Ask Slashdot: Open Source Multi-User Password Management?
An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"
I've been using passpack.com. It's been okay, although I'm looking for something cheaper for the value.
lol
It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)
I've got better things to do tonight than die.
Wallet is a Kerberos-based secret management tool. It works well for me.
KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.
I use post it notes - taped to my monitor. I just got tired of all my coworkers asking me for the passwords.
KeePassX in a Dropbox (or some similar sharing) folder works great. More secure encryption than Excel and better for the purpose.
I've used TeamPass (site here) for a few months now. It works well enough. It's at least as secure as an Excel sheet. It is however web based, so make sure to lock it down appropriately...
http://keepass.info/ light-weight and easy-to-use password manager.
KeePass?
Works on Windows, Linux, OSX, iPhone, Android, and more.
You can even store the password database on the cloud if you wanted...
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
Go to your desk drawer. Inside there will be 3 numbered envelopes...
KeePass: nice encryption, multiple password inputs, and key-to-text encrypted keys which can be stored offline. It will do and is free, but is it good? I have not done any penetration testing against the DB or the keys, but as you know anything can be broken given time or a good graphics card :)
I've always found KeePass to work well. It's open source and it integrates with Remote Desktop Manager too if you need it.
At work, we use gpg to encrypt our password file for specific recipients, and place that file in a Dropbox share. On occasion, we'll generate a snippet of the file and encrypt it for a specific user (junior admin) and place it in the same location.
Arbitrary complexity is often contrary to trustable security. If you really trust your encryption scheme, then it shouldn't matter where you store it (windows share).
all your passwords and I'll keep them safe for you. Just email me when you need them and I'll get them right out to you! I might need to share a few with some third parties and my buddy who goes by BOFH
I'm using the pwsafe command line program with a single master password shared among my team.
We'll take care of it for you.
You can use notepad...
While it's not linux based, or open source, or free, we use Passwordstate (http://www.clickstudios.com.au/) and it's wonderful. It's got a ton of features including auditing and an emergency access password in case you're down completely and need to unlock passwords to restart your systems. I highly recommend it.
My colleagues and I had the same problem at work. We used a spreadsheet and stored it in an access restricted file share. We switched to KeePass and keep the password database file in our IT file share. It's worked out better since it lets you keep notes and metadata with the password entry and has a great password generator. We only have to remember a master password and we can get in to see all of our passwords for our infrastructure.
It's free and cross platform (win, mac, linux).
Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.
We use phpchain at work. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point.
http://www.webpasswordsafe.net is open source and multi-platform... "Web-based, multi-user, secure password safe/manager with delegated access controls"
http://tiddlywiki.com/ http://remotely-helpful.com/TiddlyWiki/TiddlerEncryptionPlugin.html The TiddlyWiki is a wiki that runs in a single HTML file using JavaScript, where each 'page' is called a 'tiddler'. The encryption plugin allows you to apply a password to an individual tiddler or group of tiddlers. You can make the TiddlyWiki public; they can see all the unencrypted tiddlers but only read the ones for which you have supplied the passwords.
...Lyall
KeePassx - widely available and has a nice auto fill feature in the Linux version.
We use w3pw. It's outdated and it throws some warnings with the latest versions of PHP. We had an in-house PHP-knowledgeable guy who fixed the 4 lines of code that threw warnings. I wrapped the w3pw program inside an LDAP auth statement on Apache, so you have to have valid LDAP credentials (like require-group it-admins etc.) and then the shared password for the w3pw program. The MySQL DB is encrypted and the implementation is sound. You cannot change the master password after setting it because it is the encryption key. That's why I put it behind LDAP auth.
There isn't really anything open source that I know of that is good at multi-user password management. I've seen enterprise appliances that offer this, but those are upwards of $10,000 for a glorified 1U rack PC with locking bolts.
The best way I'd go about this is have the two top security guys in the firm build a Linux or BSD box with whole disk encryption that is locked away somewhere.
As an alternative to Linux, one could use Windows and BitLocker, then VMware Server or Workstation. This provides protection from physical attack, although nothing is 100%.
This box would have multiple VMs on it for isolation.
One VM would have a RDBMS which can encrypt tables/rows/columns that can be backed up somehow, with the keys obviously stored well away. This would allow for database backups without compromising the stored passwords.
The second one would have the backend web application and Web server, each running in different security contexts, so an Apache compromise won't get much.
As for authentication, that exercise is left to the reader. Username and password over SSL is the minimum.
Neither of these are open-source or Linux-based, but... Cyber-Ark is the most secure solution I've come across: multi-factor authentication, as well as presenting passwords through a portal rather than granting access to the password file itself. Citrix had a similar solution, Citrix Password Manager, but I believe it is now EOL. For it to provide any real level of security the database needs to be abstracted from the users, otherwise it can easily be copied offline and brute forced. "Use a secure password" you say? Of course, but where do you record this 128-bit randomised password?
http://www.vim.org/scripts/script.php?script_id=2012
Unlike and better than the majority of the password-saferizers out there, this keeps your passwords in a file which is both decryptable with standardized tools and in a human readable format (assuming you typed human readable usernames/passwords in the first place!). Ten years from now you'll still be able to decrypt your files, and you can share them with people who don't have the editor plugin.
I'm not the author, but am also watching this thread for answers...
I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database. Where I could set up groups and which passwords were available to a user would depend on the group they were a part of. For example, I might not mind all employees being able to look up the keys for the wireless network, but only those in the IT department having access to the admin logins for the wireless router... There are many many other examples, but hopefully you understand the gist...
Any suggestions?
You can look at Corporate Vault - http://sourceforge.net/projects/corporatevault/
It's web based and you can create various groups with different levels of access.
Are you searching for bugs to exploit?
I have been keeping an eye on this project for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."
The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.
The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...
I have been maintaining a list of FLOSS password managers in our public wiki for a while; any suggestions not mentioned there are welcome.
Semantics is the gravity of abstraction
Is it multi-user however?
Really? Just searching online for the submission's title brings up results and reviews. If you go past the first page of Google's search results you get even more good (even better?) hits.
Password Safe. Works for multiple users from a CIFS share.
Whatever you use, you will have to acknowledge that a single point of failure makes any secure password management system dangerous. At least, an excel file or notepad will add an attack vector to the host. You need to set up a reliable encryption scheme between each user and the host. You should write down your requirements more precisely. I am going to assume each user has access to different set of passwords.
Firstly, each user will have a key/password and will have access to the resources.
Secondly, the files on the host system SHOULD be encrypted, and sent encrypted to the final destination.
Thirdly, you will have to figure out how to get users to decrypt them, and moreover, you should teach them safe practices as deleting the files securely when they shutdown or leave their computers without surveillance AND keeping the decryption key somewhere safe (with them on a USB stick for instance).
Fourthly, the file in itself should be in an easy format to manage/look up. Excel kind of sucks; I used it for 6 months with more than 200 servers and clients, and it was OK but a pain in the ass, especially when reinstalling hosts, changing IPs and passwords.
It is trivial to achieve this, but it requires putting many pieces together, if you outsource this and want to find a single application, you may bring up potential vectors, and you will lose control over this system. You need to /trust/ the writers of the application to not make any mistake and be trustworthy.
Depending on the environment you are working in, this may or may not be acceptable. Very reliable pieces of software can help you achieve this all-in-one solution yourself and let users view your password file in a secure and convenient way. I think you can get it done in one week, putting pieces together with:
- OpenSSH + public key based authentication
- PGP to encrypt files
- a database as a file (sqlite), or an archive of a repository containing the DB if you need to track down changes
- a Python GUI and/or text application to easily dig through the database; it will handle upload and deletion of the file and will not write anything to disk
There are still risks though:
- Where do people keep their keys (SSH + PGP)? on a stick? then it all boils down to the security of the stick.
- Network failure => no passwords; people might then want to get the DB locally. Leak the PGP key and you're owned (workstations are not assumed to be secure in most places).
Most measures are needed because basic security concepts are not respected; you need to enforce them or the company is doomed. Secure each workstation and educate everyone about basic security. Make them sign an agreement which specifies how they handle sensitive data. Then and only then can you distribute the DB locally and not encrypted.
In most places you will find many restrictions and will not be able to implement a very secure system, and higher-ups will always ignore the worst case scenario. Enforce restrictions and make it usable; the more restrictions you need to enforce, the more you should strive to make your solution all-in-one. But it's not one size fits all; it's a challenge and everyday work to design, implement and monitor security systems.
Have a look at Clipperz, more specifically their community edition. Client side encryption in JavaScript using standard security algorithms, which you can also send over SSL if you want.
http://keepass.info/
GPG allows everyone to have their own key, and when you encrypt a file you can encrypt it for everyone on your public key chain. So you could just use that to encrypt the Excel file everyone's comfortable with.
I wrote a web based password manager that might interest you.
It's cheap and you get all the source code on purchase.
http://codecanyon.net/item/password-manager/2145518?ref=michaeldale (includes my referrer link, but you can just delete the ref= part if you wish).
I have a demo version online here: http://www.onlinecompanyportal.com/mrp/
It does categories, multi user, active directory integration and lots more.
Easier than remembering a million passwords is a good implementation of single sign-on, so you only need one set of credentials. Software/appliance manufacturers really need to get behind this idea, and users need to start demanding it.
An office document or text file stored in an encrypted TrueCrypt file works for me.
I use a text file encrypted with 2048-bit encryption, saved to a Gmail account.
It's called pencil and paper. I have a notebook, and all pwds are encoded there. I have 4 simple rules for modifying what I write into what I type in. An example rule you could use is "Real pwds use only even digits; Passwords are written with all ten digits, odd digits are ignored". 2-4 simple rules will make it unhackable even for someone with physical control of passbook. (Never write down the rules - keep them in yer head).
To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, you won't forget them.
Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10000 tries in a text file - I'll let you know if you get it.
This really really works - I've been doing this way since the 1980's, and haven't misplaced a properly coded pwd yet.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
I may be a bit OCD about passwords and security - 30 years USAF and NASA have bent my brain a bit. Typing in pwds a lot doesn't bug me cuz I know my pwd mgt tool is safe because it's out of reach of hackers.
I've checked out and briefly used Mortimer ( https://github.com/aiaio/mortimer ) before and it seems a decent tool.
"mortimer is a password storage application that supports multiple users and basic permissions. The app relies on public key cryptography to facilitate a multi-user password system whose data remains secure even if the database is compromised. Admin users have permission to all password entries on the system. Users may be given permission on a password-group basis."
What's "insecure" about an Excel spreadsheet?
If you're already running Windows, edit the file > Properties, click Advanced, "Encrypt" the file on the file server using Windows EFS.
Add the list of authorized users' certificates so only authorized users can decrypt the file.
Make sure to set up an EFS recovery certificate, export that, and back it up somewhere.
https://github.com/aiaio/mortimer
The password sharing functionality looks really interesting. I gave it a spin a few months back, but it had an annoying bug at the time (move a password out of a folder to the root level and it can disappear from the UI). I'm guessing a competent Ruby dev with a few spare hours could fork it on GitHub, fix it up and make it work real nice.
More information about it here:
http://www.alexanderinteractive.com/blog/2009/02/mortimer-a-rails-password-manager/
http://www.alexanderinteractive.com/blog/2009/08/mortimer-password-manager-redesigned-v1-2/
It's GNU/Linux dammit!
Just write it down and store it in a filing cabinet. If you need it more than one place, xerox and take it home.
Seriously a little typing won't hurt.
Hi, hello JetScootr, have you even heard about KeePass? It is a protected program that can save your passwords in a protected database. For Windows, Linux or Mac, take a look at KeePass.
I'd recommend TeamPass http://www.teampass.net/ or Clipperz community edition http://www.clipperz.com/open_source/clipperz_community_edition
Open source? Check. Multi-user? Check. Secure? Only as secure as the box it's on, and the boxes that people use to access it, just like everything else. Linux based? Check.
Gnupg and a flat text file.
I know it's browser based, but http://lastpass.com/ works on Mac, Windows and Linux along with virtually every tablet/phone OS. You can set up multiple users with multi-factor authentication, i.e. YubiKey, print-out grid, etc. It's free, and your passwords are encrypted before being uploaded to the site, so only you and the people you share the password with would know it, not LastPass. You can also access the passwords if you are disconnected from the net for a time.
Try YAPET: http://www.guengel.ch/myapps/yapet/index.shtml
It runs in a terminal, and can thus be easily accessed via ssh. And it supports different password files. The encryption provided may be good enough for your needs.
Mod parent up. +5 Hysterical
KeePass is an excellent open source password safe (AES-256 encrypted, with the ability to customize the number of rounds), with a few alternatives to the original version. One of them is a Java based web service, Web KeePass, that includes the ability to share passwords with other people.
The interface itself for Web KeePass is like from the 90s, but otherwise it's pretty decent if you need access to your passwords from online, or need a lot of simultaneous access.
Otherwise, KeePass or KeePassX and several password databases is a good way to go.
Example usage for KeePass:
- For every project/server/zone/whatever that you want to secure separately so only specific people have access to it, create a new password database with a strong random-generated password
- For every group you might want to give access to several password databases secured with strong random-generated passwords, create another password database with the password to the project-specific databases (only if you have a whole lot of them)
- For every user, create a personal password database secured with their own personal password, that would only contain the passwords to the group/project databases they need access to.
Well if we're talking about personal passwords, then can I recommend an ancient Rex6000 for that?
http://en.wikipedia.org/wiki/REX_6000
It's offline so can't be hacked, but you need to make some small mods: you open it, cut the PCMCIA lines so it can't be plugged into the dock anymore, then epoxy the case closed so it can't be opened. You then have a passkey protected notepad to store all your passwords in.
These things last 6-12 months on two tiny batteries, everything is stored in flash so no problem changing the batteries. The pin protect feature lets you protect it with an 8 digit number that needs to be entered to unlock it. And it's so slow at entering the code that it's essentially unhackable (about 5 seconds per try, so about 7 years to go through half the code numbers by brute force).
For backup, I photographed its screen and TrueCrypted the JPGs onto a flash key in the company safe. So I have a backup even if it gets stolen.
It's no longer made, but I bet there's a market for these things so perhaps someone will make them again, or something like them.
I have a smartphone and don't trust it with my important data. My smartphone came with a Facebook app installed on it, so naturally that means I can't trust the phone for privacy, and it was no surprise that the Facebook app grabbed all the contact data of every smartphone. Remember Carrier IQ? I can't trust the phone because I don't trust Carrier IQ, and as long as phones come with it installed, I cannot be sure it isn't installed on mine.
Brain 2.0. So open source and of course cross-platform ^-^
ManageEngine Password Manager. It is a true multi-user password management program. The server can run on Windows or Linux. It does scheduled changes of passwords, can verify the passwords are valid and has reports that shut up auditors!
1. Paper based (not printed), locked in a cabinet works when:
- few people close to each other need access
- the keys are not accessed often (basically in case of emergency/reinstall/recovery only)
- key length is an issue (typing a full page of characters is error prone)
2. Shared file
- works for many people (see locking below)
- works for people sitting in remote offices or on the other side of the world
- security is as strong as access policy is:
* free access to encrypted file means offline brute force attack is possible, security is as strong as the encryption algorithm + key length gives you
* limited access makes brute forcing of credentials hard, security is as strong as account policy is (user name/password length, number of tries before locking account)
- many people modifying the file simultaneously raises the issue of locking
* use 1 file per resource, reduces the collision possibility
* revision control allows locking
* editor application locking (everybody should use the same editor, sometimes needs cleaning up of logs)
So these are your basic possibilities, depending on the amount of people needing access to the keys and where they are. Discussions about some specific software application are basically irrelevant, since encrypting applications are as strong as the PASS PHRASE used to access the keys used for encryption/decryption, meaning that a network drive with strong access and account policy + Notepad is as good as Kerberos/KeePass, GPG or any other encrypting application (ignoring the requirement for file locking).
You may try SHA1_Pass. It runs on Linux, Windows and Macs. It generates passwords based on user input. It does not store passwords. It's open-source and the passwords it generates can be generated with OpenSSL and other Crypto libraries too, so there's no lock-in. http://16s.us/sha1_pass/why/
KeePass
http://sourceforge.net/projects/keepass/
Good program. Easy.
If you are not using a more robust access control scheme wherever you can, you are doing it wrong. Yes, there are cases where a single user/pass must be shared, but they are probably few in your organization. For those cases, KeePass is effective, if not particularly elegant. It's certainly more secure than an Excel file.
Do yourself a favor and investigate single sign on (SSO) solutions and work your way toward a tiered access control model.
Assuming you're asking for Linux-based implies a certain level of tech-savvy: Passworded network share with a gpg encoded text file.
It's free, open source (GNU), widely available as a standard package on most platforms, etc. You create a password file, encrypt it with gpg, then sign it with each user's key that should have access to it (requires all users to have proper gpg keys set up). When someone leaves, you revoke their key from the file and they can no longer get to it, without having to do much else. If that's too complicated, just do a basic crypt (gpg -c) and share that password around. Then if someone leaves, just decrypt and re-encrypt with a new password.
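An added, runnable version of the multi-recipient gpg workflow described above (example script written for this thread, not the poster's own): two constructed users get throwaway keys in their own GNUPGHOMEs, the file is encrypted to both, then re-encrypted to only the remaining user when one leaves. It assumes gpg 2.x is on the PATH; all names and the password line are constructed sample values.

```shell
#!/bin/sh
# Everything happens under a temporary directory: no real keyring is touched.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demo"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/team"          # the "admin" keyring holding everyone's public key
mkdir -m 700 "$GNUPGHOME"
# Quiet, non-interactive gpg; loopback pinentry so no prompt can appear.
GPG="gpg --batch --yes --quiet --pinentry-mode loopback"

cleanup() {
    for h in "$WORK"/*; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

user_home() { echo "$WORK/home-$1"; }

# Create a constructed user's personal keyring (no passphrase: demo only)
# and hand the public key to the team keyring.
make_user() {
    h=$(user_home "$1"); mkdir -m 700 "$h"
    GNUPGHOME="$h" $GPG --passphrase '' --quick-gen-key "$1 <$1@example.invalid>" default default never
    GNUPGHOME="$h" $GPG --export "$1@example.invalid" | $GPG --import
}

# encrypt_for FILE USER... : writes FILE.gpg readable by every listed user.
encrypt_for() {
    src=$1; shift
    args=""
    for r in "$@"; do args="$args -r $r@example.invalid"; done
    # shellcheck disable=SC2086
    $GPG --trust-model always $args -o "$src.gpg" -e "$src"
}

# reencrypt_for CIPHERTEXT USER REMAINING... : USER decrypts, then the file is
# re-encrypted for REMAINING only (the "someone leaves" step from the post).
reencrypt_for() {
    ct=$1; who=$2; shift 2
    tmp="$WORK/plain.$$"
    GNUPGHOME=$(user_home "$who") $GPG -o "$tmp" -d "$ct"
    encrypt_for "$tmp" "$@"
    mv "$tmp.gpg" "$ct"; rm -f "$tmp"
}

# can_decrypt USER CIPHERTEXT : succeeds only if USER's private key can open it.
can_decrypt() { GNUPGHOME=$(user_home "$1") $GPG -d "$2" >/dev/null 2>&1; }
read_secret() { GNUPGHOME=$(user_home "$1") $GPG -d "$2" 2>/dev/null; }

make_user alice
make_user bob

SECRET_LINE='router-admin: constructed-sample-password'
printf '%s\n' "$SECRET_LINE" > "$WORK/passwords.txt"
encrypt_for "$WORK/passwords.txt" alice bob
CT="$WORK/passwords.txt.gpg"
rm "$WORK/passwords.txt"               # only the ciphertext goes on the share

can_decrypt bob "$CT" && echo "bob can read the shared file"
reencrypt_for "$CT" alice alice        # bob leaves: alice re-encrypts for alice only
can_decrypt bob "$CT" || echo "bob can no longer read it"
```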
Support TBI Research: http://www.raisinhope.org
Clever. I was all ready to send you all my credentials when I noticed you spelled Maryam Abacha's name wrong...
Passpack is the answer
http://www.passpack.com/
A lab book stored in a company safe.
Good comment until you said "military grade encryption". There is no such thing, and that term is typically used by those who aren't very knowledgeable about security. Unfortunately this forces me to discount your opinion on the matter. KeePass2 may very well be a good solution for the problem at hand, but I'm going to need to find some other evidence for that, because whenever someone mentions "military grade encryption" I run away as fast as possible.
Password Gorilla is what I chose, after comparing *lots* of password managers. I wanted a file manager that would be:
- free & open source
- offline (--> exit LastPass)
- cross platform (I looked at Linux, OSX, Windows and Android, cause that is what my family uses)
- not dependent on Mono (--> exit KeePass)
Password Gorilla stores passwords in an encrypted file: the password database. Every user has his own file(s). I have a copy of my file on my smartphone; I sync the files regularly. Read all about it and get it here: https://github.com/zdia/gorilla/wiki/ I like it, it does what I want, but to be honest the GUI looks a bit simple and the syncing of files (across, in my case, 2 PCs and a phone) is not automated, although you could write a script for that. It lacks the slick interface of some other password managers.
I use a card from http://www.passwordcard.org/
Printed it out, laminated it with tape, and keep it in my wallet which is with me at all times. It's extremely handy and needs no internet access to use.
You're nothing; like me.
We use KeePass on a CIFS share. It locks the password file when multiple people have it open, so you don't have write problems.
You can also put the file up on a LAMP style website with Web-Keepass.
http://goryachev.com/password-safe.html
Programs compatible with KeePassX (or ports of KeePassX) exist for pretty much everything: Windows, MacOS, Linux, BSD, Android, iOS but they often have slightly different names (e.g. the program I use on iOS is KyPass) which makes it seem less available than it is.
Python and m2crypto. I have it coupled with pexpect to do auto login and commands on multiple machines. Saves me a ton of time from having to look in the excel sheet.
ccrypt passwords.txt
Done.
Personally I recommend an insanely long master password somewhere on paper, in a safe.
And each admin has their own password.
I switched to Clipperz a few years ago and love it.
http://www.clipperz.com/open_source/clipperz_community_edition
Have gone through nigh on every password manager over past couple of years, KeePass, Lastpass, Passpack, Roboform. All pretty good at giving you access to your passwords. I'm currently using my1login which I quite like for its security and mobility.
We just recently tackled the same question for group password management.
We settled on TeamPass. http://www.teampass.net/ It satisfied all of our requirements (including integration with AD and logging of who accesses what and when).
It's under active development, although it appears to be just one individual doing the development.
It costs and requires Windows + IIS + MSSQL Server (Express), but I haven't found any real equivalent on the open source side. http://www.thycotic.com/ But then you need only a browser to access it. It's perfect for a scenario where you have a team of admins etc. who need to share tons of passwords with each other.