So, we have it set up so you have to be logged in as a valid user before you can even see the phpChain login page. It's also on an internal server, so it can't be accessed from the Internet. (Or, if you can, we have far greater security concerns to take

  • Wallet (Score:5, Informative)

    by tskirvin (125859) on Saturday May 12, 2012 @12:01AM (#39976287) Homepage

    Wallet [eyrie.org] is a Kerberos-based secret management tool. It works well for me.

    • by miknix (1047580)

      Gringotts [shlomifish.org] is a secure notes manager for Linux and other UNIX-like systems. I've been using it to store passwords for more than three years.

  • KeePassX (Score:5, Informative)

    by Anonymous Coward on Saturday May 12, 2012 @12:02AM (#39976299)

    KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.

    • Is it multi-user however?

      • KeePass 2 can be run on Mono and is multi-user for the databases - you all need the same password to decrypt the database however, but it does allow simultaneous shared access.

        • Re:Multi-user? (Score:5, Informative)

          by Kalidor (94097) on Saturday May 12, 2012 @02:06AM (#39976905) Homepage

          This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of use keep our own DB's with our more accountable user id's. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.

          As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OS's so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.

          I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increases the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.

          • Re: (Score:2, Informative)

            by Anonymous Coward

            This! KeePass2 on a shared drive

            You can go one better than a shared network drive by saving to a URL.
            Specifically, setup a subversion server with WebDAV enabled. This way you can always go back to an old version if your db gets corrupted in any way. Subversion hook scripts can be used for implementing a backup plan (we use one to sync our keepass svn repo to a read-only mirror on a remote site.) The apache ldap auth module can be used to control access (this is on top of the actual keepass db password)

          • I'd also have the no-install portable executable for windows there... I use this with dropbox for my own passwords...
          • by PingXao (153057)

            Good comment until you said "military grade encryption". There is no such thing and that term is typically used by those who aren't very knowledgable about security. Unfortunately this forces me to discount your opinion on the matter. KeePass2 may very well be a good solution for the problem at hand, but I'm going to need to find some other evidence for that, because whenever someone mentions "military grade encryption" I run away as fast as possible.

            • by Kalidor (94097)

              The main reason I mentioned it (but never really got into it) was because of a round up of password storage managers from a few weeks ago that all claimed "military grade" encryption, and all were trivial to compromise. I can't seem to locate the article now but KeePass was not included in this round up specifically cause it didn't try to lump itself into this category.

              I've been trying to rack my brain to remeber if there was an alternative suggestion section of the roundups, or if KeePass was mentioned.

          • by Dynedain (141758)

            KeePass2 is Windows-only (unless you really want to deal with Mono). The original version is now forked and maintained as KeePassX with OSX and Linux builds available, along with the source.

      • by Anonymous Coward

        And webscale. It has to be webscale.

    • by Anonymous Coward

      +1 for KeePass

      I started using it in 2009 and haven't looked back.

      It works great with my Ubuntu and Windows mix. I keep it on a USB drive.

      • Re: (Score:3, Interesting)

        I keep it on a USB drive.

        Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry USB pen drive.

        • by rvw (755107)

          I keep it on a USB drive.

          Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry USB pen drive.

          I keep a master keepass file at my laptop. When I change it, I copy it to my dropbox folder, and there I even make two copies, one to my shared folder, which is shared with my work dropbox account. That means it is synced to my work computer as well. At work I use a different keepass database, and copy that to the same shared folder. I even sync it to the phone via dropbox, but on the phone I rarely update dropbox files. That means I have an old version of the database there. That isn't a big problem though

    • by Rich0 (548339)

      My main issue with KeepassX is that it isn't capable of running solely with an extension or bookmarklet, which means that it won't work on every OS I have. I use Lastpass as a result, though I'd prefer something equivalent that is open-source...

    • Programs compatible with KeePassX (or ports of KeePassX) exist for pretty much everything: Windows, MacOS, Linux, BSD, Android, iOS but they often have slightly different names (e.g. the program I use on iOS is KyPass) which makes it seem less available than it is.
  • KeepassX in a Dropbox (or some similar sharing) folder works great. More secure encryption than Excel and better for the purpose.

    • by leuk_he (194174)

      Is it more secure?

      Isn't it the same as a excell sheet with a master password on it?

      (Ok, keepass is way cheaper than a excell sheet)

      • by Anonymous Coward

        Excel passwords are easy to crack, google for "advanced office password breaker".

      • by rvw (755107)

        Is it more secure?

        Isn't it the same as a excell sheet with a master password on it?

        (Ok, keepass is way cheaper than a excell sheet)

        I wouldn't know if it's more secure. Do you trust MS on this? Do they have a backdoor? Okay, keepass could have a backdoor as well.

