30

I am trying to figure out what the best solution is to store different types of passwords:

  • Personal passwords (my personal email, my company's email, all the services I use to buy things like Amazon, etc.)

  • My business passwords (all the tools used to run my business, harvest, Google apps, slack, deploybot, etc.)

  • My client's passwords, their own services which they sometimes share with me to use (like Amazon AWS, some email account they create for me, some other tools they use like Salesforce).

I know that probably I won't find one tool to rule them all, but I would like to hear your advice or experiences to deal with this same situation.

EDIT:

After more than 3 years of my original question, I would like to say that I am using LastPass as recommended by @dotancohen and it really solves most of the use cases I described, even on the free account.

Lautaro Rosales
  • 403
  • 4
  • 7
  • Is this file soley fore your use, or do you want to provide access to others (e.g. so clients could see their passwords whilst not those of other clients)? – JohnLBevan Nov 27 '15 at 08:23
  • access to others will be a nice to have. Meaning that probably we can leave without it, but it will be helpful to provide access to my employees and revoke access if I need to. – Lautaro Rosales Nov 27 '15 at 16:18
  • https://Keepass.info is the best. You can share the KDBX files on Dropbox. – Chloe Nov 27 '15 at 19:14
  • I reviewed Keepass, and the only thing i cannot find was the plugings for the browser that is really something needed at least for me. – Lautaro Rosales Nov 29 '15 at 20:01
  • If the only thing missing from KeePass for you is a browser plugin, what about chromeipass for Chrome/Opera, or KeeFox for Firefox? – Ben Dec 03 '15 at 22:49
  • Just spotted a Reddit on the same (https://www.reddit.com/r/sysadmin/comments/1vdngp/multiuser_keepass_with_granular_security_has/). http://www.teampass.net/ seems good; though is a hosted service (i.e. means trusting your credentials to the vendor). – JohnLBevan Jul 25 '16 at 11:50

8 Answers8

26

The easiest way would be using several databases. Tools like KeePass allow you to store passwords in different files. You could for instance opt to store your passwords in seperate databases based on client or purpose.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
  • dumb question, but what's a good way to have access to keepass on multiple computers, and possibly smartphone? dropbox? – Neil McGuigan Nov 26 '15 at 19:02
  • 2
    @Neil McGuigan Dropbox (or alternatives) assumes you trust the company with your data. Sure, it's encrypted, but if anyone gets the file it's off-line brute-force attack. You could set-up your own synchronization service (ownCloud possibly) or synchronize your machines in a star topology - [Unison](https://www.cis.upenn.edu/~bcpierce/unison/), [syncthing](https://syncthing.net/), [gut](https://github.com/tillberg/gut) come to mind. In case you missed conflict, KeePass at lest allows cleartext export which you can diff manually. – Torinthiel Nov 26 '15 at 19:35
  • @Torinthiel Even if your files are compromised, they need to break the encryption first, which means breaking the hashing. KeePass basically uses salted SHA256, which is honestly not ideal when taking multi-GPU setups in consideration, but if your master password is not retardedly simple, it should give you enough time to reset all your passwords so they're no longer usable. I personally use 1Password combined with Dropbox. – Nzall Nov 26 '15 at 20:53
  • 3
    @Nate Kerkhofs Changing password to everything I have in keepass? Including credit card PIN, which I cannot change online? Or as OP says, his *client*'s passwords? No, thanks, I'm not taking that chance. And you need to first *know* there's been a breach. If they keep it secret (or don't realize themselves, or it's an inside job, or ...) you don't know you should change your password, and won't do it. – Torinthiel Nov 26 '15 at 21:06
  • 5
    Should point out that you should use VERY strong passwords for each KeePass database (or whatever tool...). Use a long, random passphrase (e.g. Diceware), and if you can lock it with a key file too. – AviD Nov 26 '15 at 22:18
  • 3
    Or increase the number of transformation rounds. It's 41,266,560 for and on my pretty powerful PC it takes 4 seconds to encrypt/decrypt. With an 8 character password using lowercase, uppercase and a number you have 218,340,105,584,896 combinations. Even if you could go down to testing 1,000 keys per second (which would be 40,000 times faster than on my PC) it's over 6 thousand years to check all combinations. Though I have a 46-character password just to be sure ;). – Maurycy Nov 27 '15 at 09:52
  • 2
    @Maurycy Now that you have stated your password length, you'll have to read through [How critical is it to keep your password length secret?](http://security.stackexchange.com/q/92233/2138) – user Nov 27 '15 at 18:15
  • 1
    @MichaelKjörling Fortunately for me I've read that question a few days ago and I know that, while it's best not to share it, at best I only sped the cracking process up by 2% so I am not very concerned. – Maurycy Nov 27 '15 at 18:44
  • @NeilMcGuigan you can also put Boxcryptor as a layer on top of Dropbox so that it gets encrypted on your computer before going to Dropbox. – icc97 Nov 27 '15 at 20:14
  • @icc97 it is already encrypted anyway, seems silly. – ComputerLocus Nov 30 '15 at 20:48
  • @Fogest Dropbox can decrypt your files if they want. If you want to prevent Dropbox from being able to view them then you need to encrypt them before sending. Dropbox themselves recommend this - see the final answer from dropbox here (http://www.techrepublic.com/blog/it-security/dropbox-convenient-absolutely-but-is-it-secure/) – icc97 Dec 01 '15 at 09:18
  • @icc97 The keepass is already encrypted is what I am saying. – ComputerLocus Dec 01 '15 at 19:00
  • @Fogest ah, I see what you mean now. Still, Boxcryptor is very easy to install and it adds another layer of encryption to slow down what Torinthiel was talking about with brute forcing your keepass database. – icc97 Dec 01 '15 at 22:38
12

