What do you guys do for password management?

We are in no way up-to-par when it comes to this topic. Currently, I have a spreadsheet that I keep ALL of our password info in. -I can already hear the groans and facepalms spreading through the room.

So, yeah, it’s not the best, or smartest, or safest manner to manage passwords. But this is the method they were using when I got here, and I just haven’t put my foot down yet to make any changes to the method.

We keep a password-protected spreadsheet that has all of the passwords in it. This is essential for myself and for my boss (who is the biggest reason for this not changing yet). I would like to put together some solution that will still allow us to reference the passwords, but also give us more control over access to that information.

-Currently, the spreadsheet lives in a folder that is only accessible by myself and my boss. (Defined by permissions in the security tab)

  1. Is that enough? -or is it too easy to get through that layer of security? -My assumption is that it’s not good enough, -but I may also be wrong, and I’m beating a dead horse.

  2. If not, is there anything I can do with Windows Server 2008 R2 / Windows 7 to better secure that file?

  3. Are there any suggestions for 3rd party solutions to secure this file, while it’s still readily available on the network?

Any additional thoughts are also welcome, you’re not limited to my series of questions there at the end.

9 Spice ups

We moved from Excel to KeePass https://keepass.info/

We have a DB for work stuff and I have my own private DB.

We wanted something that’s not on the interwebz :¬)

Same thing: the file is secured and you need a password, and to get to the folder you need NTFS & share permissions.

9 Spice ups

I’d suggest getting some software to help with that. I believe the newer versions of Office have better security (harder to crack, but never tested), but a dedicated software solution will give you options. Some will support multi-factor authentication, allow for sharing, generate passwords for you and lots of other features. You could look into something local like KeePass v2 or maybe an online solution like @LastPass. You’ll see a lot of suggestions, and they’ll have different features and costs.

As for where you have them on the network, I think that is a good idea. I keep my database in a folder location that has limited access and the database has a strong password with multi-factor to protect it further.

3 Spice ups

Agree with Neally and Jimmy. Definitely use a password manager, especially as there are good solid free options as well. I use KeePass personally, hosted on a secure network folder, and I’ve given the owners and our e-commerce director the passwords for it, for business continuity. You can also do the password-in-a-sealed-envelope deal as well.

Some people host their KeePass database on OneDrive or similar to get access to it from anywhere, but I just keep it on the network and remote in if necessary.

2 Spice ups

+1 LastPass

3 Spice ups

LastPass: simple and present in all browsers. Plus on mobile with the app.

3 Spice ups

We use Dashlane in our org and our employees love it. Very user-friendly and takes security very seriously. Most of our users who used 1Password or LastPass were skeptical at first, but completely switched after a day’s use and never looked back. They were, to a person, overwhelmingly happy with Dashlane.

4 Spice ups

As I have posted on multiple threads about this topic, we use Thycotic Secret Server for password management.

3 Spice ups

I use KeePassXC. It’s open source and multi-platform, and related to KeePass.

2 Spice ups

My recommendation goes to LastPass

3 Spice ups

I use LastPass for my stuff and use PasswordSafe for company-related accounts/passwords. Both make life easy.

2 Spice ups

Thanks for all the LastPass recommendations, guys!

Phil - there are a few reasons you may want to consider a password manager over a shared document:

  • It generates new, randomized passwords for you, so you know every password is unique and strong
  • It saves and fills every password, so it’s less likely you’ll forget to save a password and it saves you time as you go about your workday
  • It facilitates encrypted password sharing, in case others outside of you and your boss need access to one of those accounts
  • It’s backed up and synced by default, so you always have access to the password store no matter where you’re working
  • It’s encrypted with a master password only you know - only that encrypted blob is synced with LastPass

Those are just a few reasons people choose a password manager like LastPass. Even NIST is now recommending password management solutions. Happy to answer any questions about LastPass specifically, or password management in general.

1 Spice up

Thank you All,

I’ll start checking out some of these solutions. Can anybody share what they like or don’t like about these? -I’ll start whittling down my options.