        Keepass is better because it's designed for it. It has a password generation tool, and it has some handy options. You have a list of keys, possibly organized in folders. If you open a list, you can set KP to not display usernames and/or passwords. So if someone is looking over your shoulder, they cannot see your password. CTRL-C and you copy your password, and then you can paste

        • Okay, keepass could have a backdoor as well.

          Keepass is opensource, if a backdoor existed, it would have been found out , reported , and closed for good. That's what open source is good at.

  • I've used Team Pass (site here) [teampass.net] for a few months now. It works well enough. It's at least as secure as an excel sheet. It is however web based, so make sure to lock it down appropriately...
  • KeePass?

    Works on Windows, Linux, OSX, iPhone, Android, and more.

    You can even store the password database on the cloud if you wanted...

    • by ArsonSmith (13997)

      sure wish webkeypass wasn't a pile of crap.

    • by Anonymous Coward

      You can even store the password database on the cloud if you wanted...

      Why is this a good idea?

      • You can even store the password database on the cloud if you wanted...

        Why is this a good idea?

        What's wrong in keep database on cloud? As long as you are using strong password along with key file, there is remote chance that someone would be able to break-in your database.

  • Go to your desk drawer. Inside there will be 3 numbered envelopes...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Is one an offer letter for you from my firm? because it's been recinded...

  • KeePass (Score:5, Informative)

    by st0nerhat (2540360) on Saturday May 12, 2012 @12:09AM (#39976355)
    KeePass satisfies all of your criteria:
    • Open Source: It uses an OSI-certified license.
    • Multi-user: You can throw the database on a Samba, NFS, etc. share and it will merge changes between different users that have the DB open at the same time.
    • Secure: Supports multi-factor authentication.
    • Linux-based: Works with Mono.
    • ... and I love the password generation capability. Especially options like "exclude lookalike characters" for when I have to look up the password on my phone.

  • At work, we use gpg to encrypt our password file for specific recipients, and place that file in a dropbox share. On occasion, we'll generate a snippet of the file and encrypt it for a specific user (junior admin) and place it in the same location.

    Arbitrary complexity is often contrary to trustable security. If you really trust your encryption scheme, then it shouldn't matter where you store it (windows share).

    • We create separate files by service and encrypt the contents with GPG (regular old text files with ASCII armored encryption blocks).

      Dead simple, other then the GPG key management and passing around public keys. There's also the issue that every time you add someone new, you need to re-encrypt all the files (but that's a key management / PKI issue).

      Since they're regular text files, they can be emailed, printed, faxed, OCRd, stuffed in envelopes / safes, etc. We stuff ours into a version control system
  • Of course, (Score:2, Funny)

    by iplayfast (166447)

    You can use notepad...

  • Password Safe (Score:5, Informative)

    by matt-fu (96262) on Saturday May 12, 2012 @12:55AM (#39976573)
    Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml [sourceforge.net] The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.
    • We use Password Safe in Windows and pwsafe in Linux - they can access the same file if it's on a cifs share.
    • Of the Linux versions

      1) mypasswordsafe [semanticgap.com] is no longer maintained

      2) password gorilla [www.fpx.de] is not particularly fast

      3) pwsafe [wwwpwsafe.org] is still in beta

      Having said that, they all seem to work fine with no major issues. The last one is the most similar to the current Windows version.

      • by Rheingold (2741)

        We use the command-line implementation http://sourceforge.net/projects/pwsafe [sourceforge.net] integrated revision control. It has a 2-way merge feature, which makes it mostly usable with revision control, even though it's a little more tedious than necessary, since you have to manually accept or reject individual changes. For a while I've wanted to implement 3-way merge so that most merges can be automatic but I will probably never get around to doing so.

        The downside of the CLI pwsafe is that it supports only v2 PasswordSa

  • by Anonymous Coward

    http://www.webpasswordsafe.net is open source and multi-platform... "Web-based, multi-user, secure password safe/manager with delegated access controls"

  • http://tiddlywiki.com/ [tiddlywiki.com] http://remotely-helpful.com/TiddlyWiki/TiddlerEncryptionPlugin.html [remotely-helpful.com] The tiddlywiki is a wiki that runs in a single html file using javascript where each 'page' is called a 'tiddler' The encryption plugin allows you to apply a password to an individual tiddler or group of tiddlers. You can make the tiddlywiki public, they can see all the unencrypted tiddlers but only read the ones for which you have supplied the passwords.
  • There isn't really anything open source that I know of that is good at multi-user password management. I've seen enterprise appliances that offer this, but those are upwards of $10,000 for a glorified 1U rack PC with locking bolts.

    The best way I'd go about this is have the two top security guys in the firm build a Linux or BSD box with whole disk encryption that is locked away somewhere.

    As an alternative to Linux, one could use Windows and BitLocker, then VMWare Server or Workstation. This provides protec

    • I think you're over complicating things and you haven't considered what happens in a disaster scenario when you need to access the passwords, but don't have access to your usual hardware.

