Slashdot Mirror


Password Storage for Fun and Profit?

adwb asks: "I work for a small company which performs network installations and support for clients in the Seattle area. We have a handful of network admins and programmers who go out to clients' offices to solve problems as needed. A problem we have been trying to deal with is the various administrator passwords for different client networks at different domain levels. It seems the easiest solution is not the most secure: just dump every client's administrator password into a text file and store it in a secure network location inside our local domain. Can any of you experienced network admins recommend a method (either pre-built software or a custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PCs) but secure from the outside world?" For those of you interested in protecting your personal passwords, an answer might be found in this tidbit from jswinth, but there are issues here, too: "The Wired article about Never Forget Another Password talks about the Just1Key service allowing all your passwords to be accessible from any PC. They use an applet and encrypt the password information before it leaves the local PC. What about when you cannot trust the PC, like when using a public terminal? I would hate to have all my passwords compromised because I couldn't remember my password to my free New York Times account at the library."

75 comments

  1. Unless the security is ironclad. . . by Limburgher · · Score: 2, Insightful
    it's just too risky. To satisfy me, the storage should be encrypted, and the access should require SSL.

    At the very least.

    I still don't think I'd trust it.

    --

    You are not the customer.

    1. Re:Unless the security is ironclad. . . by nocomment · · Score: 1

      Something perhaps like LDAP? :-) I think this sounds like a good use.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    2. Re:Unless the security is ironclad. . . by Limburgher · · Score: 1

      Except they said multi-domain, indicating that the systems in question auth to multiple locations, possibly including AD, vanilla LDAP, NT4 Domains, NIS, or local accounts. LDAP would only work if all the systems could auth to the same spot, and if that were the case, the question would not have been asked.

      --

      You are not the customer.

    3. Re:Unless the security is ironclad. . . by erlenic · · Score: 1

      I think he meant to store the password in LDAP, then use an LDAP GUI tool to manually look up the password you need. Although your interpretation would be incredible if it were possible.

    4. Re:Unless the security is ironclad. . . by nocomment · · Score: 1

      I didn't mean authenticate everyone's service to LDAP, I just meant store it there, and they can use any old LDAP client to look them up.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  2. Roboform! by fm6 · · Score: 4, Informative

    Check out RoboForm. Snarfs up passwords, automatically enters them for you. Passwords can be saved to Palm, PocketPC, or USB key. Supports Firefox.

    1. Re:Roboform! by Spoing · · Score: 1
      Check out RoboForm. Snarfs up passwords, automatically enters them for you. Passwords can be saved to Palm, PocketPC, or USB key. Supports Firefox.

      Almost perfect. Doesn't support OSX or Linux.

      --
      A firewall cannot protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. So.... by ArsonSmith · · Score: 2, Interesting

    You're asking how can I let everyone know the passwords, yet still be secure?

    Sounds like you have an architectural problem not a password problem. Not sure how to fix it, we are cursed with the same thing here. Some is being addressed but it is slow and making sure every application supports a centralized authentication system is the hardest part.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
    1. Re:So.... by Komarosu · · Score: 1

      Of course...because forcing your clients to use your centralized authentication system will be fun...you might want to re-read it...

      Can any of you experienced network admins recommend a method (either pre-built software or custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PC's) but secure from the outside world?"
      --

      "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    2. Re:So.... by adwb · · Score: 1

      I think you misunderstand the question. We are just looking for a method to store passwords and access them remotely. This data is for humans to read while on-site, not for applications to connect to.

    3. Re:So.... by BrokenHalo · · Score: 1
      This data is for humans to read while on-site, not for applications to connect to.

      In that case, a text file on a USB stick would do the job just fine, wouldn't it? Sometimes the simplest solutions are the best...

  4. Re:Dear Slashdot by Anonymous Coward · · Score: 0

    Use opensource.

  5. USB Keys? by coaxial · · Score: 1

    Have you ever considered USB keys to store the text files? Having them on your person is just as secure as the key to your car. (Well not exactly, but pretty close.)

    I've been wanting to find a Java app (for cross-platform compatibility; pretty much everything I will be using will have a JVM) that would store the passwords encrypted on the USB key, but I haven't really looked for one.

    --
    How the fuck do you get caught overwhelmed at the Astrodome when you know exactly how many people are coming, and have days to plan? What a clusterfuck.

    1. Re:USB Keys? by brohan · · Score: 1
      Well, this is actually what I've been doing for a while now. I have a small program called passpack which encrypts all the passwords to one file unlockable via a master password. Also, it has a screen-hiding capability so that if someone creeps up behind you, you can simply press F8 and it's gone. If you want to go the open source direction you can use such applications as Password Safe. Both can be deployed on the network by having a centrally updated file on the internal network.

      There is also the matter of physical security here with the USB key. Somebody can nab them off you (remember how the post-production guys of LOTR transported the movie to the editing studio in digital form on several iPods and almost got mugged on the way there!). Having it attached to you via a string or something might be useful. Even make it a USB watch and just carry an extension cord around. With USB keys you can frequently forget them, or at least I sometimes do.

    2. Re:USB Keys? by coaxial · · Score: 1

      Thanks for the links. While they may be useful for some people, it's not really what I'm looking for. I need something that runs on Linux, Solaris, Mac OS X, and Windows. You can't really assume that any of those platforms will have the same libraries, so any dependencies you need to bring with you.

      I guess that's less of an issue with 512 meg USB drives, but then you have four different executables and libraries. That's why I suggested Java. An implementation of Java is preinstalled on Windows, Mac OS X, and Solaris; and it's often installed on Linux.

  6. Password Safe by Kj0n · · Score: 1

    Password Safe is an open source application that encrypts all your passwords with a master password, so you only have to remember the master password.

    It is only available for Windows.

    1. Re:Password Safe by CoolHnd30 · · Score: 1

      Figaro's Password Manager (http://fpm.sourceforge.net/) is an encrypted password storage solution that can store many passwords, and you could use one password to protect it. It only runs on Linux. However, you could use NX (http://www.nomachine.com/) to give users remote access to it.

    2. Re:Password Safe by hetfield_guitar · · Score: 3, Informative

      Password Gorilla http://www.fpx.de/fp/Software/Gorilla/ is an opensource app that works on Mac, Windows and Linux and is compatible with Password Safe's database.

    3. Re:Password Safe by Anonymous Coward · · Score: 0

      Haha, grandparent is PWN3D!!!

  7. Use Gmail by LennyDotCom · · Score: 2, Interesting

    Open a Gmail account with an obscure name, upload the info, and you can access it anywhere.

    --
    http://Lenny.com
    1. Re:Use Gmail by Enrico+Pulatzo · · Score: 1

      If I were to do that, I'd be sure to access Gmail through HTTPS (and even then you may want to have a message with a JavaScript bookmarklet to encrypt/decrypt passwords rather than leave 'em in email).

    2. Re:Use Gmail by Anonymous Coward · · Score: 0

      What fucknut modded this interesting?

      An interesting way to have your entire password collection accessible over a public, unencrypted connection, maybe.

  8. Activesync and local subnet limited by Marxist+Hacker+42 · · Score: 1

    Here's what I'd do- but then again, I'm just wild about security AND PocketPCs.

    I'd have an Access database with an intranet web interface that checks MAC addresses to limit access through the web interface. In addition, I'd use ActiveSync Access table synchronization to synchronize the PocketPCs, but only when they are connected to a machine within your LAN (physical connection, not network connection) sync the table.

    That way, you maintain full access for your people- but no access for anybody else. To save memory on the PocketPCs, limit information to machine name/domain name, IP address, userID with root (administrator) access, and password.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Activesync and local subnet limited by adwb · · Score: 1

      That is exactly what I had in mind. I'm surprised something like this hasn't already been written and uploaded to SourceForge... or maybe it has but I haven't found it.

  9. ssh keys and sudo by fdawg · · Score: 1

    I am in the same boat; I admin multiple networks owned by different organizations, each with their own admin passwords. My mantra is to never know the superuser passwords. If they don't give them to me, I am not the security risk. Instead, I give my user account the ability to sudo (or slide as the case may be), and copy my ssh keys where needed. This way I can have different user account passwords that I won't need to remember, have the ability to become root when needed, and if one of the client sites is compromised, the other clients are still secure. The issue is when my home machine (the machine with the ssh keys) is compromised. That's when you hire a lawyer and consider moving to warmer climates.

  10. Here's what we do by Anonymous+Crowhead · · Score: 4, Interesting

    We have an encrypted text file stored locally with all passwords written on it like this:

    1. password

    2. password2

    etc.

    On an ssl, password protected web site not hosted by us, we have a web page with:

    Server x, root, password #1

    Server x, admin, password #2

    etc.

    The people who need it keep all or part of the printed out text file in their wallets. I'm sure someone will point out some flaw, but it is pretty disconnected.

    1. Re:Here's what we do by Sliptwixt · · Score: 1

      I worked for a major news website (linked to by Slashdot on occasion). They kept all of the root passwords for every system (about 70 of them) in a plain text file located in a "secret" directory in the home directory of an employee who had not worked there in years. Something like /home/jsmith/secret/passwds.lst

      Swear to god. They still do it that way, I'm sure. I mean, they *did* name the directory "secret", so it's secure, right?

    2. Re:Here's what we do by Anonymous+Crowhead · · Score: 1

      I mean, they *did* name the directory "secret", so it's secure, right?

      No, it's only secret if you name it ".secret".

  11. Two open source solutions by lucidvein · · Score: 4, Informative

    http://keepass.sourceforge.net/
    The program stores your passwords in a highly encrypted database. This database consists of only one file, so it can be easily transferred from one computer to another.

    KeePass supports password groups, you can sort your passwords (for example into Windows, Internet, My Homepage, etc.). You can drag-n-drop passwords into other windows. The powerful auto-type feature will type usernames and passwords for you into other windows. The program can export the database to various formats (like TXT, HTML, XML, CSV, ...). It can also import data from various other formats (Password Safe v2 TXT files, CSV files, ...).

    http://passwordsafe.sourceforge.net/
    Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).

    --

    "I have a cunning plan..."

    1. Re:Two open source solutions by GreyedOut · · Score: 1

      I find KeePass quite useful.

    2. Re:Two open source solutions by Motherfucking+Shit · · Score: 1
      http://keepass.sourceforge.net/
      So that's where OSDN stores the porn collection!
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    3. Re:Two open source solutions by TCM · · Score: 1

      I use my own method.

      For web forums, shops, misc services etc. I take the username I used, the domain and a secret master password.

      Then, my script basically does this:

      echo -n "$user:$domain:$masterpass" | sha1 | openssl base64

      From the resulting string I take the first 16 characters and use that as a password. Every user/domain pair that I used also gets stored for later retrieval. The secret password is never stored anywhere.

      Can anyone comment on the security of this solution? I figured that using 16 characters from the base64 output gives a stronger password than using 16 characters from the hash directly. But basically, I'm a crypto newbie.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    4. Re:Two open source solutions by Anonymous Coward · · Score: 0

      Ffffthh! You owe me a new keyboard. :)

  12. Slightly different alternative by ScaryFroMan · · Score: 0
    For those free website logins and such, you can just use BugMeNot to fill in boxes with other dummy accounts.

    It won't do much for real passwords, but at least you don't have to worry about coming up with different passwords for things that don't have to be secure.

    --
    In Soviet Russia, backwards is everything.
  13. What happens when... by jsveiga · · Score: 3, Informative

    an irresistible force meets an immovable object?

    Nothing, because they cannot belong to the same universe.

    The same is valid for the two concepts "from any computer" and "secure from the outside world". You can't have both. "Any computer" can have keyloggers, screen capturers, mouse trackers, mind readers, whatever it takes to snatch the passwords on the way to your employee.

    Plugging the USB memory to "any computer" to retrieve the passwords is also dangerous for similar reasons.

    Either you have all the passwords stored in autonomous devices from where your employee can safely retrieve them (for example PDAs or some mobile phones, which have a protected "password storage" feature), or a centralized database which can only be queried by 'safe' clients.

    A possible centralized solution: Your employee calls a number or sends a SMS from his mobile. On the other side, a system which knows the 'trusted' mobile numbers recognizes him from the caller ID (and optionally a user password), retrieves the one password he queried for, and sends it back via SMS.

    SMS (at least over GSM networks) are encrypted, and GSM SIM cards are quite hard (impossible) to counterfeit.

    This could be easily implemented with GSM phones or GSM modem modules connected to the server, and SMS handling tools freely available.

    1. Re:What happens when... by Anonymous Coward · · Score: 0

      Wrong on many counts.

      - SMS traffic is not encrypted as it passes over the network

      - Network operator staff have access to text archives; access control is not as tightly implemented as it should be.

      - Faking of MSISDN (the originating phone number) for SMS can be readily achieved without the need to compromise a SIM. In fact, such messages can be originated from SMS-sending websites.

      - Finally, SMS messages do not necessarily automatically delete on reading. A lost or stolen phone could compromise the accounts.

      I know this is Slashdot, but at least get your facts right before making "authoritative" statements.

      PP.

    2. Re:What happens when... by jsveiga · · Score: 1

      - I stand corrected: SMS is not automatically encrypted by the network, but they can be easily encrypted by the "password server", and decrypted on the receiving mobile by a local app (java?). Thank you for your most polite correction.

      - Yes you can fake the originating MIN of the request SMS, but tell me, how do you receive the response without compromising a SIM?? The server will answer only to the CORRECT, known phone. Even if you somehow "sniff" the traffic to get the answer, and if it's not encrypted, the legit phone would get it too, as a sign of breach.

      - If the user does not delete the SMS, and if he doesn't use a PIN to lock the phone, and if he doesn't use a password-protected decryption app, and if he loses the phone, I agree there's a problem. If he writes down the passwords and gives them away too.

      - If you count on the cooperation of the cell network staff - or the cooperation of any remote communication system staff - and do not use encryption, then there is no solution for the proposed remote password storage.

      - It was not an "authoritative answer", it was a "possible solution", posted for "peer review" and brainstorming, but it's all my fault for forgetting that this is Slashdot, where everything posted is an "authoritative answer"...

  14. May I suggest... by jo42 · · Score: 1

    Post-It(tm) Notes under the keyboard of the various machines and servers written in an ink that becomes visible only with special glasses?

    1. Re:May I suggest... by aminorex · · Score: 1

      > visible only with special glasses?

      And written in Reformed Egyptian.

      --
      -I like my women like I like my tea: green-
  15. The good old days by jimmypw · · Score: 1

    What I used to do was: each admin knows the passwords that they need to know. Then the network manager or someone who knows all of the passwords would write them all down on separate pieces of paper, seal them in individual envelopes, then put them into a fireproof safe with the rest of the company's sensitive documents. Problem solved at a minimum cost that's also very secure.

  16. Novell: Passwords NEVER Travel the Wire!!! by mosel-saar-ruwer · · Score: 2, Interesting

    They use an applet and encrypt the password information before it leaves the local PC.

    Being an old Novell MCNI/MCNE/etc, I was inundated, inculcated, and imbued by the overarching mantra: PASSWORDS NEVER TRAVEL THE WIRE!!! ONLY HASHES OF PASSWORDS TRAVEL THE WIRE!!!

    1. Re:Novell: Passwords NEVER Travel the Wire!!! by Gothmolly · · Score: 1

      Yes, the hash travels over the wire, in clear text, and is a password equivalent. Why do I care that your password is "darlingwife123" when I can just supply the hash to any network service that requests it?
      Interesting, Novell people are usually the bright ones.

      --
      I want to delete my account but Slashdot doesn't allow it.
    2. Re:Novell: Passwords NEVER Travel the Wire!!! by Clover_Kicker · · Score: 1

      A little salt makes password negotiation both tasty and safe.

    3. Re:Novell: Passwords NEVER Travel the Wire!!! by Geoffreyerffoeg · · Score: 1

      Why should the hash be the same every time? Even garage-door openers implement this kind of challenge-response system.

      Passwords never travel the wire. Only responses to challenges travel the wire, and that only when the challenger is identified as legitimate.

    4. Re:Novell: Passwords NEVER Travel the Wire!!! by T-Ranger · · Score: 1

      Except that you don't send the hash across the wire, you use a challenge and response system (shared secret). The password crosses the wire once - when it is chosen; or for pre-chosen / printed passwords, never.
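The exchange the last few replies argue about, as an added example (editor's illustration, not Novell's actual protocol; the password, the sniffed session and the guess list are constructed in-line so the script runs offline). Scheme A is what Gothmolly describes, the client sends the stored hash itself, so one sniffed login replays forever. Scheme B is the challenge-response shape T-Ranger and Geoffreyerffoeg describe, and the same shape as CHAP: the server issues a fresh nonce and the client answers with a MAC keyed by the hash, so a replayed answer is rejected. The last function is the caveat a practitioner should keep in mind: a sniffed (nonce, response) pair still allows offline guessing of the password, so "never the same hash twice" does not by itself excuse a weak or unsalted stored hash.

```python
"""Send-the-hash versus challenge-response login, with a replay against each."""
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Unsalted hash, as the thread assumes; this is all the server stores."""
    return hashlib.sha256(password.encode()).digest()


class SendTheHashServer:
    """Scheme A: the client transmits the hash; the hash is the credential."""

    def __init__(self, stored_hash: bytes):
        self.stored_hash = stored_hash

    def login(self, presented_hash: bytes) -> bool:
        return hmac.compare_digest(presented_hash, self.stored_hash)


class ChallengeResponseServer:
    """Scheme B: fresh nonce per login, answer = HMAC(stored_hash, nonce)."""

    def __init__(self, stored_hash: bytes):
        self.stored_hash = stored_hash
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                  # unknown or already-used challenge
        self.outstanding.discard(nonce)   # single use: a replay finds it gone
        expected = hmac.new(self.stored_hash, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_response(pw_hash: bytes, nonce: bytes) -> bytes:
    """What the client sends in scheme B; it never sends pw_hash itself."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


def replay_against_send_the_hash(password: str = "darlingwife123") -> bool:
    """Returns True when the replay of one sniffed login succeeds."""
    h = password_hash(password)
    server = SendTheHashServer(h)
    sniffed = h                           # exactly what crossed the wire
    assert server.login(sniffed)          # the legitimate session
    return server.login(sniffed)          # attacker replays it


def replay_against_challenge_response(password: str = "darlingwife123") -> bool:
    """Returns True when any replay of a sniffed (nonce, response) succeeds."""
    h = password_hash(password)
    server = ChallengeResponseServer(h)
    nonce = server.challenge()
    response = client_response(h, nonce)
    sniffed = (nonce, response)
    assert server.login(nonce, response)  # the legitimate session
    # Replay the pair as-is, then try the old answer against a new challenge.
    return server.login(*sniffed) or server.login(server.challenge(), sniffed[1])


def offline_guess_demo(password: str = "darlingwife123"):
    """Caveat: one sniffed exchange lets an attacker test guesses offline at
    hash speed. Constructed guess list; returns the recovered password."""
    h = password_hash(password)
    nonce = secrets.token_bytes(16)
    response = client_response(h, nonce)
    candidates = ["password", "letmein", "darlingwife", "darlingwife123"]
    for guess in candidates:
        if hmac.compare_digest(client_response(password_hash(guess), nonce), response):
            return guess
    return None


if __name__ == "__main__":
    print("replay works against send-the-hash:", replay_against_send_the_hash())
    print("replay works against challenge-response:", replay_against_challenge_response())
    print("offline guess from one sniffed exchange:", offline_guess_demo())
```

Note the split between the two threats: the nonce stops replay on the wire, but whoever obtains the stored hash from the server (or brute-forces it from a sniffed exchange) can compute valid responses, which is Gothmolly's "password equivalent" point restated for scheme B. Salting and a slow hash, as Clover_Kicker hints, address that second problem, not the first.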

  17. Paper... by joto · · Score: 5, Funny
    You see, there is a form of written communication that predates the computer, and is very secure once you've taken care of the physical security. It is also portable, easy to carry, does not require electricity, or any form of advanced machinery. It will survive in temperatures from far below human tolerance, to +70 Celsius. It can be damaged by exposure to water, but because of its flexible form, can easily be stored in an airtight container. This miracle medium is called: PAPER!

    You write the passwords you need on a piece of paper. If there are lots of passwords to be remembered, an electronic device called a "printer" can transfer the passwords from a computer at your office building to the paper.

    The paper is carried by the admin to whatever clients he needs to go to. Once at the client, he fetches this piece of paper, and uses his eyes to retrieve the passwords he needs. The passwords are typed manually by the admin into the client's computer.

    As your admin finishes his job, the paper containing the passwords can be easily destroyed. A device specifically made for this, called a "paper shredder", exists in many offices, and your admin is likely to find one at the client's office.

    If a client does not have a paper shredder, the admin may choose to use the fallback solution of tearing apart the paper with his hands, followed by flushing it down the toilet. Another solution is to ignite the paper with a device called a "lighter", something that can usually be found at the back entrance of the client's building (just ask one of the smokers there).

    I hope this suggestion helps!

    1. Re:Paper... by My-Kung-Fu-Is-Best · · Score: 1

      Well done... you beat me to it!

  18. Only problem I can see is... by brunes69 · · Score: 3, Insightful

    .. you must have a finite number of clients. Even assuming 500 passwords in that file, it would take anyone with the nerve only a short time to brute force the right password.

  19. Maintenance accounts? by baadger · · Score: 1

    Why don't you set up separate maintenance admin/appropriate-level accounts on all your client networks and then keep the password the same?

    Obviously you'll need to get your clients to agree to this, but it sounds like you already have this level of access anyway.

    Since all these networks are disconnected, it's unlikely anybody will know you are using the same password for all of your clients, and I don't see how this is a worse risk than storing all of them in one location/file.

  20. Not free, but... by curunir · · Score: 1

    Network Password Manager

    Run it on a Windows Server, install the clients on various people's machines. The clients authenticate against your domain controller, so there's almost no configuration necessary.

    It allows you to store passwords in a hierarchical fashion with a file-manager-style interface. You set permissions just like you would a normal windows shared file/folder.

    --
    "Don't blame me, I voted for Kodos!"
  21. How about the obvious? by Chemisor · · Score: 1

    Why not just set all the passwords to the same value and then tell everyone what it is? It's not like you're gaining any security by having multiple passwords; everyone knows them all anyway.

  22. The obvious answer: Don't by hackwrench · · Score: 1

    Start with the idea of the customer's authorized representative entering the password when your tech gets on-site.

    Second idea, Have the client create an account as needed for your Tech that gets deleted when your tech is done. At the very least have an account that gets disabled when not needed.

    1. Re:The obvious answer: Don't by adwb · · Score: 1

      Many of these clients don't even know how to create a user account. That's why they hired us.

    2. Re:The obvious answer: Don't by danielrose · · Score: 1

      Then create the account yourself.
      For example, create a root/admin account with the same username at each site (e.g. "MyCOTech").
      Set the same password and bingo, problem solved.

      --
      i hate pansy republicans
  23. pms by gnarlin · · Score: 1

    password management system. Gives you encryption and a master password.
    Just put it on a server that you have ssh access to. It's a neat little program.
    http://passwordms.sourceforge.net/

    --
    A bad analogy is like a leaky screwdriver.
  24. Keychain Access by zhenga · · Score: 2, Informative

    Apple's Keychain Access is pretty nice to store and manage passwords, secure notes, and certificates.
    I use it very often to store notes, beats Stickies imho and easier to backup as well :)

    It's possible to create a Shared Keychain as well. Then all users on the machine can access that keychain if they know its password.

    I think most part of the Keychain Access is Opensource (correct me if i'm wrong!):
    http://darwinsource.opendarwin.org/10.4/libsecurity_keychain-78/lib/

    So any takers on making keychains crossplatform? (I hope there are ;)

  25. Keyring for Palm OS by Turtle+Master · · Score: 1

    I use Keyring. It's very convenient to have it on the palm, and there are desktop editors for it as well (there are a couple of windows conduits, and a couple of java apps that work fine on macos or linux).

  26. The Old-Fashioned Way by dshaw858 · · Score: 1

    Write them down, and put them in a safe.

    Ta-da!

    - dshaw

    1. Re:The Old-Fashioned Way by Anonymous Coward · · Score: 0

      Damn straight. Or just unplug the freakin' network cable!

  27. Doy by Apreche · · Score: 1

    You can make multiple root/Administrator accounts on a machine. In Linux just make more users with uid 0. In Windows just add to the Administrator group.

    For everyone on your staff who should have access, create an account on the machine for them. Give them the same username everywhere. They can keep track of their own passwords. If they want the same password at every client it's OK because they remember it. If they have a different password at every client there are plenty of handy Palm/BlackBerry applications that encrypt/store for a single person easily.

    --
    The GeekNights podcast is going strong. Listen!
  28. Why not ask? by minus9 · · Score: 3, Interesting

    "We have a handful of network admins and programmers who go out to client's offices to solve problems as needed."

    This is how I would do it...

    The people who go out on site, ask the client what the password is. If they are trusted then the password will be provided. If they are some halfwit who wants to "dump every client's administrator password into a text file" then they will be told to get the fuck away from my network and leave the building.

    They could also carry the passwords in a file using a modern concept called encryption, a new invention, only a few thousand years old.

    To think that I have recently been modding posters down for bitching about slashdot no longer being "News for nerds"

    There are also sites on the internet which can provide links to software which can fulfill this need.

    Sorry for being such a sarcastic twat but slashdot is sinking to the level of "My processor is running out of memory, should I buy a bigger monitor?"

    People come here to get away from this stupid crap.

  29. kedpm by Noksagt · · Score: 3, Informative

    I whole-heartedly suggest the use of Ked Password Manager. It has both a graphical and a command line interface. You can therefore keep the paradigm of using it from the network--just ssh in to your server, and run kedpm (instead of catting the password). The files are encrypted with blowfish to a single password. The database is compatible with Figaro's Password Manager. kedpm is in python and, properly packaged, will run on darn-near anything. Including a USB thumbdrive if you want to take your passwords with you.

  30. Palm Pilot by CastrTroy · · Score: 1

    I keep all my passwords encrypted on GNU Keyring, on my old trusty Palm m100. It's not much good for that and addresses. It encrypts everything with DES3, and I guard it with a long password, that would be hard to brute force. It's probably the best device that I can think of to store passwords, since you can take it anywhere you go.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Palm Pilot by NaDrew · · Score: 1

      Similarly, I use Strip on my Treo 650, and used it on a succession of Visors before (finally) upgrading. After HotSyncing, I use POSE to emulate Palm OS on my PC so I can see the passwords and accounts right there.

      --
      Vista:XPSP2::ME:98SE
  31. how much would you pay for the answer? by museumpeace · · Score: 1

    I have a proprietary solution.

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  32. Here's My Idea by Ensayia · · Score: 1

    I would say create a means of doing this from scratch, something that doesn't have known flaws, backdoors, or exploitations. The leaking of information at that extreme is a big boo-boo to fix.

  33. Tools to the rescue! by DeltaHat · · Score: 1

    Sounds like a perfect use for a tool my friend told me about. It's from a little-known company called Claria. Hope this helps.

  34. KeePass Password Safe by Shadow_139 · · Score: 1

    KeePass is what you are looking for. I have been using it for years now and it's fucking cool.

    It stores all your username/password database using so-called "most secure encryption algorithms currently known (AES and Twofish)" while SHA-256 is used as password hash.

    You can group your list with details on each password: Title, Username, URL, Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment.

    It's fully open-source (OSI certified), runs under Windows and PocketPC with NO INSTALLATION NEEDED so it will run off a USB key or network, etc. All in all a very cool and sweet program for anybody with a lot of usernames/passwords/URLs/IPs to remember and a must-have for all system/network admins.....

    Or check out this oldish Ask /. Posting.....

  35. What??? by Anonymous Coward · · Score: 0

    How do you figure that? And, why is this moderated insightful?

    The scheme that he describes is excellent and is the least likely to be compromised. If the master file on the server is compromised, they only have a list of hosts and nothing else. If someone's wallet is stolen they only have a list of passwords, more likely random strings.

    The only way to compromise this scheme is to steal someone's wallet AND compromise the website. The likelihood of this is extremely low! It's a good system.

  36. Pathetic! by Anonymous Coward · · Score: 0

    You don't know ANYTHING about password hashing and encryption, do you? Not even CHAP is as weak as you describe.

    For the record, it is highly likely that the hash that travels the wire is NEVER the same hash twice. Novell does not send clear text hashes, they encrypt via RSA.

    You == Clueless twit.

  37. Wrong. by brunes69 · · Score: 1

    All you need is the second file (the one with the passwords). You don't need to know the hosts, this can be deduced simply by looking at what clients his company has, which is usually very easy to get information (usually it is even in press releases!). Then all you do is try each password in succession till you find the right one. There would be such a small number to attempt it would be almost trivial.
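The disagreement between comment 10 (the numbered wallet list plus a host-to-number web page), comment 35 and brunes69's replies comes down to whether the wallet half is useful on its own. Here is that question worked through as an added example by the editor (not any poster's setup; the server names and passwords below are constructed). The first function is brunes69's attack: if the host list is public, the wallet alone bounds the attacker's work at one login attempt per entry. The second half shows what a split that genuinely needs both halves looks like, a one-time-pad style XOR split, where either share alone is consistent with every candidate password of that length and so reveals nothing.

```python
"""Numbered-list split from comment 10, the enumeration attack against it, and
an XOR split where each half alone carries no information."""
import secrets

# Constructed stand-in for the two halves described in comment 10.
WEBSITE_HALF = {"server-x/root": 1, "server-x/admin": 2, "server-y/root": 3}
WALLET_HALF = {1: "k3Qz!9ppRw", 2: "Hb77#tLmXs", 3: "zV0$qe2NdA"}


def guesses_with_wallet_only(wallet: dict, target_accepts) -> int:
    """brunes69's attack: knowing which company is a client is enough to pick
    the host, so the wallet alone costs at most len(wallet) login attempts.
    Returns the number of attempts used, or 0 if nothing matched."""
    for attempts, candidate in enumerate(wallet.values(), start=1):
        if target_accepts(candidate):
            return attempts
    return 0


def enumeration_demo() -> int:
    """Attacker has the wallet only and is trying server-y's root login."""
    real_password = WALLET_HALF[WEBSITE_HALF["server-y/root"]]
    return guesses_with_wallet_only(WALLET_HALF, lambda p: p == real_password)


def xor_split(password: str):
    """Two shares: share_a is uniformly random, share_b = password XOR share_a.
    Each alone is indistinguishable from random bytes of that length."""
    raw = password.encode()
    share_a = secrets.token_bytes(len(raw))
    share_b = bytes(x ^ y for x, y in zip(raw, share_a))
    return share_a.hex(), share_b.hex()


def xor_combine(share_a_hex: str, share_b_hex: str) -> str:
    a, b = bytes.fromhex(share_a_hex), bytes.fromhex(share_b_hex)
    return bytes(x ^ y for x, y in zip(a, b)).decode()


def share_is_consistent_with(share_a_hex: str, candidate: str) -> bool:
    """Given one share, every candidate of the right length has a matching
    other share, so the share cannot be used to rank candidates. (Length is
    the one thing it does leak; pad passwords to a fixed size if that matters.)"""
    a = bytes.fromhex(share_a_hex)
    raw = candidate.encode()
    if len(raw) != len(a):
        return False
    other = bytes(x ^ y for x, y in zip(raw, a))
    return xor_combine(share_a_hex, other.hex()) == candidate


if __name__ == "__main__":
    print("attempts needed with wallet list only:", enumeration_demo())
    a, b = xor_split(WALLET_HALF[2])
    print("wallet share:", a)
    print("website share:", b)
    print("recombined:", xor_combine(a, b))
    print("wallet share consistent with a wrong guess too:",
          share_is_consistent_with(a, WALLET_HALF[3]))
```

The cost of the fix is exactly what the paper-and-wallet scheme was trying to avoid: nobody XORs two hex strings in their head at a client site, so the wallet share has to be fed to a tool, at which point you are back to the encrypted-file and password-manager suggestions elsewhere in the thread.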

  38. Work it out... by Anonymous Coward · · Score: 0

    I am in the same boat. Some time ago I started a WISP and in the beginning it was not a problem since it was only myself; later we got more machines and additional hands. It became impossible to remember all the passwords, so I worked out a little maths thingy: take the machine name, function, location, and OS into account and combine that with a custom encrypt calculation and you end up with something like u24b2.HTFrQgw.b9. No way you'll ever remember it, yet you can work it out in a moment. If someone leaves the company, change your math thingy. Easy. And do not work it out with a pen and paper... and it requires slightly more than one brain cell; if you appoint a new person and after day 2 they still cannot work out a password, start looking for someone new...
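Comment 38 and TCM's reply under comment 11 describe the same idea: derive each site password from a master secret plus public per-site data instead of storing it. The script below is an added example by the editor, not either poster's tool, and answers TCM's question about the strength of the 16 characters. It assumes `sha1` prints its digest as hex text (the BSD utility does), which means `openssl base64` in his pipeline encodes 40 hex characters rather than 20 raw bytes, so 16 output characters carry 48 bits, fewer than 16 hex characters (64) and far fewer than 16 base64 characters of the raw digest (96). The last function is a hardened variant using PBKDF2 from the standard library: since any one derived password, once leaked, is an oracle for guessing the master password, the per-guess cost should be a slow KDF rather than one SHA-1.

```python
"""Site-password derivation: TCM's pipeline as written, as probably intended,
the entropy each yields, and a slow-KDF variant."""
import base64
import hashlib
import string


def derive_hex_then_b64(user: str, domain: str, master: str, length: int = 16) -> str:
    """`echo -n "$user:$domain:$master" | sha1 | openssl base64`, first `length`
    chars, when sha1 prints hex text: base64 runs over 40 ASCII characters."""
    hex_text = hashlib.sha1(f"{user}:{domain}:{master}".encode()).hexdigest()
    return base64.b64encode(hex_text.encode()).decode()[:length]


def derive_raw_then_b64(user: str, domain: str, master: str, length: int = 16) -> str:
    """The likely intent: base64 over the 20 raw digest bytes, 6 bits per char."""
    digest = hashlib.sha1(f"{user}:{domain}:{master}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def decodes_to_hex_text(password: str) -> bool:
    """Self-check for the hex-text pipeline: 16 base64 chars decode to 12 hex
    digits, i.e. 12 * 4 = 48 bits of digest, not 16 * 6 = 96."""
    decoded = base64.b64decode(password).decode()
    return len(decoded) == 12 and all(c in string.hexdigits for c in decoded)


def entropy_bits(length: int, from_hex_text: bool) -> int:
    """Upper bound on a derived password's entropy (the master password's own
    entropy caps it further). Base64 of raw bytes: 6 bits per char. Base64 of
    hex text: every 4 output chars encode 3 hex digits of 4 bits each."""
    if from_hex_text:
        return length * 3 // 4 * 4
    return length * 6


def derive_pbkdf2(user: str, domain: str, master: str, length: int = 16,
                  iterations: int = 200_000) -> str:
    """Hardened variant (editor's, not from the thread): a leaked site password
    costs an attacker `iterations` HMAC-SHA256 calls per master-password guess.
    The salt is public per-site data; secrecy rests on the master password."""
    salt = f"{user}:{domain}".encode()
    nbytes = (length * 6 + 7) // 8                  # raw bytes needed for `length` b64 chars
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=nbytes)
    return base64.b64encode(key).decode()[:length]


if __name__ == "__main__":
    u, d, m = "alice", "example.org", "correct horse battery staple"  # constructed
    as_written = derive_hex_then_b64(u, d, m)
    print("pipeline as written :", as_written, entropy_bits(16, True), "bits")
    print("  decodes to hex?    :", decodes_to_hex_text(as_written))
    print("raw digest, base64  :", derive_raw_then_b64(u, d, m), entropy_bits(16, False), "bits")
    print("16 hex chars would be:", 16 * 4, "bits")
    print("pbkdf2 variant      :", derive_pbkdf2(u, d, m))
```

Two things the code does not fix: the master password is a single point of failure for every site (the same exposure as one encrypted file), and rotating one site's password means changing the inputs (a counter in the salt, for instance), since the derivation is deterministic by design.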

  39. I wasn't happy with anything out there.. by Bubba · · Score: 0

    So I wrote my own password storage program. Written in Perl; uses AES encryption. Setup a few aliases "getpass" and "addpass" and you've got password management. Simple, yet effective.

    http://bubba.org/fcrypt

  40. Enterprise Password Safe by chiger_bite · · Score: 1

    My organization is in a similar situation with sharing administrative passwords. The politics dictate that I share specific account information with specific users. I was given a set of specifications which included a central repository of passwords, web interface, no 'master' password, and access control for each password entered. I really don't have the time to modify an open source package like http://w3pw.sourceforge.net/ or http://pasonda.sourceforge.net/, so I found http://www.argosytelcrest.co.uk/pwsafe/. As long as I can secure the server it runs on for internal use only, this will suffice for our needs (given the political environment and red tape I have to endure). Many will frown on applications like this, but people wouldn't be coding apps like this if there wasn't a need. Sure it may be an organizational design issue, but it's better than sending passwords through email or writing them down so the users can forget them in a restaurant, considering I have no control over the organization's design.