Slashdot Mirror


Ask Slashdot: Open Source Multi-User Password Management?

An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' Excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"

19 of 198 comments

  1. Better than the last place I worked at by Hamsterdan · · Score: 4, Funny

    It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)

    --
    I've got better things to do tonight than die.
    1. Re:Better than the last place I worked at by jtownatpunk.net · · Score: 4, Interesting

      I once had a job where the list was kept on a printed page stored in a locked filing cabinet (no, it wasn't in the basement).

    2. Re:Better than the last place I worked at by Anonymous Coward · · Score: 4, Funny

      Was it in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?

    3. Re:Better than the last place I worked at by forkazoo · · Score: 4, Informative

      We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point. Certainly better than a plain text file on a shared drive!

      (tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)

    4. Re:Better than the last place I worked at by qubezz · · Score: 4, Informative

      It sounds like the asker is in an enterprise Windows network. What you might use yourself is different from what you replace an Excel spreadsheet with on your company's network.

      I have deployed and administered Network Password Manager. A bland name for a very good Windows-only password manager. It has a real client and server, AES encryption, lets you create a tree of passwords, and access control to different parts of the tree is done with Active Directory, meaning you can let an "accountants" and/or "bookkeepers" group in your directory have read-only access to a tree "financial passwords", and a "managers" group or particular users can have modify or admin access to those passwords. This means you can just update personnel changes in Active Directory instead of having another program where you must update rights for every user. On dismissal, you can review passwords that the user had access to and reset just those apps/sites. Individual users can also have their own tree for their convenience that nobody else can access, although if I recall, the system admin can see all passwords.

      This degree of rights control is very useful when you run several different programs on your own network with different user accounts, along with vendor account sites (ordering, financial, billing, shipping, etc.) where you have to bend to another company's account and password system, which might give your whole company only one or a few logins.

      For my own stuff, I have text files (both flat and encrypted), passworded Firefox password manager, and Blackberry Password Keeper. A $50 Blackberry (with no SIM card if you have something to hide) makes for a better password device than anything purpose-built you can buy; with encrypted disk storage, encrypted password storage, and no-touch USB backup, it is pretty secure - you can set it to wipe itself if a bad password is entered just three times, it can take different passwords to unlock the device vs getting to password keeper, you can install "decoy" password apps, and there are no biometrics that can bypass protection (showing it a picture of you, or using your removed fingers or eyeballs).

    5. Re:Better than the last place I worked at by History's+Coming+To · · Score: 4, Funny

      It's not a bad idea in principle, I have a client which has lots of outlets and each uses around 10 different logins for various services, I supply them with a printout each month and they keep it locked in a safe at head office. There's also a little encryption on it to stop casual usage (the passwords aren't the real passwords, they've been altered using an algorithm that only two company directors know).

      Of course, a filing cabinet isn't the best option, Feynman proved this by breaking into many of them at Los Alamos and leaving little notes. Instead of changing the security systems the military put out a memo saying that Prof Feynman was not to be left alone with a filing cabinet.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  2. Wallet by tskirvin · · Score: 5, Informative

    Wallet is a Kerberos-based secret management tool. It works well for me.

  3. KeePassX by Anonymous Coward · · Score: 5, Informative

    KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.

    1. Re:KeePassX by Sam+the+Nemesis · · Score: 3, Interesting

      I keep it on a USB drive.

      Better still, I keep my DB on Dropbox, so it is available anywhere I go - no need to carry USB pen drive.

  4. KeePass by st0nerhat · · Score: 5, Informative

    KeePass satisfies all of your criteria:
    • Open Source: It uses an OSI-certified license.
    • Multi-user: You can throw the database on a Samba, NFS, etc. share and it will merge changes between different users that have the DB open at the same time.
    • Secure: Supports multi-factor authentication.
    • Linux-based: Works with Mono.

  5. Password Safe by matt-fu · · Score: 4, Informative

    Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.

    1. Re:Password Safe by lewko · · Score: 4, Informative

      No real surprise. He recommends it because he designed it.

      --
      Do you or your partner snore? - Visit www.snoring.com.au
  6. VIM+OpenSSL by Anonymous Coward · · Score: 3, Interesting

    http://www.vim.org/scripts/script.php?script_id=2012

    Unlike and better than the majority of the password-saferizers out
    there, this keeps your passwords in a file which is both decryptable
    with standardized tools and in a human readable format (assuming
    you typed human readable usernames/passwords in the first place!)

    Ten years from now you'll still be able to decrypt your files, and you
    can share them with people who don't have the editor plugin.

  7. Not the author here... by jjoelc · · Score: 3, Insightful

    I'm not the author, but am also watching this thread for answers...

    I'd love to find something truly multi-user... Multi user in the sense that not every user would have access to all of the passwords stored in the database. Where I could set up groups and which passwords were available to a user would depend on the group they were a part of. For example, I might not mind all employees being able to look up the keys for the wireless network, but only those in the IT department having access to the admin logins for the wireless router... There are many many other examples, but hopefully you understand the gist...

    Any suggestions?
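
Added example (not part of any comment in this thread, and not code from Network Password Manager or any other tool named here): a minimal sketch of the group-scoped access jjoelc asks for and qubezz describes, where rights hang on directory groups per folder and a departing user's readable entries can be listed for reset. The `Folder` model, the rule that a subfolder's own ACL replaces the inherited one, and all group names and vault contents are constructed assumptions.

```python
from dataclasses import dataclass, field

LEVELS = {"read": 1, "modify": 2, "admin": 3}

@dataclass
class Folder:
    name: str
    acl: dict = field(default_factory=dict)       # group -> level; empty means inherit
    entries: list = field(default_factory=list)   # credential names only, no secrets here
    children: list = field(default_factory=list)

def walk(folder, groups, need, inherited=None, path=""):
    """Yield the path of every entry that `groups` can reach at level `need`."""
    # A folder with its own ACL overrides its parent's; with neither, access is denied.
    acl = folder.acl or inherited or {}
    path = f"{path}/{folder.name}"
    held = max((LEVELS[lvl] for grp, lvl in acl.items() if grp in groups), default=0)
    if held >= LEVELS[need]:
        for entry in folder.entries:
            yield f"{path}/{entry}"
    for child in folder.children:
        yield from walk(child, groups, need, acl, path)

def accessible(root, groups, need="read"):
    return sorted(walk(root, set(groups), need))

def rotation_list(root, directory, user):
    """Entries a departing user could read, i.e. the credentials to reset."""
    return accessible(root, directory.get(user, ()), "read")

# Constructed sample data: group membership lives in the directory, not in the vault.
DIRECTORY = {
    "alice": {"staff", "it"},
    "bob": {"staff", "accountants"},
    "carol": {"staff", "managers"},
}
VAULT = Folder("vault", children=[
    Folder("network", acl={"staff": "read", "it": "admin"}, entries=["wifi-key"],
           children=[Folder("appliances", acl={"it": "admin"}, entries=["router-admin"])]),
    Folder("financial", acl={"accountants": "read", "managers": "modify"},
           entries=["bank-portal"],
           children=[Folder("vendors", entries=["shipping-site"])]),  # inherits ACL
])

if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, rotation_list(VAULT, DIRECTORY, user))
```

Because membership is resolved at query time, removing a user from a group in the directory changes what they can reach without touching the vault's ACLs.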

  8. SFLvault by anarcat · · Score: 4, Informative

    I have been keeping an eye on this project for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

    The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

    The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...

    I have been maintaining a list of FLOSS password managers in our public wiki for a while, any suggestions not mentioned there are welcome.

    --
    Semantics is the gravity of abstraction
  9. Re:Multi-user? by Kalidor · · Score: 4, Informative

    This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of us keep our own DB's with our more accountable user id's. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.

    As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OS's so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.

    I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increase the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.

    --
    Code softly but carry a big magnet.

  10. My password tool is completely unhackable... by JetScootr · · Score: 4, Interesting

    It's called pencil and paper. I have a notebook, and all pwds are encoded there. I have 4 simple rules for modifying what I write into what I type in. An example rule you could use is "Real pwds use only even digits; Passwords are written with all ten digits, odd digits are ignored". 2-4 simple rules will make it unhackable even for someone with physical control of passbook. (Never write down the rules - keep them in yer head).
    To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, you won't forget them.
    Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
    I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10000 tries in a text file - I'll let you know if you get it.
    This really really works - I've been doing this way since the 1980's, and haven't misplaced a properly coded pwd yet.

    --
    Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
    1. Re:My password tool is completely unhackable... by pnot · · Score: 3, Interesting

      So how does your system apply to the original question -- sharing the passwords among multiple users? Do you all copy out the relevant parts of each other's notebooks and memorize each other's rules? Or do you tell each other the unencrypted passwords and re-encrypt them individually using personal rule-sets?

  11. Re:Delete the spreadsheet. by lewko · · Score: 5, Funny

    I love having the password on my monitor. However I didn't like the appearance of all those Post-it notes stuck to it. So instead I changed all my passwords to "Samsung".

    --
    Do you or your partner snore? - Visit www.snoring.com.au