Online vs. offline is dependent on how comfortable you are with having that info online and on what the service has in place to keep that data safe. At this point, online services are quite solid. LastPass has had a few vulnerabilities pop up, but they’ve been quick to fix them.

2 Spice ups

What Jimmy said, and then open-source versus closed-source. LastPass and Thycotic are closed-source subscription services with user management and permissions and enterprise features as well.

KeePass is an open-source project, and as such has fewer features, but there are a multitude of forks or plugins available for KeePass to add features, which may or may not work out of the box. You do get the benefit of better code review and such overall, plus it will always work, even without internet access.

1 Spice up

As others do, we use KeePass ( https://keepass.info/ ). We have 2 files, one with passwords and one with licenses (I also have a third one, personal for me!), and we keep them in our OneDrive business account so we can access them everywhere.

What I like:

  • Free

  • Secure (uses SHA-256)

  • It has autocomplete. So, for example, let’s say you need to access your Spiceworks account. I open KeePass, open the login page for Spiceworks in the browser and select autocomplete in KeePass; the username and password get automatically written, which is great for long passwords, but also the password is never shown! So it doesn’t matter if you have a pair of eyes over your shoulder, they won’t see anything!

  • Speaking of autocompletion, KeePass has this great feature called two-channel auto-type obfuscation that helps against keyloggers (you can read more about it here: Two-Channel Auto-Type Obfuscation - KeePass ).

  • You can add custom strings for extra information (for example, security questions for recovery)

  • But you can add more than text to your KeePass database; you can attach files too!

  • It also keeps a history of your changes so you can always view or return to a previous version of each password.

  • And if you forget to close it, it will close after a certain amount of time (configurable).

  • It will also clear your clipboard after closing.

  • It has plugins to integrate with all your browsers.

  • It has apps for mobile too!

What I don’t like:

  • Not having started using it before. It’s one of those things you didn’t know you needed in your life until you start using it.

My advice is this: download KeePass, get all your passwords into it, and once you have it working and you get all of its features, then show your boss all the cool things you can do with it.

1 Spice up

I was using KeePass and recently switched to Thycotic Secret Server.

@jordan-thycotic

2 Spice ups

Thank you to everyone who recommended Thycotic Secret Server!

Hey Khaos, thanks for the great questions. I’ve provided my answers below in bold.

  1. Is that enough? -or is it too easy to get through that layer of security? -My assumption is that it’s not good enough, -but I may also be wrong, and I’m beating a dead horse.

ANSWER: It sounds like you know you need the additional layer of security. What’s important to understand are the high risks around data loss and accountability. Using a spreadsheet is extremely insecure and puts your organization at high risk. Here’s a great guide on the “Top Reasons Why Using Excel to Store Passwords Creates Needless Risk” to share with your manager.

  2. If not, is there anything I can do with Windows Server 2008 R2 / Windows 7 to better secure that file?

ANSWER: As others mentioned, I would highly recommend a password management solution. Using a privileged password management tool, you can create, share, and automatically change enterprise passwords. You can assign user permissions at any level, and track password usage with full audit reports. While it may just be the two of you now, you will want to think about all of these points as you grow and are expected to meet compliance requirements; plus, from a time-saving standpoint, you will see a drastic increase in productivity using a true password manager.

Important considerations when choosing a solution:

Do you want on-prem or cloud password management?

How many people are on your team?

What about a solution’s disaster recovery options?

What tools are you using today and do they integrate seamlessly with your password manager?

I hope this helps with your search! And since it wasn’t mentioned, we do offer a free solution for our enterprise password management tool if budget is a concern.
I’d love to discuss this project with you further if you are interested. Please let me know if you have any questions. Best, Jordan

1 Spice up

Also, don’t forget about password best practices.

2 Spice ups

I used LastPass for over 2 years and it is OK, but it does come with a host of its own issues (some weeks 25% of tickets were LastPass issues, and their support is weak at best). Unless your users are pretty savvy with figuring tech out, stick to Keepass safe or Dashlane. Much easier to manage and just as secure.

1 Spice up