Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely? Thanks.
On a small scale, PasswordSafe from Sourceforge.
On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura <zeusdadog@gmail.com> wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
Thanks.
-- -- David Storandt CTO TelJet Longhaul LLC 802-922-9503 (new DID) 802-264-3003 (fax) dstorandt@teljet.com
On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
Pwman
...which has the HUGE advantage of being CLI (so useable over SSH sessions from network devices) and has tagging for searching large databases of passes. pwman3 is current version. For most OSs. I've even used it looped through a multitude of nested VTY+SSH+screen sessions - one of which was a Dropbear sshd and client on a 20$ plastic CPE - to save my sorry *ss
For GUIs:- Keepassx for most OSs, and Keepass2.x on MS Windows
Password Gorilla is a nice one for end-users, most OSs
Bruce's Passwordsafe format is a somewhat de-facto standard for import/export. Keepass can do a lot of conversion for you. Some shops use rsync to distribute the masters and set them readonly at filesystem-level though this tends to preclude regular rotation and updating.
Beware that some of the commercial offerings are trivially broken or otherwise borked for "work" use. ymmv
Whatever you use dump the file to a flat file (crypted of course) and save a statically linked version of the app for those "wow - what password app did we use way back in 2001?" moments.
Print a copy every month or so and store securely offsite too - all the usual caveats apply. Once you have a super-duper app for them you tend to crank the pw complexity up to a level where no-one can remember anything nor even recognise regular ones; it's mainly cut and paste, especially if you use X.
Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ?
Gord
-- rommon 3 > You have reached the gateway of last resort. Abandon hope all ye who press enter here
Don't recall if it was mentioned but we use a nice little app called MyPMS http://lvoware.com/. Put it on an internal system and then people have to access via a VPN connection to browse into it. That way if a person is no longer with the company, then their VPN has been turned off and they don't have access to it anymore. The reason I like the app is it's OS agnostic for the end user and keeps the data in an SQL DB.
On Thu, 2009-11-19 at 14:07 +0000, gordon b slater wrote:
On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
Pwman
...which has the HUGE advantage of being CLI (so useable over SSH sessions from network devices) and has tagging for searching large databases of passes. pwman3 is current version. For most OSs. I've even used it looped through a multitude of nested VTY+SSH+screen sessions - one of which was a Dropbear sshd and client on a 20$ plastic CPE - to save my sorry *ss
For GUIs:- Keepassx for most OSs, and Keepass2.x on MS Windows
Password Gorilla is a nice one for end-users, most OSs
Bruce's Passwordsafe format is a somewhat de-facto standard for import/export. Keepass can do a lot of conversion for you. Some shops use rsync to distribute the masters and set them readonly at filesystem-level though this tends to preclude regular rotation and updating.
Beware that some of the commercial offerings are trivially broken or otherwise borked for "work" use. ymmv
Whatever you use dump the file to a flat file (crypted of course) and save a statically linked version of the app for those "wow - what password app did we use way back in 2001?" moments.
Print a copy every month or so and store securely offsite too - all the usual caveats apply. Once you have a super-duper app for them you tend to crank the pw complexity up to a level where no-one can remember anything nor even recognise regular ones; it's mainly cut and paste, especially if you use X.
Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ?
Gord
-- rommon 3 > You have reached the gateway of last resort. Abandon hope all ye who press enter here
http://keepass.info Works great in a multi-user environment.
-----Original Message-----
From: Jay Nakamura [mailto:zeusdadog@gmail.com]
Sent: Wednesday, November 18, 2009 19:57
To: NANOG
Subject: Password repository
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely? Thanks.
On 19/11/09 15:34 +0900, Randy Bush wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
<old school>
ascii text file, gpg encrypted, only opened with emacs crypt++.el
From the network administrator perspective, we prefer to use a 3rd party/central authentication system where feasible, to reduce the number of password entries in our network from Users*Systems to Users*Security_Domains, and keep a gpg encrypted file (and a physical copy) in a safe location of rarely used admin/root passwords that we only need in an emergency (e.g. when RADIUS goes down).
-- Dan White
On Wed, Nov 18, 2009 at 10:34 PM, Randy Bush <randy@psg.com> wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
<old school>
ascii text file, gpg encrypted, only opened with emacs crypt++.el
Or if you prefer vim there is the gnupg.vim plugin: http://www.vim.org/scripts/script.php?script_id=661
:-P
-- Dan Young <dyoung@mesd.k12.or.us> Multnomah ESD - Technology Services 503-257-1562
I'm not sure if you're only considering free software, but if not take a look at Password Manager Pro. http://www.manageengine.com/products/passwordmanagerpro/download.html
Dan
On Nov 19, 2009, at 10:53 AM, Dan Young <dyoung@mesd.k12.or.us> wrote:
On Wed, Nov 18, 2009 at 10:34 PM, Randy Bush <randy@psg.com> wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
<old school>
ascii text file, gpg encrypted, only opened with emacs crypt++.el
Or if you prefer vim there is the gnupg.vim plugin: http://www.vim.org/scripts/script.php?script_id=661
:-P
-- Dan Young <dyoung@mesd.k12.or.us> Multnomah ESD - Technology Services 503-257-1562
Jay Nakamura (zeusdadog) writes:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
Home built app with GELI (FreeBSD) encrypted disk image and automated versioning of documents/secure stuff with a VCS. Works fine in a multi user context, but only one user can access it at a time.