      KeePass with the file stored in a DropBox folder would be a lot easier.
    • The best way I'd go about this is have the two top security guys in the firm build a Linux or BSD box with whole disk encryption that is locked away somewhere.

      And then don't switch it on, ever.

  • Neither of these are open-source or linux-based, but... Cyber-Ark is the most secure solution I've come across - multi-factor authentication, as well as presenting passwords through a portal rather than granting access to the password file itself. Citrix had a similar solution, Citrix Password Manager, but I believe it is now EOL. For it to provide any real level of security the database needs to be abstracted from the users, otherwise it can easily copied offline and brute forced. "Use a secure password
  • VIM+OpenSSL (Score:3, Interesting)

    by Anonymous Coward on Saturday May 12, 2012 @01:22AM (#39976689)

    http://www.vim.org/scripts/script.php?script_id=2012 [vim.org]

    Unlike and better than the majority of the password-saferizers out
    there, this keeps your passwords in a file which is both decryptable
    with standardized tools and in a human readable format (assuming
    you typed human readable usernames/passwords in the first place!)

    Ten years from now you'll still be able to decrypt your files, and you
    can share them with people who don't have the editor plugin.

  • by jjoelc (1589361) on Saturday May 12, 2012 @01:23AM (#39976699)

    I'm not the author, but am also watching this thread for answers...

    I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database. Where I could set up groups and which passwords were available to a user would depend on the group they were a part of. For example, I might not mind all employees being able to look up the keys for the wireless network, but only those in the IT department having access to the admin logins for the wireless router... There are many many other examples, but hopefully you understand the gist...

    Any suggestions?

    • by Hatta (162192)

      I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database.

      Why should more than one user ever be able to access a password? One user, one account, one password, never disclosed to anyone under any circumstances whatsoever. If you need multiple users, that's what multiple user accounts and permissions are for. Anything else is just begging for trouble.

      • by danbeck (5706)

        Look, it must be all black and white there being the printer admin of your 5 man real estate office, but out in the real world, it never, NEVER works like that.

        A short list of the billion reasons why you would need what the OP is asking for:
        Web services that require a single primary administrative/billing account
        Company twitter accounts and other social media accounts
        Networking equipment that only allows multi-user auth through RADIUS
        admin/root passwords for: databases, servers
        common mail accounts shared by

    • by Dynedain (141758)

      You already have user access groups setup on the filesystem level. If you need different people to have different access to the password database, then split it into multiple databases, and take advantage of your existing filesystem (and hopefully domain) permission structure.

  • by Anonymous Coward

    You can look at Corporate Vault - http://sourceforge.net/projects/corporatevault/

    It's web based and you can create various groups with different level of access

  • Are you searching for bugs to exploit?

  • SFLvault (Score:5, Informative)

    by anarcat (306985) on Saturday May 12, 2012 @01:33AM (#39976751) Homepage

    I have been keeping an eye on this project [savoirfairelinux.com] for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

    The design seems sound, and it is a server/client model which seem to fit well your "multi-user" requirement, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

    The only issue I have found so far is that installing the server component is a bit of a pain (ie. no Debian package, as opposed to the client side)... but i guess this really depends on the "Linux" environment you are using...

    I have been maintaining a list of FLOSS password managers [koumbit.net] in our public wiki for a while, any suggestions not mentionned there are welcome.

  • I wrote a web based password manager that might interest you.
    It's cheap and you get all the source code on purchase.
    http://codecanyon.net/item/password-manager/2145518?ref=michaeldale [codecanyon.net] (includes my referrer link, but you can just delete the ref= part if you wish).

    I have a demo version online here: http://www.onlinecompanyportal.com/mrp/ [onlinecompanyportal.com]
    It does categories, multi user, active directory integration and lots more.
  • by JetScootr (319545) on Saturday May 12, 2012 @03:44AM (#39977249) Journal
    It's called pencil and paper. I have a notebook, and all pwds are encoded there. I have 4 simple rules for modifying what I write into what I type in. An example rule you could use is "Real pwds use only even digits; Passwords are written with all ten digits, odd digits are ignored". 2-4 simple rules will make it unhackable even for someone with physical control of passbook. (Never write down the rules - keep them in yer head).
    To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, you won't forget them.
    Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
    I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10000 tries in a text file - I'll let you know if you get it.
    This really really works - I've been doing this way since the 1980's, and haven't misplaced a properly coded pwd yet.
    • I may be a bit OCD about passwords and security - 30 years USAF and NASA have bent my brain a bit. Typing in pwds a lot doesn't bug me cuz I know my pwd mgt tool is safe because it's out of reach of hackers.
    • by pnot (96038) on Saturday May 12, 2012 @06:52AM (#39977729)

      So how does your system apply to the original question -- sharing the passwords among multiple users? Do you all copy out the relevant parts of each other's notebooks and memorize each other's rules? Or do you tell each other the unencrypted passwords and re-encrypt them individually using personal rule-sets?

