Ask Slashdot: Open Source Multi-User Password Management?
An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"
Better than the last place I worked at (Score:5, Funny)
It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)
Re: (Score:1)
If only there was +1 sad..
Re:Better than the last place I worked at (Score:5, Interesting)
I once had a job where the list was kept on a printed page stored in a locked filing cabinet (no, it wasn't in the basement).
Re:Better than the last place I worked at (Score:4, Funny)
Was it in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?
Re: (Score:3)
And the lights were off, and the stairs were broken!
Re:Better than the last place I worked at (Score:5, Funny)
Of course, a filing cabinet isn't the best option, Feynman proved this by breaking into many of them at Los Alamos and leaving little notes. Instead of changing the security systems the military put out a memo saying that Prof Feynman was not to be left alone with a filing cabinet.
Re: (Score:2)
Heh, the best thing that I could come up with in a Wintel-centric environment was an encrypted zip file containing an excel spreadsheet. The master password would be periodically rotated and sent to people in an encrypted email.
We had access to Keepass or something similar, but our management couldn't be bothered to install it from the depot :P
Re: (Score:2)
Oh yeah, but it sucked because opening an excel spreadsheet in a zip file would cause it to be extracted to the temp dir first :P
Re:Better than the last place I worked at (Score:5, Informative)
It sounds like the asker is in an enterprise windows network. What you might use yourself is different from what you replace an Excel spreadsheet with on your company's network.
I have deployed and administered Network Password Manager [sowsoft.com]. A bland name for a very good Windows-only password manager. It has a real client and server, AES encryption, lets you create a tree of passwords, and access control to different parts of the tree is done with Active Directory, meaning you can let an "accountants" and/or "bookkeepers" group in your directory have read-only access to a tree "financial passwords", and a "managers" group or particular users can have modify or admin access to those passwords. This means you can just update personnel changes in Active Directory instead of having another program where you must update rights for every user. On dismissal, you can review passwords that the user had access to and reset just those apps/sites. Individual users can also have their own tree for their convenience that nobody else can access, although, if I recall, the system admin can see all passwords.
This degree of rights control is very useful when you run several different programs on your own network with different user accounts, along with vendor account sites (ordering, financial, billing, shipping, etc.) where you have to bend to another company's account and password system, which might give your whole company only one or a few logins.
For my own stuff, I have text files (both flat and encrypted), passworded Firefox password manager, and Blackberry Password Keeper. A $50 Blackberry (with no SIM card if you have something to hide) makes for a better password device than anything purpose-built you can buy; with encrypted disk storage, encrypted password storage, and no-touch USB backup, it is pretty secure - you can set it to wipe itself if a bad password is entered just three times, it can take different passwords to unlock the device vs getting to password keeper, you can install "decoy" password apps, and there are no biometrics that can bypass protection (showing it a picture of you, or using your removed fingers or eyeballs).
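The group-based rights model this post describes (directory groups granting read-only, modify or admin access to sub-trees, and the "what did this person have access to" review on dismissal), written out as an added Python illustration; this is not Network Password Manager's code, and the users, groups, folders and entries are constructed, with a plain dictionary standing in for the directory lookup.

```python
"""Group-based rights over a password tree, in the style the post above
describes. Constructed illustration, not Network Password Manager's code."""
from dataclasses import dataclass, field

# Each right implies the ones below it.
RIGHTS = {"read": 1, "modify": 2, "admin": 3}


@dataclass
class Folder:
    name: str
    acl: dict = field(default_factory=dict)       # group -> right on this sub-tree
    entries: list = field(default_factory=list)   # entry titles stored here
    children: list = field(default_factory=list)  # sub-folders


# Stand-in for directory (AD) group membership; all names are made up.
GROUPS = {
    "accountants": {"alice", "bob"},
    "managers": {"carol"},
    "it-admins": {"dave"},
}

# Constructed password tree. A right granted on a folder applies beneath it.
TREE = Folder("root", acl={"it-admins": "admin"}, children=[
    Folder("financial passwords",
           acl={"accountants": "read", "managers": "modify"},
           entries=["bank portal", "payroll vendor"]),
    Folder("network gear",
           entries=["core switch admin", "wireless controller"]),
])


def groups_of(user):
    """Directory lookup: which groups is this user a member of?"""
    return {g for g, members in GROUPS.items() if user in members}


def _nodes_on_path(path):
    """Yield the folders from the root down to the one named by `path`."""
    node = TREE
    yield node
    for name in path:
        node = next(c for c in node.children if c.name == name)
        yield node


def effective_right(user, path):
    """Highest right any of the user's groups holds on the walk down to the
    folder named by `path` (a list of folder names); 0 means no access."""
    mine = groups_of(user)
    best = 0
    for node in _nodes_on_path(path):
        for group, right in node.acl.items():
            if group in mine:
                best = max(best, RIGHTS[right])
    return best


def can(user, action, path):
    return effective_right(user, path) >= RIGHTS[action]


def readable_entries(user):
    """Every entry the user could ever have read: the list to rotate when
    that user leaves, as the post suggests doing on dismissal."""
    mine = groups_of(user)
    found = []

    def visit(node, path, inherited):
        level = inherited
        for group, right in node.acl.items():
            if group in mine:
                level = max(level, RIGHTS[right])
        if level >= RIGHTS["read"]:
            found.extend("/".join(path + [title]) for title in node.entries)
        for child in node.children:
            visit(child, path + [child.name], level)

    visit(TREE, [], 0)
    return found


if __name__ == "__main__":
    print("alice may read financial:", can("alice", "read", ["financial passwords"]))
    print("bob leaves; rotate:", readable_entries("bob"))
```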
Re: (Score:2)
NPM looks interesting. Personally, I implemented Password Safe: http://passwordsafe.sourceforge.net/ [sourceforge.net]. Unfortunately, it does not handle multiple users, though I suppose you could have multiple files with different passwords and a master file with all the passwords.
Re:Better than the last place I worked at (Score:5, Informative)
We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point. Certainly better than a plain text file on a shared drive!
(tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)
Re: (Score:2)
Can you actually share a password with several users using phpchain? It seems to me like everyone only has access to their own passwords.
Re: (Score:2)
We just use a shared account for "engineering department (location XYZ)" passwords. You can also have an individual account if you want to have private passwords, and you could put the password for any shared phpChain accounts you need to access in your private phpChain account. We have it running on an internal server, rather than something exposed to the Internet, so the danger of a breach is minimal. (If anybody makes it that far, we are already hosed.) But, the passwords are all stored in an encrypte
Re: (Score:2)
We use phpchain at work for this sort of thing.
Uhm. You are aware that using PHP for anything security related is like making a vault door out of lit sticks of dynamite, right?
Re: (Score:2)
Re: (Score:2)
If you are referring to the question's assumptions, perhaps it would be better phrased as 'statistically, people who use PHP write horrible code from a security perspective, most of the time'.
Re: (Score:2)
True. However, it's also true that statistically, people who use C++ write horrible code from a security perspective, most of the time. And people who use Perl write horrible code from a security perspective, most of the time. And people who use Java, Python, COBOL, etc., write horrible code from a security perspective -- indeed, horrible code in general -- most of the time.
There is not now, nor will ther
Re: (Score:2)
There is not now, nor will there ever be, a language in which it is difficult to write bad programs.
Don't be silly... there are plenty of languages where it's difficult to write any program.
Re: (Score:2)
Re: (Score:2)
There is nothing inherently dangerous about PHP. But, the phpChain login page is secured behind a normal HTTP / Apache login. So, we have it set up so you have to be logged in as a valid user before you can even see the phpChain login page. It's also on an internal server, so it can't be accessed from the Internet. (Or, if you can, we have far greater security concerns to take
Wallet (Score:5, Informative)
Wallet [eyrie.org] is a Kerberos-based secret management tool. It works well for me.
Re: (Score:3)
Gringotts [shlomifish.org] is a secure notes manager for Linux and other UNIX-like systems. I've been using it to store passwords for more than three years.
KeePassX (Score:5, Informative)
KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.
Multi-user? (Score:2)
Is it multi-user however?
Re: (Score:3)
KeePass 2 can be run on Mono and is multi-user for the databases - you all need the same password to decrypt the database however, but it does allow simultaneous shared access.
Re:Multi-user? (Score:5, Informative)
This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of us keep our own DBs with our more accountable user IDs. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.
As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OS's so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.
I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increase the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.
Re: (Score:2, Informative)
This! KeePass2 on a shared drive
You can go one better than a shared network drive by saving to a URL.
Specifically, set up a subversion server with WebDAV enabled. This way you can always go back to an old version if your db gets corrupted in any way. Subversion hook scripts can be used for implementing a backup plan (we use one to sync our keepass svn repo to a read-only mirror on a remote site.) The apache ldap auth module can be used to control access (this is on top of the actual keepass db password)
Re: (Score:2)
Maybe (Score:2)
Good comment until you said "military grade encryption". There is no such thing and that term is typically used by those who aren't very knowledgeable about security. Unfortunately this forces me to discount your opinion on the matter. KeePass2 may very well be a good solution for the problem at hand, but I'm going to need to find some other evidence for that, because whenever someone mentions "military grade encryption" I run away as fast as possible.
Re: (Score:2)
The main reason I mentioned it (but never really got into it) was because of a round up of password storage managers from a few weeks ago that all claimed "military grade" encryption, and all were trivial to compromise. I can't seem to locate the article now but KeePass was not included in this round up specifically because it didn't try to lump itself into this category.
I've been trying to rack my brain to remember if there was an alternative suggestion section of the roundups, or if KeePass was mentioned.
Re: (Score:3)
KeePass2 is Windows-only (unless you really want to deal with Mono). The original version is now forked and maintained as KeePassX with OSX and Linux builds available, along with the source.
Re: (Score:1)
And webscale. It has to be webscale.
Re: (Score:1)
+1 for KeePass
I started using it in 2009 and haven't looked back.
It works great with my Ubuntu and Windows mix. I keep it on a USB drive.
Re: (Score:3, Interesting)
I keep it on a USB drive.
Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry USB pen drive.
Re: (Score:2)
I keep it on a USB drive.
Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry USB pen drive.
I keep a master keepass file at my laptop. When I change it, I copy it to my dropbox folder, and there I even make two copies, one to my shared folder, which is shared with my work dropbox account. That means it is synced to my work computer as well. At work I use a different keepass database, and copy that to the same shared folder. I even sync it to the phone via dropbox, but on the phone I rarely update dropbox files. That means I have an old version of the database there. That isn't a big problem though
Re: (Score:2)
My main issue with KeepassX is that it isn't capable of running solely with an extension or bookmarklet, which means that it won't work on every OS I have. I use Lastpass as a result, though I'd prefer something equivalent that is open-source...
KeePass Almost Ubiquitous (Score:2)
KeepassX in a Dropbox folder (Score:2)
KeepassX in a Dropbox (or some similar sharing) folder works great. More secure encryption than Excel and better for the purpose.
Re: (Score:2)
Is it more secure?
Isn't it the same as an Excel sheet with a master password on it?
(Ok, keepass is way cheaper than an Excel sheet)
Re: (Score:1)
Excel passwords are easy to crack, google for "advanced office password breaker".
Re: (Score:2)
Is it more secure?
Isn't it the same as an Excel sheet with a master password on it?
(Ok, keepass is way cheaper than an Excel sheet)
I wouldn't know if it's more secure. Do you trust MS on this? Do they have a backdoor? Okay, keepass could have a backdoor as well.
Keepass is better because it's designed for it. It has a password generation tool, and it has some handy options. You have a list of keys, possibly organized in folders. If you open a list, you can set KP to not display usernames and/or passwords. So if someone is looking over your shoulder, they cannot see your password. CTRL-C and you copy your password, and then you can paste
Re: (Score:2)
Keepass is open source; if a backdoor existed, it would have been found out, reported, and closed for good. That's what open source is good at.
Team Pass (Score:1)
Re: (Score:2)
Of course, the app will probably shit itself the first time someone puts a ' in their password, or else return the wrong information for passwords containing \
You're referring to sql injection or magic quotes, and those who rely on the latter to prevent the former.
If coded properly (i.e. using prepared statements for the db calls!) this won't be a problem, and it's just as easy to write poor code in other languages.
KeePass (Score:2)
KeePass?
Works on Windows, Linux, OSX, iPhone, Android, and more.
You can even store the password database on the cloud if you wanted...
Re: (Score:2)
sure wish webkeypass wasn't a pile of crap.
Re: (Score:1)
You can even store the password database on the cloud if you wanted...
Why is this a good idea?
Re: (Score:1)
You can even store the password database on the cloud if you wanted...
Why is this a good idea?
What's wrong with keeping the database in the cloud? As long as you are using a strong password along with a key file, there is a remote chance that someone would be able to break into your database.
Why are you even considering this? (Score:2)
Re: (Score:2, Funny)
Is one an offer letter for you from my firm? Because it's been rescinded...
KeePass (Score:5, Informative)
Re: (Score:2)
... and I love the password generation capability. Especially options like "exclude lookalike characters" for when I have to look up the password on my phone.
GPG + Dropbox (Score:1)
At work, we use gpg to encrypt our password file for specific recipients, and place that file in a dropbox share. On occasion, we'll generate a snippet of the file and encrypt it for a specific user (junior admin) and place it in the same location.
Arbitrary complexity is often contrary to trustable security. If you really trust your encryption scheme, then it shouldn't matter where you store it (windows share).
Re: (Score:3)
Dead simple, other than the GPG key management and passing around public keys. There's also the issue that every time you add someone new, you need to re-encrypt all the files (but that's a key management / PKI issue).
Since they're regular text files, they can be emailed, printed, faxed, OCRd, stuffed in envelopes / safes, etc. We stuff ours into a version control system
Of course, (Score:2, Funny)
You can use notepad...
Password Safe (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Of the Linux versions
1) mypasswordsafe [semanticgap.com] is no longer maintained
2) password gorilla [www.fpx.de] is not particularly fast
3) pwsafe [wwwpwsafe.org] is still in beta
Having said that, they all seem to work fine with no major issues. The last one is the most similar to the current Windows version.
Re: (Score:2)
We use the command-line implementation http://sourceforge.net/projects/pwsafe [sourceforge.net] integrated with revision control. It has a 2-way merge feature, which makes it mostly usable with revision control, even though it's a little more tedious than necessary, since you have to manually accept or reject individual changes. For a while I've wanted to implement 3-way merge so that most merges can be automatic but I will probably never get around to doing so.
The downside of the CLI pwsafe is that it supports only v2 PasswordSa
Re:Password Safe (Score:5, Informative)
No real surprise. He recommends it because he designed it.
WebPasswordSafe (Score:1)
http://www.webpasswordsafe.net is open source and multi-platform... "Web-based, multi-user, secure password safe/manager with delegated access controls"
TiddlyWiki with TiddlerEncryptionPlugin (Score:1)
This is definitely an "itch"... (Score:1)
There isn't really anything open source that I know of that is good at multi-user password management. I've seen enterprise appliances that offer this, but those are upwards of $10,000 for a glorified 1U rack PC with locking bolts.
The best way I'd go about this is have the two top security guys in the firm build a Linux or BSD box with whole disk encryption that is locked away somewhere.
As an alternative to Linux, one could use Windows and BitLocker, then VMWare Server or Workstation. This provides protec
Re: (Score:2)
KeePass with the file stored in a DropBox folder would be a lot easier.
Re: (Score:2)
And then don't switch it on, ever.
The most secure I've found (Score:1)
VIM+OpenSSL (Score:3, Interesting)
http://www.vim.org/scripts/script.php?script_id=2012 [vim.org]
Unlike and better than the majority of the password-saferizers out there, this keeps your passwords in a file which is both decryptable with standardized tools and in a human readable format (assuming you typed human readable usernames/passwords in the first place!) Ten years from now you'll still be able to decrypt your files, and you can share them with people who don't have the editor plugin.
Not the author here... (Score:4, Insightful)
I'm not the author, but am also watching this thread for answers...
I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database. Where I could set up groups and which passwords were available to a user would depend on the group they were a part of. For example, I might not mind all employees being able to look up the keys for the wireless network, but only those in the IT department having access to the admin logins for the wireless router... There are many many other examples, but hopefully you understand the gist...
Any suggestions?
Re: (Score:2)
I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database.
Why should more than one user ever be able to access a password? One user, one account, one password, never disclosed to anyone under any circumstances whatsoever. If you need multiple users, that's what multiple user accounts and permissions are for. Anything else is just begging for trouble.
Re: (Score:2)
Look, it must be all black and white there being the printer admin of your 5 man real estate office, but out in the real world, it never, NEVER works like that.
A short list of the billion reasons why you would need what the OP is asking for:
Web services that require a single primary administrative/billing account
Company twitter accounts and other social media accounts
Networking equipment that only allows multi-user auth through RADIUS
admin/root passwords for: databases, servers
common mail accounts shared by
Re: (Score:2)
1) That's what sudo is for.
2) That sounds like a database with a broken permissions system.
Re: (Score:2)
You already have user access groups setup on the filesystem level. If you need different people to have different access to the password database, then split it into multiple databases, and take advantage of your existing filesystem (and hopefully domain) permission structure.
corporate vault (Score:1)
You can look at Corporate Vault - http://sourceforge.net/projects/corporatevault/
It's web based and you can create various groups with different level of access
Why are you Anonymous? (Score:1)
Are you searching for bugs to exploit?
SFLvault (Score:5, Informative)
I have been keeping an eye on this project [savoirfairelinux.com] for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."
The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.
The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...
I have been maintaining a list of FLOSS password managers [koumbit.net] in our public wiki for a while; any suggestions not mentioned there are welcome.
My Password Manager (Score:1)
It's cheap and you get all the source code on purchase.
http://codecanyon.net/item/password-manager/2145518?ref=michaeldale [codecanyon.net] (includes my referrer link, but you can just delete the ref= part if you wish).
I have a demo version online here: http://www.onlinecompanyportal.com/mrp/ [onlinecompanyportal.com]
It does categories, multi user, active directory integration and lots more.
Re: (Score:1)
My password tool is completely unhackable... (Score:5, Interesting)
To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, you won't forget them.
Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10000 tries in a text file - I'll let you know if you get it.
This really really works - I've been doing it this way since the 1980's, and haven't misplaced a properly coded pwd yet.
PS: Re:My password (Score:2)
Re:My password tool is completely unhackable... (Score:4, Interesting)
So how does your system apply to the original question -- sharing the passwords among multiple users? Do you all copy out the relevant parts of each other's notebooks and memorize each other's rules? Or do you tell each other the unencrypted passwords and re-encrypt them individually using personal rule-sets?
Re: (Score:3)
Yes, rules like that are not uncommon. They have their uses in environments where you can't use proper encryption. However, I can see several disadvantages to your method:
For one, the dependency on a single physical storage medium (paper notebook) is a mixed blessing. On the one hand, it denies remote attackers the option to download a complete list of hashes, but on the other hand, it also denies you the possibility of retrieving your passwords when you don't have the notebook with you. Notebooks can al
Re: (Score:2)
My company has people in (at least) three different cities who need to access various passwords (and we sometimes work from home, especially when something breaks in the middle of the night). Your solution wouldn't work for us at all.
Re: (Score:2)
It's called pencil and paper
Unhackable ? If somebody steals it from you, you will experience an original case of denial-of-service... And how do you manage backups (just in case you lost your notebook) ?
If your set of rules is really safe, why not simply write everything in an electronic note?
Mortimer (Score:2)
I've checked out and briefly used Mortimer ( https://github.com/aiaio/mortimer ) before and it seems a decent tool.
"mortimer is a password storage application that supports multiple users and basic permissions. The app relies on public key cryptography to facilitate a multi-user password system whose data remains secure even if the database is compromised. Admin users have permission to all password entries on the system. Users may be given permission on a password-group basis."
Windows Encrypting File System (Score:1)
What's "insecure" about an Excel spreadsheet?
If you're already running windows, edit the file > Properties, click advanced "Encrypt" the file on the file server using Windows EFS.
Add the list of authorized users' certificates so only authorized users can decrypt the file.
Make sure to set up an EFS recovery certificate, export that, and back it up somewhere.
Mortimer (Score:2)
https://github.com/aiaio/mortimer [github.com]
The password sharing functionality looks really interesting. I gave it a spin a few months back, but it had an annoying bug at the time (move a password out of a folder to the root level and it can disappear from the UI). I'm guessing a competent Ruby dev with a few spare hours could fork it on GitHub, fix it up and make it work real nice.
More information about it here:
http://www.alexanderinteractive.com/blog/2009/02/mortimer-a-rails-password-manager/ [alexanderinteractive.com]
http://www.alexanderinte [alexanderinteractive.com]
Gnupg (Score:1)
Open source? Check. Multi-user? Check. Secure? Only as secure as the box it's on, and the boxes that people use to access it, just like everything else. Linux based? Check.
Gnupg and a flat text file.
Yet another Password Encryption Tool (Score:1)
try Yapet: http://www.guengel.ch/myapps/yapet/index.shtml [guengel.ch]
It's running in a terminal, and can thus be easily accessed via ssh. It also supports different password files. The encryption provided may be good enough for your needs.
Wrong question (Score:3)
Do yourself a favor and investigate single sign on (SSO) solutions and work your way toward a tiered access control model.
GPG (Score:2)
It's free, open source (GNU), widely available as a standard package on most platforms, etc. You create a password file, encrypt with gpg, then sign it with each user's key that should have access to it (requires all users to have proper gpg keys set up). When someone leaves, you revoke their key from the file and they can no longer get to it, without having to do much else. If that's too complicated, just do a basic crypt (gpg -c) a
Non electrical means (Score:2)
I use a card from http://www.passwordcard.org/ [passwordcard.org]
Printed it out, laminated it with tape, and keep it in my wallet which is with me at all times. It's extremely handy and needs no internet access to use.
Keepass (Score:2)
We use Keepass [keepass.info] on a CIFS share. It locks the password file when multiple people have it open so you don't have write problems.
You can also put the file up on a LAMP style website with Web-Keepass [sourceforge.net].
Re: (Score:2)
With KeePass 2.x, a database can be stored on a shared network drive and used by multiple users. When attempting to save, KeePass first checks whether the file on disk has been modified since it was loaded. If yes, KeePass asks whether to synchronize or overwrite the file (see image on the right). By synchronizing, changes made by other users (file on disk) and changes made by the current user are merged. After the synchronization process has finished, the current user also sees the changes made by others (i.e. the data in the current KeePass instance is up-to-date). If there is a conflict (multiple users edited the same entry), KeePass uses the latest version of the entry based on the last modification time.
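The save-time check and the merge rule quoted above, as an added Python illustration of that behaviour (not KeePass's own code): the database is modelled as a JSON list of entries keyed by UUID, the "has the file changed since I loaded it" test is a hash of the bytes read at load time, timestamps are ISO-8601 strings, and entry deletion is left out.

```python
"""Multi-user save logic in the style of the KeePass 2.x description above.
Constructed illustration, not KeePass code; deletions are not modelled."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str
    modified: str  # ISO-8601 UTC, e.g. "2012-03-01T10:00:00Z"; sorts as text


def dumps(entries):
    """Serialize a database (dict uuid -> Entry) deterministically."""
    ordered = sorted(entries.values(), key=lambda e: e.uuid)
    return json.dumps([asdict(e) for e in ordered]).encode()


def loads(data):
    return {d["uuid"]: Entry(**d) for d in json.loads(data)}


def fingerprint(data):
    """Remembered at load time; compared against the file before saving."""
    return hashlib.sha256(data).hexdigest()


def synchronize(mine, theirs):
    """Union of both copies; when both hold the same uuid, the entry with
    the later last-modification time wins (the conflict rule quoted above)."""
    merged = dict(theirs)
    for uuid, entry in mine.items():
        other = merged.get(uuid)
        if other is None or entry.modified > other.modified:
            merged[uuid] = entry
    return merged


def save(loaded_fingerprint, disk_bytes, mine):
    """Decide how to save. Returns (action, database, bytes_to_write):
    'saved' when the file is untouched since load, 'synchronized' when
    another user's on-disk changes were merged in first."""
    if fingerprint(disk_bytes) == loaded_fingerprint:
        return "saved", mine, dumps(mine)
    merged = synchronize(mine, loads(disk_bytes))
    return "synchronized", merged, dumps(merged)


if __name__ == "__main__":
    # Constructed scenario: two users open the same shared file.
    shared = {"a": Entry("a", "wifi", "old", "2012-03-01T10:00:00Z")}
    disk = dumps(shared)
    loaded_fp = fingerprint(disk)           # user 1 loads
    other = {"a": Entry("a", "wifi", "new", "2012-03-01T10:30:00Z")}
    disk = dumps(other)                     # user 2 saves a newer password
    mine = {"a": Entry("a", "wifi", "mine", "2012-03-01T10:20:00Z")}
    action, db, _ = save(loaded_fp, disk, mine)   # user 1 tries to save
    print(action, db["a"].password)         # synchronized new
```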
Re:Delete the spreadsheet. (Score:5, Funny)
I love having the password on my monitor. However I didn't like the appearance of all those Post-it notes stuck to it. So instead I changed all my passwords to "Samsung".
Re: (Score:2)
I love having the password on my monitor. However I didn't like the appearance of all those Post-it notes stuck to it. So instead I changed all my passwords to "Samsung".
But what if you buy another monitor?
Re: (Score:2)
Re: (Score:2)
I look forward to the royalty cheques, but where have you used it?
Re: (Score:2)
We use phpchain at work. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point.
NEAT! Thanks for the contribution! To repay the favor, I offer you my services. If someone accidentally deletes your passwords, just email me and I'll forward you a copy. [spiderlabs.com]
> PHP
> Secure
Choose one.
Re: (Score:2)
Re: (Score:2)
But how? All we will see is a bunch of stars...