Web Based (and Encrypted) Password/License/Etc Database [closed]

Looking for a system to store the many credentials I use as a consultant/contract programmer. While I know I could use KeePass or similar for desktop use, or something like PassPack for web based (client side encryption) password storage, even Evernote could be used to create a 'notebook' for each client/project with the sensitive data encrypted - what I'm looking for is a service that provides:

  • Storage of different credentials (WPA Keys, Software Licenses, Amazon API keys).
  • Secure way to request credentials, without forcing a signup.

I'd probably be okay with storing various data as passwords - the big thing is getting the data. While PassPack has a 'sharing' interface, it would force clients to sign up. I'm looking for something that simplifies public/private key encryption so I can tell a client, "Don't e-mail it to me, just go to ___.com/tjlytle and fill in the form."

Have I missed whatever site does that?


Solution 1:

Having worked for "managed services" firms in the past, I've looked for something like this but never found it. I haven't had the time or inclination to write such a thing since starting my own business, but there's definitely a market for it. It would definitely be handy for internal use inside an IT organization of more than 1 person, too.

I've seen too many kluged "solutions" using things like "Password Safe" that don't have strong (or any) auditing mechanisms. It's a huge pain to change all the passwords in the "safe" when someone leaves the company. Keeping the passwords stored server-side with granular access mechanisms and an audit trail would make life a lot easier in such an eventuality.

Features that I'd like include:

  • Authentication for individual users to the database such that an audit trail can be generated. Ideally the authentication system would use plain ol' HTTP authentication.

  • Your "access without signup" ("request" feature) sounds like using a unique URL as a "shortcut" to bypass authentication for a given credential that can access a single password. That sounds pretty straightforward to implement. When you create that one-time use credential you should have some kind of metadata to describe why the credential was created (for reporting).

  • Reports showing what passwords were accessed by which users to allow only the necessary passwords to be changed when someone leaves the company. Once the data is in a database back-end this is easy.

  • Password expiration dates. I'd use these to drive scripts to perform automated password rotation and check-in of new passwords to the system. Often I've got things like service account passwords that I don't want to be subject to operating system password aging requirements but, at the same time, I'd like to have the passwords change once in a while.

A database back-end with a web CRUD interface all wrapped up in SSL ought to work fine for this.

It shouldn't be too much work to knock together something quick and dirty, but making it really polished and clean (with a nice client API) would probably be some work.
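The one-time link, reason metadata and access report from the feature list above can be sketched as follows. This is an added example, not code from any answer or product mentioned here; the `DropLinks` class, the `vault.example` URL and the credential and actor names are hypothetical, and an in-memory dict stands in for the database back-end.

```python
import hashlib
import secrets
import time

class DropLinks:
    """In-memory sketch of single-use access links with an audit trail."""

    def __init__(self, base_url="https://vault.example/drop/"):  # hypothetical URL
        self.base_url = base_url
        self.links = {}   # sha256(token) -> link record
        self.audit = []   # append-only (time, event, credential, actor, purpose)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as URLs.
        return hashlib.sha256(token.encode()).hexdigest()

    def _log(self, event, rec, now):
        self.audit.append((now, event, rec["credential"], rec["actor"], rec["purpose"]))

    def issue(self, credential, actor, purpose, ttl=86400, now=None):
        """Create a link for one credential; `purpose` is the reporting metadata."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        rec = {"credential": credential, "actor": actor, "purpose": purpose,
               "expires": now + ttl, "used": False}
        self.links[self._digest(token)] = rec
        self._log("issued", rec, now)
        return self.base_url + token

    def redeem(self, url, now=None):
        """Return the credential name the link unlocks, or None if invalid."""
        now = time.time() if now is None else now
        token = url[len(self.base_url):] if url.startswith(self.base_url) else ""
        rec = self.links.get(self._digest(token))
        if rec is None:
            return None
        if rec["used"] or now > rec["expires"]:
            self._log("rejected", rec, now)  # replay or expired link is recorded
            return None
        rec["used"] = True
        self._log("redeemed", rec, now)
        return rec["credential"]

    def accessed_by(self, actor):
        """Credentials to rotate when `actor` leaves: only those actually redeemed."""
        return sorted({c for _, ev, c, a, _ in self.audit
                       if ev == "redeemed" and a == actor})
```

The link itself is a bearer secret, so it should only ever travel over the SSL-wrapped interface and carry a short lifetime.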

Solution 2:

We use our aforementioned pidCrypt library in pidder (https://www.pidder.com) - a web based platform that focuses on managing and sharing secrets (passwords, messages, identity information, etc.) securely.

We already had a "dropbox" feature on our todo list, albeit with little priority and scheduled for a later release. After stumbling upon this question, we decided to have it implemented at the start of our open beta later this year.

So, while the main features will require registration, there's also going to be a "dropbox" where anyone can send encrypted messages to a registered user provided they know his or her dropbox URL.

Solution 3:

There are at least two online password managers which are free software:

W3PW

http://w3pw.sourceforge.net/

Clipperz

http://www.clipperz.com/open_source/clipperz_community_edition

Both look quite good (haven't used them yet).

The only feature missing, as far as I can tell, is the ability to add a password without having an account (if I understood you correctly).

This should not be too hard to add, though, so it might make sense to build onto one of these products. That's the point of free software, after all :-).

One way would be to implement a feature that lets you limit a user to adding new passwords. Then you could just create an "addpassword" user with default (or empty) password, and send that to clients (or implement a feature to create a URI which preauthenticates you, so you can just send a link). That should work and be secure...