    • by Cow Jones (615566)

      Yes, rules like that are not uncommon. They have their uses in environments where you can't use proper encryption. However, I can see several disadvantages to your method:

      For one, the dependency on a single physical storage medium (paper notebook) is a mixed blessing. On the one hand, it denies remote attackers the option to download a complete list of hashes, but on the other hand, it also denies you the possibility of retrieving your passwords when you don't have the notebook with you. Notebooks can al

    • by Phroggy (441)

      My company has people in (at least) three different cities who need to access various passwords (and we sometimes work from home, especially when something breaks in the middle of the night). Your solution wouldn't work for us at all.

    • It's called pencil and paper

      Unhackable ? If somebody steals it from you, you will experience an original case of denial-of-service... And how do you manage backups (just in case you lost your notebook) ?

      If your set of rules are really safe, why not simply write everything in an electronic note ?

  • by eadz (412417)

    I've checked out and briefly used Mortimer ( https://github.com/aiaio/mortimer ) before and it seems a decent tool.

    "mortimer is a password storage application that supports multiple users and basic permissions. The app relies on public key cryptography to facilitate a multi-user password system whose data remains secure even if the database is compromised. Admin users have permission to all password entries on the system. Users may be given permission on a password-group basis."

  • What's "insecure" about an Excel spreadsheet?

    If you're already running windows, edit the file > Properties, click advanced "Encrypt" the file on the file server using Windows EFS.

    Add the list of authorized users' certificates so only authorized users can decrypt the file.

    Make sure to setup an EFS recovery certificate, export that, and back it up somewhere.

  • https://github.com/aiaio/mortimer [github.com]

    The password sharing functionality looks really interesting. I gave it a spin a few months back, but it had an annoying bug at the time (move a password out of a folder to the root level and it can disappear from the UI). I'm guessing a competent Ruby dev with a few spare hours could fork it on GitHub, fix it up and make it work real nice.

    More information about it here:
    http://www.alexanderinteractive.com/blog/2009/02/mortimer-a-rails-password-manager/ [alexanderinteractive.com]
    http://www.alexanderinte [alexanderinteractive.com]

  • by ZorkZero (6507)

    Open source? Check. Multi-user? Check. Secure? Only as secure as the box it's on, and the boxes that people use to access it, just like everything else. Linux based? Check.

    Gnupg and a flat text file.

  • try Yapet: http://www.guengel.ch/myapps/yapet/index.shtml [guengel.ch]

    It s running on a Terminal, can thus be easily accessed via ssh.
    And it support different password files. The Encryption provided may be
    good enough for your needs.

  • by Jawnn (445279) on Saturday May 12, 2012 @10:13AM (#39978565)
    If you are not using a more robust access control scheme wherever you can, you are doing it wrong. Yes, there are cases where a single user/pass must be shared, but they are probably few in your organization. For those cases, KeePass is effective, if not particularly elegant. It's certainly more secure than an Excel file.
    Do yourself a favor and investigate single sign on (SSO) solutions and work your way toward a tiered access control model.
  • by Tmack (593755)
    As many others above have posted, though none got any mod points for (yet)...

    Its free, opensource (GNU), widely available as a standard package to most platforms, etc. You create a password file, encrypt with gpg, then sign it with each user's key that should have access to it (requires all users to have proper gpg keys setup). When someone leaves, you revoke their key from the file and they can no longer get to it, without having to do much else. If thats too complicated, just do a basic crypt (gpg -c) a

  • I use a card from http://www.passwordcard.org/ [passwordcard.org]

    Printed it out, laminated it with tape, and keep it in my wallet which is with me at all times. It's extremely handy and needs no internet access to use.

  • We use Keepass [keepass.info] on a CIFS share. It locks the password file when multiple people have it open so you don't have write problems.

    You can also put the file up on a LAMP style website with Web-Keepass [sourceforge.net].

    • by jon3k (691256)
      Apparently the new version will even allow you to synchronize multiple users (just found it earlier in this thread): http://keepass.info/help/base/multiuser.html [keepass.info]

      With KeePass 2.x, a database can be stored on a shared network drive and used by multiple users. When attempting to save, KeePass first checks whether the file on disk has been modified since it was loaded. If yes, KeePass asks whether to synchronize or overwrite the file (see image on the right). By synchronizing, changes made by other users (file on disk) and changes made by the current user are merged. After the synchronization process has finished, the current user also sees the changes made by others (i.e. the data in the current KeePass instance is up-to-date). If there is a conflict (multiple users edited the same entry), KeePass uses the latest version of the entry based on the last modification time.

...when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. - Fred Brooks, Jr.

Working...