Best Practice and Solutions for Sharing Passwords [closed]

I face this problem every time I go to a new startup. First thing I do is make a couple of "Password safes" with a program like this one (or one of its derivatives):

http://passwordsafe.sourceforge.net/

Set strong combinations and throw them up on a network share. Segment by area of responsibility... central infrastructure, production servers, dev/QA, etc.

Once there's enough momentum, and assuming I have the proper Windows environment dependencies, I like to move everyone to this:

http://www.clickstudios.com.au/passwordstate.html

It has features for both shared and personal credentials.


Not to be forgotten is the need to be able to revoke passwords if an employee leaves/is fired. There have been several cases noted in popular media of employees being fired and 'getting back' at their company using passwords that were still active after they left.

This is typically 2 parts:

  1. Knowing all the passwords that need to be changed (otherwise you default to all which is tedious)
  2. Manually changing them or automating the process with a tool or script.

Another important factor is ensuring that password policy is followed when the changes are made - e.g. how do you know that the same password was not used on multiple accounts or that a weak password was not used?
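
The two parts and the policy check described above can be sketched as follows. This is an added example, not part of the original answer; the inventory layout, account names, the 16-character minimum and the three-of-four character-class rule are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample inventory: who can read each shared credential.
INVENTORY = [
    {"account": "core-switch-admin", "readers": {"alice", "bob"}},
    {"account": "prod-db-root", "readers": {"alice", "carol"}},
    {"account": "qa-jenkins", "readers": {"bob", "dave"}},
    {"account": "prod-web-deploy", "readers": {"bob", "carol"}},
]

def credentials_to_rotate(inventory, departing_user):
    """Part 1: every shared account the departing person could read."""
    return sorted(e["account"] for e in inventory if departing_user in e["readers"])

def policy_violations(new_passwords, min_length=16):
    """Flag weak or reused replacements; new_passwords maps account -> password.

    min_length and the three-of-four character-class rule are assumed policy
    values. Reuse is found by comparing keyed fingerprints, so plaintext
    passwords are never grouped, sorted or written out.
    """
    key = secrets.token_bytes(32)  # throwaway key, valid for this run only
    seen = defaultdict(list)
    issues = defaultdict(list)
    for account, pw in new_passwords.items():
        seen[hmac.new(key, pw.encode(), hashlib.sha256).digest()].append(account)
        if len(pw) < min_length:
            issues[account].append("too short")
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
        if sum(classes) < 3:
            issues[account].append("low character variety")
    for accounts in seen.values():
        for account in accounts if len(accounts) > 1 else ():
            others = sorted(a for a in accounts if a != account)
            issues[account].append("reused on " + ", ".join(others))
    return dict(issues)

def rotation_report(inventory, departing_user, new_passwords):
    """Combine both parts: what is still unrotated, and what breaks policy."""
    due = credentials_to_rotate(inventory, departing_user)
    rotated = {a: new_passwords[a] for a in due if a in new_passwords}
    return {"not_rotated": [a for a in due if a not in new_passwords],
            "violations": policy_violations(rotated)}
```

Running `rotation_report` after each departure shows which accounts still carry a password the former employee knew and which replacements were reused or weak.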


I work in a small IT shop and we've been using Secret Server for the past year to manage our passwords for our network devices and client needs.

They offer an "install edition" or an online/hosted edition. We use the hosted edition for less than $100/yr (5 users) and can access this password information securely via web browser anywhere we go. If you're really worried about security, install it on your own server and only access it via LAN or VPN.

Additionally, my favorite "personal" web-based password manager now offers a "business edition" - PassPack.

I'm not sure how it performs in this scenario versus Secret Server, but either solution ought to be much more versatile and secure than scraps of paper, desktop apps or (gasp) remembering things in your head. For the "single point of failure" concern, either of these products allows easy export to CSV.