We have used Password Manager XP for quite some time. It supports different user roles, allows security to be set per folder, the encryption levels it supports are insane, and it allows for a "database password" and then user level authentication (which can be tied to NT authentication from the workstation). They also have a client for windows mobile devices. The client also runs in wine exceptionally well. You can configure it to do form filling, and you can define password expiration dates and it will remind you that passwords need changed. Also supports the ability to define a database log, so that all changes can be sent off to a log server. You can also add pretty detailed descriptions to the entry, and you can tie files into the entry as well. Works great for attaching a private key for access to servers via SSH. All of the displayed fields inside of each folder are completely customizable and quite easy to change.
It supports multiple users pretty well, however we have had to restore the database from backups once when a user was writing to the database over SSLVPN and the connection dropped. We have used it with a max of about 20 people and it worked great for that number, however as your database gets larger and larger it does take a while to make some changes.
-----Original Message-----
From: Jay Nakamura [mailto:zeusdadog@gmail.com]
Sent: Wednesday, November 18, 2009 8:57 PM
To: NANOG
Subject: Password repository
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely? Thanks.
All,
I wasn't expecting the number of suggestions I got! Thanks all. It looks like keepass is the popular choice by many. We are looking into that.
And those that suggested RADIUS, yes, I am moving towards that direction for what can be moved to the RADIUS direction. However, we also managed so many customers' equipment/web site contents/application/networks as well that we can't use RADIUS in those instances.
Again, I appreciate having this list to get ideas on various issues I face every day.
On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura <zeusdadog@gmail.com> wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
Thanks.
I offer a free service: Send me all your passwords via encrypted email and I promise to keep them safe for you :-)
Ok, kidding aside we also use KeePass...
On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura <zeusdadog@gmail.com> wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
Thanks.
I've used phpchain in the past. It's a freeware you can get off of sourceforge. It runs on a PHP server and stores the passwords per user, blowfish encrypted. It hasn't been updated in a while, but I found it simple, rather helpful, and easy to install and manage.
Jeff
-----Original Message-----
From: Jay Nakamura [mailto:zeusdadog@gmail.com]
Sent: Wednesday, November 18, 2009 10:57 PM
To: NANOG
Subject: Password repository
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely? Thanks.
Jay Nakamura wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
Thanks.
I use opensource, multiplatforms softwares :
Keepass password file in a truecrypt container and it works as heaven and securely.
Keepass for Windows : http://www.keepass.info/
Keepass for Linux/Mac OS : http://www.keepassx.org/
Truecrypt (all platforms) : http://www.truecrypt.org/
Pierre-Yves Maunier
I'm a big fan of 1password, but I'm on mac and iPhone.
Sent from my iPhone
On Nov 19, 2009, at 23:36, Pierre-Yves Maunier <nanog@maunier.org> wrote:
Jay Nakamura wrote:
Quick question, does anyone have software/combination of tools they recommend to centrally store various passwords securely?
Thanks.
I use opensource, multiplatforms softwares :
Keepass password file in a truecrypt container and it works as heaven and securely.
Keepass for Windows : http://www.keepass.info/
Keepass for Linux/Mac OS : http://www.keepassx.org/
Truecrypt (all platforms) : http://www.truecrypt.org/
Pierre-Yves Maunier
On Thu, 19 Nov 2009, John Adams wrote:
I'm a big fan of 1password, but I'm on mac and iPhone.
I'll second that. 1Password truly is fabulous, though its strength is the Auto-website login feature with a hotkey. When in your browser, Command+Option+\, type some characters of the site or description, hit enter, and it opens your default browser, goes to the site and logs you in. Integrates on all browsers: Safari, Firefox, Opera and others. Supports secure notes, has a well designed strong password generator, can be synced over the network to multiple other computers via Dropbox (or whatever you want to use, rsync works too), and has great integration with the iPhone as well as a browser-based client for use on non-Mac computers.
If you are not using a Mac, or are using a mixed bag of operating systems, 1Password is probably not best.
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
participants (17)
- Blake Pfankuch
- Bret Clark
- Dan Bellazetin
- Dan White
- Dan Young
- Darren Bolding
- Darryl Dunkin
- David Storandt
- gordon b slater
- Jason Granat
- Jay Nakamura
- Jeffrey Negro
- John Adams
- Peter Beckman
- Phil Regnauld
- Pierre-Yves Maunier
- Randy Bush