Password Storage for Fun and Profit?
adwb asks: "I work for a small company which performs network installations and support for clients in the Seattle area. We have a handful of network admins and programmers who go out to clients' offices to solve problems as needed. A problem we have been trying to deal with is the various administrator passwords for different client networks at different domain levels. It seems the easiest solution is not the most secure: just dump every client's administrator password into a text file and store it in a secure network location inside our local domain.
Can any of you experienced network admins recommend a method (either pre-built software or a custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PCs) but is secure from the outside world?"
For those of you interested in protecting your personal passwords, an answer might be found in this tidbit from jswinth, but there are issues here, too: "The Wired article about Never Forget Another Password talks about the Just1Key service allowing all your passwords to be accessible from any PC. They use an applet and encrypt the password information before it leaves the local PC. What about when you cannot trust the PC, like when using a public terminal? I would hate to have all my passwords compromised because I couldn't remember my password to my free New York Times account at the library."
Check out RoboForm. Snarfs up passwords, automatically enters them for you. Passwords can be saved to Palm, PocketPC, or USB key. Supports Firefox.
http://keepass.sourceforge.net/
The program stores your passwords in a highly encrypted database. This database consists of only one file, so it can be easily transferred from one computer to another.
KeePass supports password groups, so you can sort your passwords (for example into Windows, Internet, My Homepage, etc.). You can drag-n-drop passwords into other windows. The powerful auto-type feature will type usernames and passwords for you into other windows. The program can export the database to various formats (like TXT, HTML, XML, CSV, ...). It can also import data from various other formats (Password Safe v2 TXT files, CSV files, ...).
http://passwordsafe.sourceforge.net/
Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).
"I have a cunning plan..."
an irresistible force meets an immovable object?
Nothing, because they cannot belong to the same universe.
The same is valid for the two concepts "from any computer" and "secure from the outside world". You can't have both. "Any computer" can have keyloggers, screen capturers, mouse trackers, mind readers, whatever it takes to snatch the passwords on the way to your employee.
Plugging the USB memory to "any computer" to retrieve the passwords is also dangerous for similar reasons.
Either you have all the passwords stored on autonomous devices from which your employee can safely retrieve them (for example PDAs or some mobile phones, which have a protected "password storage" feature), or a centralized database which can only be queried by 'safe' clients.
A possible centralized solution: your employee calls a number or sends an SMS from his mobile. On the other side, a system which knows the 'trusted' mobile numbers recognizes him from the caller ID (and optionally a user password), retrieves the one password he queried for, and sends it back via SMS.
SMS messages (at least over GSM networks) are encrypted, and GSM SIM cards are quite hard (impossible) to counterfeit.
This could be easily implemented with GSM phones or GSM modem modules connected to the server, and freely available SMS handling tools.
Password Gorilla http://www.fpx.de/fp/Software/Gorilla/ is an open-source app that works on Mac, Windows and Linux and is compatible with Password Safe's database.
Apple's Keychain Access is pretty nice to store and manage passwords, secure notes, and certificates. :)
I use it very often to store notes; it beats Stickies IMHO and is easier to back up as well.
It's possible to create a Shared Keychain as well. Then all users on the machine can access that keychain if they know its password.
I think most of Keychain Access is open source (correct me if I'm wrong!): http://darwinsource.opendarwin.org/10.4/libsecurity_keychain-78/lib/
So any takers on making keychains crossplatform? (I hope there are ;)
I wholeheartedly suggest the use of Ked Password Manager. It has both a graphical and a command-line interface. You can therefore keep the paradigm of using it from the network: just ssh in to your server and run kedpm (instead of catting the password). The files are encrypted with Blowfish to a single password. The database is compatible with Figaro's Password Manager. kedpm is in Python and, properly packaged, will run on darn-near anything, including a USB thumbdrive if you want to take your passwords with you.