Ask Slashdot: Open Source Multi-User Password Management?

An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"

  1. Better than the last place I worked at by Hamsterdan · · Score: 4, Funny

    It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)

    --
    I've got better things to do tonight than die.
    1. Re:Better than the last place I worked at by jtownatpunk.net · · Score: 4, Interesting

      I once had a job where the list was kept on a printed page stored in a locked filing cabinet (no, it wasn't in the basement).

    2. Re:Better than the last place I worked at by Anonymous Coward · · Score: 4, Funny

      Was it in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?

    3. Re:Better than the last place I worked at by forkazoo · · Score: 4, Informative

      We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point. Certainly better than a plain text file on a shared drive!

      (tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)

    4. Re:Better than the last place I worked at by mortonda · · Score: 2

      And the lights were off, and the stairs were broken!

    5. Re:Better than the last place I worked at by qubezz · · Score: 4, Informative

      It sounds like the asker is in an enterprise Windows network. What you might use yourself is different from what you replace an Excel spreadsheet with on your company's network.

      I have deployed and administered Network Password Manager. A bland name for a very good Windows-only password manager. It has a real client and server, AES encryption, lets you create a tree of passwords, and access control to different parts of the tree is done with Active Directory, meaning you can let an "accountants" and/or "bookkeepers" group in your directory have read-only access to a tree "financial passwords", and a "managers" group or particular users can have modify or admin access to those passwords. This means you can just update personnel changes in Active Directory instead of having another program where you must update rights for every user. On dismissal, you can review passwords that the user had access to and reset just those apps/sites. Individual users can also have their own tree for their convenience that nobody else can access, although, if I recall, the system admin can see all passwords.

      This degree of rights control is very useful when you run several different programs on your own network with different user accounts, along with vendor account sites (ordering, financial, billing, shipping, etc.) where you have to bend to another company's account and password system, which might give your whole company only one or a few logins.

      For my own stuff, I have text files (both flat and encrypted), passworded Firefox password manager, and Blackberry Password Keeper. A $50 Blackberry (with no SIM card if you have something to hide) makes for a better password device than anything purpose-built you can buy; with encrypted disk storage, encrypted password storage, and no-touch USB backup, it is pretty secure - you can set it to wipe itself if a bad password is entered just three times, it can take different passwords to unlock the device vs getting to password keeper, you can install "decoy" password apps, and there are no biometrics that can bypass protection (showing it a picture of you, or using your removed fingers or eyeballs).

    6. Re:Better than the last place I worked at by History's+Coming+To · · Score: 4, Funny

      It's not a bad idea in principle. I have a client which has lots of outlets and each uses around 10 different logins for various services; I supply them with a printout each month and they keep it locked in a safe at head office. There's also a little encryption on it to stop casual usage (the passwords aren't the real passwords, they've been altered using an algorithm that only two company directors know).

      Of course, a filing cabinet isn't the best option, Feynman proved this by breaking into many of them at Los Alamos and leaving little notes. Instead of changing the security systems the military put out a memo saying that Prof Feynman was not to be left alone with a filing cabinet.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    7. Re:Better than the last place I worked at by Mr.+Slippery · · Score: 2

      'statistically, people who use php write horrible code from a security perspective, most of the time'.

      True. However, it's also true that statistically, people who use C++ write horrible code from a security perspective, most of the time. And people who use Perl write horrible code from a security perspective, most of the time. And people who use Java, Python, COBOL, etc., write horrible code from a security perspective -- indeed, horrible code in general -- most of the time.

      There is not now, nor will there ever be, a language in which it is difficult to write bad programs.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  2. Wallet by tskirvin · · Score: 5, Informative

    Wallet is a Kerberos-based secret management tool. It works well for me.

    1. Re:Wallet by miknix · · Score: 2

      Gringotts is a secure notes manager for Linux and other UNIX-like systems. I've been using it to store passwords for more than three years.

  3. KeePassX by Anonymous Coward · · Score: 5, Informative

    KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.

    1. Re:KeePassX by Sam+the+Nemesis · · Score: 3, Interesting

      I keep it on a USB drive.

      Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry a USB pen drive.

  4. KeePass by st0nerhat · · Score: 5, Informative
    KeePass satisfies all of your criteria:
    • Open Source: It uses an OSI-certified license.
    • Multi-user: You can throw the database on a Samba, NFS, etc. share and it will merge changes between different users that have the DB open at the same time.
    • Secure: Supports multi-factor authentication.
    • Linux-based: Works with Mono.
  5. Re:Why are you even considering this? by Anonymous Coward · · Score: 2, Funny

    Is one an offer letter for you from my firm? Because it's been rescinded...

  6. Re:GPG + Dropbox by WuphonsReach · · Score: 2

    We create separate files by service and encrypt the contents with GPG (regular old text files with ASCII armored encryption blocks).

    Dead simple, other than the GPG key management and passing around public keys. There's also the issue that every time you add someone new, you need to re-encrypt all the files (but that's a key management / PKI issue).

    Since they're regular text files, they can be emailed, printed, faxed, OCRd, stuffed in envelopes / safes, etc. We stuff ours into a version control system for simplicity.

    It's also a good method to use for personal accounts. Create 1 file per account / service and just encrypt the contents with GPG.

    --
    Wolde you bothe eate your cake, and have your cake?
  7. Password Safe by matt-fu · · Score: 4, Informative

    Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.

    1. Re:Password Safe by lewko · · Score: 4, Informative

      No real surprise. He recommends it because he designed it.

      --
      Do you or your partner snore? - Visit www.snoring.com.au
  8. VIM+OpenSSL by Anonymous Coward · · Score: 3, Interesting

    http://www.vim.org/scripts/script.php?script_id=2012

    Unlike and better than the majority of the password-saferizers out there, this keeps your passwords in a file which is both decryptable with standardized tools and in a human readable format (assuming you typed human readable usernames/passwords in the first place!)

    Ten years from now you'll still be able to decrypt your files, and you can share them with people who don't have the editor plugin.

  9. Not the author here... by jjoelc · · Score: 3, Insightful

    I'm not the author, but am also watching this thread for answers...

    I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database. Where I could set up groups and which passwords were available to a user would depend on the group they were a part of. For example, I might not mind all employees being able to look up the keys for the wireless network, but only those in the IT department having access to the admin logins for the wireless router... There are many many other examples, but hopefully you understand the gist...

    Any suggestions?

    1. Re:Not the author here... by danbeck · · Score: 2

      Look, it must be all black and white there being the printer admin of your 5 man real estate office, but out in the real world, it never, NEVER works like that.

      A short list of the billion reasons why you would need what the OP is asking for:
      • Web services that require a single primary administrative/billing account
      • Company Twitter accounts and other social media accounts
      • Networking equipment that only allows multi-user auth through RADIUS
      • admin/root passwords for: databases, servers
      • common mail accounts shared by multiple users
      • common account of any random type used by more than one person that doesn't allow multi-user access
      • Non-enterprise wireless access points
      • Proprietary commercial software that requires a primary admin account
      • Random bits of secure information that aren't necessarily a password, but need to be accessed by multiple users

      See, when you have to worry about more than out of toner messages on your HP Laserjet II, or our 5 XP laptops you connected to that AD controller, it's not all cut and dry.

  10. SFLvault by anarcat · · Score: 4, Informative

    I have been keeping an eye on this project for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

    The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

    The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...

    I have been maintaining a list of FLOSS password managers in our public wiki for a while; any suggestions not mentioned there are welcome.

    --
    Semantics is the gravity of abstraction
  11. Re:Multi-user? by Electricity+Likes+Me · · Score: 2

    KeePass 2 can be run on Mono and is multi-user for the databases - you all need the same password to decrypt the database however, but it does allow simultaneous shared access.

  12. Re:Multi-user? by Kalidor · · Score: 4, Informative

    This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of us keep our own DBs with our more accountable user IDs. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.

    As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OSes so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.

    I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increase the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.

    --

    Code softly but carry a big magnet.

  13. My password tool is completely unhackable... by JetScootr · · Score: 4, Interesting

    It's called pencil and paper. I have a notebook, and all pwds are encoded there. I have 4 simple rules for modifying what I write into what I type in. An example rule you could use is "Real pwds use only even digits; Passwords are written with all ten digits, odd digits are ignored". 2-4 simple rules will make it unhackable even for someone with physical control of passbook. (Never write down the rules - keep them in yer head).
    To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, you won't forget them.
    Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
    I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10000 tries in a text file - I'll let you know if you get it.
    This really really works - I've been doing this way since the 1980's, and haven't misplaced a properly coded pwd yet.

    --
    Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
    1. Re:My password tool is completely unhackable... by pnot · · Score: 3, Interesting

      So how does your system apply to the original question -- sharing the passwords among multiple users? Do you all copy out the relevant parts of each other's notebooks and memorize each other's rules? Or do you tell each other the unencrypted passwords and re-encrypt them individually using personal rule-sets?

    2. Re:My password tool is completely unhackable... by Cow+Jones · · Score: 2

      Yes, rules like that are not uncommon. They have their uses in environments where you can't use proper encryption. However, I can see several disadvantages to your method:

      For one, the dependency on a single physical storage medium (paper notebook) is a mixed blessing. On the one hand, it denies remote attackers the option to download a complete list of hashes, but on the other hand, it also denies you the possibility of retrieving your passwords when you don't have the notebook with you. Notebooks can also get lost or misplaced, they can be stolen, and they can burn. There's no easy way to make automatic backups of your password list.

      More relevant to your particular system is that your rules can be reverse engineered. If someone does have access to the list, they only need a few compromised accounts (or planted passwords) to decipher the rest. If they're lucky, they may get away with a single known password. A rule like "ignore all the odd digits" can easily be cracked when the attacker knows the actual password and your garbled reminder - especially when you write down which rules you applied to it.

      All in all, you're better off with a digital format and strong encryption. For passwords which are so sensitive that you can't even trust something like KeePassX (and your OS, and all the drivers on your system, etc etc) - don't write them down anywhere.

      I use KeePassX, myself. The database file is in a Subversion repository. But I have to admit that one part of my setup is completely insecure: I periodically print out a full list of passwords, put it in a sealed envelope, and place it in a relative's safe. This way, if something happens to me, they can access (and close, if necessary) all of my accounts.

      --

      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
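
The two posts above argue about the same thing: JetScootr's "odd digits are ignored" rewriting rule versus Cow Jones's point that one known password plus its written form gives the rule away. The following is an added example, not code from either poster; it models the one rule JetScootr spells out together with a handful of sibling rules constructed here (they are not his real rules 1-4), and shows that a single leaked (written, real) pair selects the rule, after which every other notebook entry decodes at once.

```python
"""Why a memorised rewriting rule on a paper password list is not encryption.

Added example. The rule names, the sibling rules and the sample passwords
are all constructed for illustration.
"""
import math
from itertools import cycle

# Candidate "rules" an attacker might consider. Each maps the written form
# to the real password. The real secret here is *which* rule was used, and
# there are only a few plausible ones.
RULES = {
    "drop_odd_digits": lambda s: "".join(
        c for c in s if not (c.isdigit() and int(c) % 2)),
    "drop_even_digits": lambda s: "".join(
        c for c in s if not (c.isdigit() and int(c) % 2 == 0)),
    "drop_all_digits": lambda s: "".join(c for c in s if not c.isdigit()),
    "drop_every_second_char": lambda s: s[::2],
    "reverse": lambda s: s[::-1],
    "swap_case": lambda s: s.swapcase(),
}


def decode(written: str, rule: str) -> str:
    """Recover the real password from its written form under a given rule."""
    return RULES[rule](written)


def encode_drop_odd_digits(real: str, noise: str = "13579") -> str:
    """Write a password down the way JetScootr describes: real passwords use
    only even digits, and odd digits are sprinkled in as noise. The amount
    of padding varies per position so the layout itself is not a giveaway."""
    if any(c.isdigit() and int(c) % 2 for c in real):
        raise ValueError("real password must not contain odd digits")
    src = cycle(noise)
    out = []
    for i, c in enumerate(real):
        out.append(c)
        for _ in range(1 + i % 2):
            out.append(next(src))
    return "".join(out)


def candidate_rules(written: str, real: str) -> list[str]:
    """Rules under which one known written form decodes to its known real
    password. This is Cow Jones's attack model: one compromised account."""
    return [name for name in RULES if decode(written, name) == real]


def decode_notebook(entries: dict[str, str], rule: str) -> dict[str, str]:
    """Once the rule is known, the whole notebook falls at once."""
    return {site: decode(w, rule) for site, w in entries.items()}


def rule_secret_bits(n_rules: int = len(RULES)) -> float:
    """Effective key length of 'which rule did I use', in bits."""
    return math.log2(n_rules)


# Constructed sample notebook: real passwords (even digits only) and their
# written forms. In the threat model the attacker holds the written forms.
REAL_PASSWORDS = {"wifi": "Rh8-Pq2", "router-admin": "Gx4k0Lm6"}
NOTEBOOK = {site: encode_drop_odd_digits(p) for site, p in REAL_PASSWORDS.items()}


if __name__ == "__main__":
    print("written forms:", NOTEBOOK)
    # Suppose only the wifi key leaks (it is handed out to visitors anyway).
    found = candidate_rules(NOTEBOOK["wifi"], REAL_PASSWORDS["wifi"])
    print("rules consistent with one leaked pair:", found)
    print("router-admin decodes to:", decode(NOTEBOOK["router-admin"], found[0]))
    print(f"rule secret is worth {rule_secret_bits():.1f} bits, vs 128+ for a real cipher key")
```

The point of `rule_secret_bits` is the comparison Cow Jones makes: the password database's strength comes from a key of a hundred-plus bits, whereas the notebook's comes from a choice among a few rules, and that choice is fixed by the first password that is ever reused, phished or reset.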
  14. Re:Delete the spreadsheet. by lewko · · Score: 5, Funny

    I love having the password on my monitor. However I didn't like the appearance of all those Post-it notes stuck to it. So instead I changed all my passwords to "Samsung".

    --
    Do you or your partner snore? - Visit www.snoring.com.au
  15. Re:Multi-user? by Anonymous Coward · · Score: 2, Informative

    This! KeePass2 on a shared drive

    You can go one better than a shared network drive by saving to a URL.
    Specifically, set up a Subversion server with WebDAV enabled. This way you can always go back to an old version if your db gets corrupted in any way. Subversion hook scripts can be used for implementing a backup plan (we use one to sync our keepass svn repo to a read-only mirror on a remote site.) The Apache LDAP auth module can be used to control access (this is on top of the actual keepass db password)

  16. Re:Delete the spreadsheet. by Prosthetic_Lips · · Score: 2

    Or the IT department gets a new shipment in, and replaces yours during the night? You'll come in and none of your passwords work. "I keep typing Vizio and it doesn't work!"

  17. Re:KeePass by Prosthetic_Lips · · Score: 2

    ... and I love the password generation capability. Especially options like "exclude lookalike characters" for when I have to look up the password on my phone.
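
The "exclude lookalike characters" option above, and the KeePassX generator mentioned earlier in the thread, both come down to drawing from a reduced alphabet with a cryptographic random source. The following is an added example, not KeePass code; the lookalike set and the default symbol list are assumptions chosen here, and `entropy_bits` shows what excluding the confusable characters actually costs.

```python
"""Password generation with a lookalike-free alphabet.

Added example, not from KeePass. Uses the `secrets` module, which draws
from the OS CSPRNG, rather than `random`.
"""
import math
import secrets
import string

# Characters easily confused on a phone screen or printout.
# This set is an assumption made here, not KeePass's own list.
LOOKALIKES = frozenset("0O1lI|")

DEFAULT_SYMBOLS = "!#$%&*+-=?@_"   # assumed default set


def build_alphabet(upper: bool = True, lower: bool = True, digits: bool = True,
                   symbols: str = DEFAULT_SYMBOLS,
                   exclude_lookalikes: bool = True) -> str:
    """Assemble the character set the generator will draw from."""
    chars = ""
    if upper:
        chars += string.ascii_uppercase
    if lower:
        chars += string.ascii_lowercase
    if digits:
        chars += string.digits
    chars += symbols
    if exclude_lookalikes:
        chars = "".join(c for c in chars if c not in LOOKALIKES)
    # Deduplicate while keeping order, in case symbols overlap other classes.
    return "".join(dict.fromkeys(chars))


def entropy_bits(length: int, alphabet: str) -> float:
    """Bits of entropy for `length` uniformly chosen characters."""
    return length * math.log2(len(alphabet))


def generate(length: int = 20, **alphabet_options) -> str:
    """Generate a password of `length` uniformly random characters."""
    alphabet = build_alphabet(**alphabet_options)
    if len(alphabet) < 2:
        raise ValueError("alphabet too small")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    full = build_alphabet(exclude_lookalikes=False)
    safe = build_alphabet()
    print("example:", generate(20))
    print(f"{len(full)} chars -> {entropy_bits(20, full):.1f} bits per 20 chars")
    print(f"{len(safe)} chars -> {entropy_bits(20, safe):.1f} bits per 20 chars")
```

Dropping the six confusable characters costs about a tenth of a bit per character, so a 20-character password loses roughly two bits; adding one more character more than pays for it. The generator deliberately does not force "at least one of each class", since that constraint slightly reduces entropy and is better handled by choosing a longer password.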

  18. Wrong question by Jawnn · · Score: 2

    If you are not using a more robust access control scheme wherever you can, you are doing it wrong. Yes, there are cases where a single user/pass must be shared, but they are probably few in your organization. For those cases, KeePass is effective, if not particularly elegant. It's certainly more secure than an Excel file.
    Do yourself a favor and investigate single sign on (SSO) solutions and work your way toward a tiered access control model.

  19. Re:Multi-user? by Dynedain · · Score: 2

    KeePass2 is Windows-only (unless you really want to deal with Mono). The original version is now forked and maintained as KeePassX with OS X and Linux builds available, along with the source.

    --
    I'm out of my mind right now, but feel free to leave a message.....