Ask Slashdot: Open Source Multi-User Password Management?

An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"

  1. Better than the last place I worked at by Hamsterdan · · Score: 4, Funny

    It was all done on a network drive in Notepad. (Ironic thing is it was a security-related department)

    --
    I've got better things to do tonight than die.
    1. Re:Better than the last place I worked at by jtownatpunk.net · · Score: 4, Interesting

      I once had a job where the list was kept on a printed page stored in a locked filing cabinet (no, it wasn't in the basement).

    2. Re:Better than the last place I worked at by Anonymous Coward · · Score: 4, Funny

      Was it in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?

    3. Re:Better than the last place I worked at by forkazoo · · Score: 4, Informative

      We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point. Certainly better than a plain text file on a shared drive!

      (tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)

    4. Re:Better than the last place I worked at by qubezz · · Score: 4, Informative

      It sounds like the asker is in an enterprise windows network. What you might use yourself is different from what you replace an Excel spreadsheet with on your company's network.

      I have deployed and administered Network Password Manager. A bland name for a very good Windows-only password manager. It has a real client and server, AES encryption, lets you create a tree of passwords, and access control to different parts of the tree is done with Active Directory, meaning you can let an "accountants" and/or "bookkeepers" group in your directory have read-only access to a tree "financial passwords", and a "managers" group or particular users can have modify or admin access to those passwords. This means you can just update personnel changes in Active Directory instead of having another program where you must update rights for every user. On dismissal, you can review passwords that the user had access to and reset just those apps/sites. Individual users can also have their own tree for their convenience that nobody else can access, although if I recall, the system admin can see all passwords.

      This degree of rights control is very useful when you run several different programs on your own network with different user accounts, along with vendor account sites (ordering, financial, billing, shipping, etc.) where you have to bend to another company's account and password system, which might give your whole company only one or a few logins.

      For my own stuff, I have text files (both flat and encrypted), passworded Firefox password manager, and Blackberry Password Keeper. A $50 Blackberry (with no SIM card if you have something to hide) makes for a better password device than anything purpose-built you can buy; with encrypted disk storage, encrypted password storage, and no-touch USB backup, it is pretty secure - you can set it to wipe itself if a bad password is entered just three times, it can take different passwords to unlock the device vs getting to password keeper, you can install "decoy" password apps, and there are no biometrics that can bypass protection (showing it a picture of you, or using your removed fingers or eyeballs).

    5. Re:Better than the last place I worked at by History's+Coming+To · · Score: 4, Funny

      It's not a bad idea in principle. I have a client which has lots of outlets and each uses around 10 different logins for various services; I supply them with a printout each month and they keep it locked in a safe at head office. There's also a little encryption on it to stop casual usage (the passwords aren't the real passwords, they've been altered using an algorithm that only two company directors know).

      Of course, a filing cabinet isn't the best option, Feynman proved this by breaking into many of them at Los Alamos and leaving little notes. Instead of changing the security systems the military put out a memo saying that Prof Feynman was not to be left alone with a filing cabinet.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  2. Wallet by tskirvin · · Score: 5, Informative

    Wallet is a Kerberos-based secret management tool. It works well for me.

  3. KeePassX by Anonymous Coward · · Score: 5, Informative

    KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.

  4. KeePass by st0nerhat · · Score: 5, Informative

    KeePass satisfies all of your criteria:
    • Open Source: It uses an OSI-certified license.
    • Multi-user: You can throw the database on a Samba, NFS, etc. share and it will merge changes between different users that have the DB open at the same time.
    • Secure: Supports multi-factor authentication.
    • Linux-based: Works with Mono.

  5. Password Safe by matt-fu · · Score: 4, Informative

    Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml
    The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.

    1. Re:Password Safe by lewko · · Score: 4, Informative

      No real surprise. He recommends it because he designed it.

      --
      Do you or your partner snore? - Visit www.snoring.com.au
  6. SFLvault by anarcat · · Score: 4, Informative

    I have been keeping an eye on this project for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

    The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

    The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...

    I have been maintaining a list of FLOSS password managers in our public wiki for a while; any suggestions not mentioned there are welcome.

    --
    Semantics is the gravity of abstraction
  7. Re:Multi-user? by Kalidor · · Score: 4, Informative

    This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of us keep our own DBs with our more accountable user IDs. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.

    As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OSes so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.

    I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increase the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.

    --
    Code softly but carry a big magnet.

  8. My password tool is completely unhackable... by JetScootr · · Score: 4, Interesting

    It's called pencil and paper. I have a notebook, and all pwds are encoded there. I have 4 simple rules for modifying what I write into what I type in. An example rule you could use is "Real pwds use only even digits; passwords are written with all ten digits, odd digits are ignored". 2-4 simple rules will make it unhackable even for someone with physical control of the passbook. (Never write down the rules - keep them in yer head).
    To keep the rules fresh, use different passwords and uids for every single app or website possible. You'll always be rehearsing the rules in yer head, so you won't forget them.
    Here's an example from my current set: pwd= "RhinoPott=amus" Rule 1,3
    I'll bet you can't guess the real password in 10,000 tries. You don't know rules 1 or 3, which modify what's written. Go ahead, give me 10,000 tries in a text file - I'll let you know if you get it.
    This really really works - I've been doing it this way since the 1980s, and haven't misplaced a properly coded pwd yet.

    --
    Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
  9. Re:Delete the spreadsheet. by lewko · · Score: 5, Funny

    I love having the password on my monitor. However I didn't like the appearance of all those Post-it notes stuck to it. So instead I changed all my passwords to "Samsung".

    --
    Do you or your partner snore? - Visit www.snoring.com.au