Personal computing discussed

Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska

Password Managers

Fri Jul 18, 2014 9:20 pm

It seems like these are all the rage today. I've been recently looking for a good one to break away from the password Excel chains that have bound me for so long. It's funny because our own TR posted information regarding insecurities found in online/web-based options like LastPass and similar offerings. I'm curious to hear some down-to-earth opinions from other IT professionals who have found something that meets their security demands and perhaps their need to access those passwords while mobile.

I came across an option for software that lets you totally bypass the need to store your KeePass in the "Cloud" (AKA Dropbox or Google Drive). It's called "Pleasant Password Server" http://www.pleasantsolutions.com/passwordserver/. The website seems sort of in its infancy, and as someone stated either here on TR in comments or elsewhere, it feels like a software consulting company that made their own in-house password manager and then decided to market it a bit. Not that it's a bad thing; my time tracking software (HarvestApp) was created on that same principle and is excellent.

So I'm curious if anyone has tried this program to host their KeePass DB on their own in-house server for local-only share and/or web and remote capabilities. Ideally I'd be able to access this via my Android phone or any web browser. Obviously a certain amount of network hardening for the server in question is advised if it's to be accessible outside of the network. Open to thoughts and ideas about this or other offerings.

Oh, and I'd like to be able to store software licenses within the software for multiple client accounts, so that we don't have to wonder about whether we are staying legal with our licensing. Obviously from what I've seen KeePass can be made to do this, but as I said before I'm totally open to other offerings.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Password Managers

Mon Jul 21, 2014 9:17 am

This is something I've been looking into for a while. I've mainly been looking into self-hosted, web based password managers.

TeamPass (http://www.teampass.net/): I've tried to get this one running for a while. My problem is the AD integration keeps breaking and the documentation is spotty. When it was working, it was pretty nice, but I got tired of fighting it.

Team Password Manager (http://teampasswordmanager.com/): This is the next one I'm going to try since they have AD integration.

SimpleSafe (https://www.simplesafe.net/): This one is more free-form than other password managers that I've looked at, and that is what I like about it. It doesn't have AD integration, so it's kind of behind the other two. It is the one I like the most though.

SimpleVault (http://simplevault.sourceforge.net/): It's an interesting concept. Access is based on passwords, so there aren't any users.

RatticDB (http://rattic.org/): Rattic is another interesting one. RatticDB doesn't encrypt the passwords, so the devs suggest the DB be installed on an encrypted filesystem.

Then there are the command line password managers which can be used from a shell account. Most of them are just frontends for gpg.

mdp (http://tamentis.com/projects/mdp/)
pass (http://www.passwordstore.org/)
gpgpwd (http://random.zerodogg.org/gpgpwd/)

For a hosted service, Clipperz (https://clipperz.is/) looks interesting.
 
cobalt
Gerbil First Class
Posts: 171
Joined: Mon Oct 30, 2006 11:28 am

Re: Password Managers

Mon Jul 21, 2014 9:48 am

Dunno, other web-based password managers seem to have the occasional vulnerability, so my gut would be to trust a cloud service to secure their cloud service more than I'd trust my own network securing capabilities. In the event of some catastrophic vulnerability with DropBox, or even if you accidentally the database to all your friends, a good enough password with KeePass will likely still give you plenty of time to change all your passwords, even if you're specifically targeted by an adversary with high quantities of computing resources. (Added convenience features, like browser add ins, seem like they provide another attack vector as well, so I avoid those.)
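To make the "good enough password still buys you time" argument above concrete, here is a toy vault in the same shape as a KeePass-style database (this is an added example, not KeePass's real file format or anyone's code from this thread). The master password is stretched with PBKDF2-HMAC-SHA256, the entry data is encrypted under a key derived from that, and a MAC rejects wrong passwords and tampered files instead of returning garbage. The iteration count, the keystream construction (HMAC in counter mode standing in for a real block cipher) and the attacker speed figure are all assumptions made for the illustration:

```python
import hashlib
import hmac
import os
import struct

# Toy vault layout (assumed for this example, NOT the KeePass format):
#   iterations(4, big-endian) | salt(16) | nonce(16) | ciphertext | tag(32)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
DEFAULT_ITERATIONS = 200_000    # assumed tuning knob, like KeePass's "rounds"
MAX_ITERATIONS = 10_000_000     # refuse absurd counts a tampered header could request


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password; attacker cost per guess grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the stretched master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for a real cipher (toy only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, plaintext: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Encrypt-then-MAC the vault contents under the stretched master password."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    header = struct.pack(">I", iterations) + salt + nonce
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(master_password: str, blob: bytes):
    """Return the plaintext, or None if the password is wrong or the blob was tampered with."""
    header_len = 4 + SALT_LEN + NONCE_LEN
    if len(blob) < header_len + TAG_LEN:
        return None
    header, body, tag = blob[:header_len], blob[header_len:-TAG_LEN], blob[-TAG_LEN:]
    iterations = struct.unpack(">I", header[:4])[0]
    if iterations == 0 or iterations > MAX_ITERATIONS:
        return None
    salt = header[4:4 + SALT_LEN]
    nonce = header[4 + SALT_LEN:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # wrong password or modified file
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def expected_crack_seconds(charset_size: int, length: int, iterations: int,
                           rounds_per_second: float) -> float:
    """Expected time for an offline attacker who has the vault file and can compute
    `rounds_per_second` PBKDF2 rounds (an assumed figure for their hardware) to
    brute-force a uniformly random master password of the given shape."""
    guesses = (charset_size ** length) / 2   # on average half the keyspace is searched
    return guesses * iterations / rounds_per_second


if __name__ == "__main__":
    vault = seal("correct horse battery staple", b"example.com: hunter2")   # constructed entry
    assert unseal("correct horse battery staple", vault) == b"example.com: hunter2"
    assert unseal("wrong password", vault) is None
    years = expected_crack_seconds(62, 12, DEFAULT_ITERATIONS, 1e9) / (365.25 * 86400)
    print(f"12-char random master password, 200k rounds, 1e9 rounds/s attacker: ~{years:.1e} years")
```

With the assumed attacker speed of 10^9 rounds per second, a 12-character master password drawn uniformly from 62 characters and 200,000 rounds works out to roughly 10^10 years expected; the same arithmetic for an 8-character lowercase password comes to about a day, which is the difference between "plenty of time to rotate" and "already lost" once the file leaks. The iteration bound in `unseal` is there because the count is read from the file before the MAC can be checked, so an attacker who can modify the file could otherwise make every open attempt take forever.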
 
slowriot
Gerbil XP
Posts: 388
Joined: Wed Apr 03, 2013 10:57 am

Re: Password Managers

Mon Jul 21, 2014 9:58 am

I use KeePass. The database is only shared on two machines that are on my home network. I do not use add-ons or the like that automatically fill in webpages, etc. I also do not share the database on my smartphone.

The services/sites that I use unique passwords on I would not login from a remote location, including my phone. The services that do not require a unique password share a set of common passwords, therefore not requiring the password manager.

But then again... I really don't understand the need to say login to your bank website from your smartphone or pay a bill that way. If you do then I'd say you need to adjust your usage habits more than you need a fancy password manager.
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: Password Managers

Mon Jul 21, 2014 10:00 am

Just a friendly word of caution, be very careful with this. Having all of your passwords in one place is inherently risky and web-based/shared raise the potential impact of exposure. I'm sure it's a risk you've already thought of and are willing to accept, but it's still a scary prospect that warrants at least a second thought before you choose a solution, especially if you go with a web-based one.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Password Managers

Mon Jul 21, 2014 12:00 pm

Losergamer04 wrote:
Just a friendly word of caution, be very careful with this. Having all of your passwords in one place is inherently risky and web-based/shared raise the potential impact of exposure.


It is a risk, but keeping a team and multiple devices in sync is worth the trade-off. In a business setting, it's extremely handy to have data in one, searchable place, rather than spread out across a bunch of files.

The OP should have an appropriate DR policy in place, and a password manager with two-factor authentication would be preferred. I haven't found any that offer two-factor authentication, so that's pretty much out.
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: Password Managers

Mon Jul 21, 2014 1:03 pm

It is my opinion that this subject is important enough that it should be looked at from another perspective. I was just sharing that because I thought it was relevant and important to think of it in that light. These are the keys to your life/business we are talking about. They should receive more than just a passing thought regarding security.

I'm not advocating a single solution over another. It's based on the needs of the business or person and the risk they are willing to accept.
 
cobalt
Gerbil First Class
Posts: 171
Joined: Mon Oct 30, 2006 11:28 am

Re: Password Managers

Mon Jul 21, 2014 1:20 pm

Well, even with the risks of something like a Dropbox+KeePass, or even a web-based password manager, it enables other strong security practices -- and so in my opinion the known reduction in risk is far greater than the potential increase in risk, e.g.:

1) It allows a different password for every site, so a single compromised site has 0% chance of affecting any other site.
2) It also allows a strong password for every site, so a leaked hash from one site is unlikely to cause you any harm before you have a chance to change your password.
3) It lets you change your passwords, especially for important sites, much more often because there's no (mental) penalty for doing so.
4) And if you only have to remember one good password (for the key store), that one password can be far stronger because you're not trying to remember a bunch of them.

(Sorry, I know this is going a little astray from the original question about team solutions.....)
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: Password Managers

Mon Jul 21, 2014 1:59 pm

We could go WAY off topic, but let's not. I didn't mean to get us off the original point. Let me try to get what I was saying out a little more clearly. The impact from having a single master username and password that can expose all of your passwords in a public-facing website is very, very high. I'm not saying it shouldn't be done, just to think about that and be careful. I like my fellow gerbils and don't want to see anything bad happen.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Password Managers

Mon Jul 21, 2014 2:35 pm

Losergamer04 wrote:
These are the keys to your life/business we are talking about. They should receive more than just a passing thought regarding security.

I'm not advocating a single solution over another. It's based on the needs of the business or person and the risk they are willing to accept.


Indeed.

A little bit extra convenience can make things a lot easier and leads to better practices. If things are too hard, people aren't going to use the security tools, and they are going to route around them, thus defeating the purpose of the security.

Losergamer04 wrote:
We could go WAY off topic, but let's not. I didn't mean to get us off the original point. The impact from having a single master username and password that can expose all of your passwords in a public-facing website is very, very high. I'm not saying it shouldn't be done, just to think about that and be careful.


The OP did ask about hardening, so we're not too off topic.

I wouldn't want to put anything in a public-facing webpage without auditing the application or having more security than just a password. They could be doing better than just relying on HTTPS to keep things secure.
