Password repository

Quick question, does anyone have software/combination of tools they
recommend for centrally storing various passwords securely?

Thanks.

On a small scale, PasswordSafe from Sourceforge.

Pwman

http://keepass.info

Works great in a multi-user environment.

Quick question, does anyone have software/combination of tools they
recommend for centrally storing various passwords securely?

<old school>

ascii text file, gpg encrypted, only opened with emacs crypt++.el

randy

From the network administrator perspective, we prefer to use a 3rd
party/central authentication system where feasible, to reduce the number of
password entries in our network from Users*Systems to
Users*Security_Domains, and keep a gpg-encrypted file (and a physical copy)
in a safe location of rarely used admin/root passwords that we only
need in an emergency (e.g. when RADIUS goes down).

Jay Nakamura (zeusdadog) writes:

Quick question, does anyone have software/combination of tools they
recommend for centrally storing various passwords securely?

Home-built app with GELI (FreeBSD) encrypted disk image and automated
versioning of documents/secure stuff with a VCS. Works fine in a multi-user
context, but only one user can access it at a time.

We have used Password Manager XP for quite some time. It supports different user roles, allows security to be set per folder, the encryption levels it supports are insane, and it allows for a "database password" and then user-level authentication (which can be tied to NT authentication from the workstation). They also have a client for Windows Mobile devices. The client also runs in Wine exceptionally well. You can configure it to do form filling, and you can define password expiration dates and it will remind you that passwords need to be changed. It also supports the ability to define a database log, so that all changes can be sent off to a log server. You can also add pretty detailed descriptions to the entry, and you can tie files into the entry as well. Works great for attaching a private key for access to servers via SSH. All of the displayed fields inside of each folder are completely customizable and quite easy to change. It supports multiple users pretty well; however, we have had to restore the database from backups once when a user was writing to the database over SSL VPN and the connection dropped. We have used it with a max of about 20 people and it worked great for that number; however, as your database gets larger and larger it does take a while to make some changes.

...which has the HUGE advantage of being CLI (so usable over SSH
sessions from network devices) and has tagging for searching large
databases of passes. pwman3 is the current version. For most OSs.
I've even used it looped through a multitude of nested VTY+SSH+screen
sessions - one of which was a Dropbear sshd and client on a $20 plastic
CPE - to save my sorry *ss.

For GUIs:-
Keepassx for most OSs, and Keepass2.x on MS Windows
Password Gorilla is a nice one for end-users, most OSs

Bruce's Password Safe format is a somewhat de facto standard for
import/export. KeePass can do a lot of conversion for you.
Some shops use rsync to distribute the masters and set them read-only at
filesystem level, though this tends to preclude regular rotation and
updating.

Beware that some of the commercial offerings are trivially broken or
otherwise borked for "work" use. ymmv

Whatever you use, dump the file to a flat file (encrypted, of course) and
save a statically linked version of the app for those "wow - what
password app did we use way back in 2001?" moments.

Print a copy every month or so and store securely offsite too - all the
usual caveats apply. Once you have a super-duper app for them you tend
to crank the pw complexity up to a level where no-one can remember
anything nor even recognise regular ones; it's mainly cut and paste,
especially if you use X.

Unless, of course, the OP meant RADIUS pulling on LDAP, PAM, etc.?

Gord
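Randy's "ascii text file, gpg encrypted" approach and Gord's advice to keep an encrypted flat-file dump and distribute a read-only master can be turned into a small script. This is an added example, not code from anyone in the thread. It assumes gpg 2.x is on the PATH; the vault entries, the passphrase and the temporary paths are constructed placeholders for illustration.

```shell
#!/bin/sh
# Added example: store a password list as a gpg-encrypted flat file,
# check that it decrypts back to the original, and mark the distributed
# master read-only. Assumes gpg 2.x (for --pinentry-mode loopback).
set -eu

# Symmetric encryption with the passphrase read from a mode-600 file,
# so it never shows up on the command line or in shell history.
encrypt_vault() {
    in="$1"; out="$2"; pf="$3"; home="$4"
    gpg --homedir "$home" --batch --yes --quiet \
        --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-file "$pf" \
        -o "$out" "$in"
}

decrypt_vault() {
    in="$1"; out="$2"; pf="$3"; home="$4"
    gpg --homedir "$home" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-file "$pf" \
        -o "$out" -d "$in"
}

# Full round trip in a scratch directory. Returns 0 only if the
# ciphertext does not contain the plaintext and the decrypted copy is
# byte-identical to the original; cleans up the scratch directory.
vault_roundtrip() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/gnupghome"          # private keyring/agent home
    printf 'placeholder-passphrase\n' > "$tmp/passphrase"
    chmod 600 "$tmp/passphrase"

    # Constructed sample entries; tab-separated so grep/cut work over SSH.
    printf 'router1\tadmin\tExample-P@ss-1\nradius-backup\troot\tExample-P@ss-2\n' \
        > "$tmp/vault.txt"

    encrypt_vault "$tmp/vault.txt" "$tmp/vault.txt.gpg" "$tmp/passphrase" "$tmp/gnupghome"
    chmod 0440 "$tmp/vault.txt.gpg"        # read-only master for distribution

    status=0
    # The encrypted file must not leak any plaintext entry.
    if grep -q 'Example-P@ss-1' "$tmp/vault.txt.gpg"; then
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        decrypt_vault "$tmp/vault.txt.gpg" "$tmp/decrypted.txt" "$tmp/passphrase" "$tmp/gnupghome"
        if ! cmp -s "$tmp/vault.txt" "$tmp/decrypted.txt"; then
            status=1
        fi
    fi
    rm -rf "$tmp"
    return "$status"
}
```

The round trip is the part worth keeping: an encrypted dump you have never decrypted is not a backup, so a cron job can run the same check after each export before the file is rsynced out.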

Don't recall if it was mentioned, but we use a nice little app called MyPMS
http://lvoware.com/. Put it on an internal system and then people have
to access it via a VPN connection to browse into it. That way, if a person
is no longer with the company, their VPN has been turned off and
they don't have access to it anymore. The reason I like the app is it's
OS agnostic for the end user and keeps the data in an SQL DB.

All,

I wasn't expecting the number of suggestions I got! Thanks all.

It looks like KeePass is the popular choice by many. We are looking into that.

And those that suggested RADIUS, yes, I am moving in that
direction for what can be moved to RADIUS. However, we
also manage so many customers' equipment/web site
contents/applications/networks that we can't use RADIUS in
those instances.

Again, I appreciate having this list to get ideas on various issues I
face every day.

I offer a free service: Send me all your passwords via encrypted email and I promise to keep them safe for you :)

Ok, kidding aside we also use KeePass...

I've used phpchain in the past. It's freeware you can get from
SourceForge. It runs on a PHP server and stores the passwords per user,
Blowfish encrypted. It hasn't been updated in a while, but I found it
simple, rather helpful, and easy to install and manage.

Jeff

Or if you prefer vim there is the gnupg.vim plugin:
http://www.vim.org/scripts/script.php?script_id=661

:P

I'm not sure if you're only considering free software, but if not, take a look at Password Manager Pro.

http://www.manageengine.com/products/passwordmanagerpro/download.html

Dan

Jay Nakamura wrote:

Quick question, does anyone have software/combination of tools they
recommend for centrally storing various passwords securely?

Thanks.

I use open-source, multi-platform software:

KeePass password file in a TrueCrypt container, and it works like heaven and securely.

KeePass for Windows: http://www.keepass.info/
KeePass for Linux/Mac OS: http://www.keepassx.org/

TrueCrypt (all platforms): http://www.truecrypt.org/

Pierre-Yves Maunier

I'm a big fan of 1Password, but I'm on Mac and iPhone.

I'll second that. 1Password truly is fabulous, though its strength is
the auto website login feature with a hotkey. When in your browser,
Command+Option+\, type some characters of the site or description, hit
enter, and it opens your default browser, goes to the site and logs you
in. Integrates with all browsers: Safari, Firefox, Opera and others.

Supports secure notes, has a well-designed strong password generator, can
be synced over the network to multiple other computers via Dropbox (or
whatever you want to use; rsync works too), and has great integration with
the iPhone as well as a browser-based client for use on non-Mac computers.

If you are not using a Mac, or are using a mixed bag of operating systems,
1Password is probably not best.