For your exact use case, I personally use Lastpass. The killer features of Lastpass include the ability to compartmentalize and separate each client's passwords from each other and from my own. They also have in my opinion the best browser addon integration and the data can be stored and used offline as well.

I like to increase the password PBKDF2 iterations as that makes me just a bit harder to crack than the average user, and I absolutely will not use the service on a computer that I do not control.

dotancohen
  • 3,696
  • 3
  • 25
  • 34
3

Six months ago, I was in the same situation as you are right now. I used to save all passwords in my MySQL database (not safe at all) and I made a Python script to extract them. That was not a good way to solve the purpose at all.
Now I use 1password to manage and secure all my passwords in a single place and encrypt them with a master password.

Vilican
  • 2,723
  • 8
  • 22
  • 35
Sanidhay
  • 191
  • 12
3

For your Personal Passwords, why not use your browser's built in, password manager? In Firefox for example you can also set up a master password which encrypts the database. So you just have to enter it anytime you open your browser.

I didn't see this as an answer so I'm wondering if there are any serious security risks that I'm unaware of.

For the other passwords I'd also suggest KeePass, as mentioned above. It's Cross-Platform and quite mature project, with a lot of functionalities managing passwords. Also storing your clients information (even encrypted) on a third party website, besides being a possible security risk, it might even be illegal for some countries.

gekaklam
  • 161
  • 2
2

I like pass. I realize it's not for everyone (because it's for Linux and doesn't have fancy features like browser integration or mobile support), but the reason I like it is that it's just a wrapper for git and gpg, two projects I fully trust, since they have been vetted by a huge community for years, if not decades. The script itself is short enough to read. You can make use of gpg-agent. It decrypts single passwords on demand and can copy them directly to the clipboard for a limited amount of time. The database is heavily encrypted with my PGP-key and could safely be stored on github, but I choose to sync up multiple computers differently if I needed that.

Volker
  • 1,243
  • 8
  • 12
0

I simply use the excellent password manager included in Google Chrome.

  • Google Chrome is my browser of choice.
  • Password management is built right into it.
    • Convenient and easy.
  • All my web application passwords are saved.
  • Can save multiple credentials for the same site.
    • Allows you to choose between them at sign in time.
  • Integrates with the credentials management system of the underlying operating system.
    • Increased local security.
    • Asks for my local user password before displaying passwords in plaintext.
  • Synchronization with my Google account.
    • Passwords are available everywhere.
  • Works seamlessly on all major desktop and mobile operating systems.
  • Works with Google Smart Lock.
    • Allows me to sign into mobile applications using my saved passwords.
    • Can view and manage my passwords through my Google account.
  • Can provide my own passphrase for password database encryption if I want to.
    • Google can't see the data.
    • Breaks Smart Lock.
  • Includes its own password generator.
    • Improves security in general by making it easy for all users to
      • Generate unique random passwords for every site.
      • Save them.
      • Promptly forget about them.
    • Encourages good password choices and management practices.
    • Reduces susceptibility to phishing attacks.
    • Limits the damage done when a specific password is compromised.
    • Provides increased peace of mind when combined with all the other security practices.
      • For the individual users.
      • For the system administrators responsible for their security.

Chromium's Security FAQ


Firefox also comes with a great password manager. I use for some specific sites and identities. It's also capable of synchronizing passwords with a Firefox account, making it extremely convenient.

I simply can't justify paying for something like LastPass when browsers such as Firefox|Google Chrom{e,ium} already have all those features built in. They've had them since forever and they keep getting better and better.

pass appeals to the programmer in me. I think it is beautiful in its simplicity and how it is based on GNU Privacy Guard and Git, technologies I personally use and love. Unfortunately, I am currently running Windows.

Matheus Moreira
  • 371
  • 3
  • 16
  • lastpass is free - Chrome's password manager is exposed to anyone with access to the machine – schroeder Dec 22 '15 at 04:18
  • @schroeder, it's not free. Paid LastPass Premium subscription is required for an essential feature like synchronization between multiple devices. You also have to pay if you want to use a security token such as a YubiKey. Chrome supports pretty much all useful features in their comparison matrix, up to Premium features, out of the box. – Matheus Moreira Dec 22 '15 at 04:47
  • @schroeder, if the attacker has _unrestricted physical access_ to the machine, credentials can be compromised without the password manager's aid. One can simply open the email client and use the `Forgot password?` forms of websites to reset passwords. Even so, [Chrome's password manager uses operating system mechanisms](https://www.chromium.org/developers/design-documents/os-x-password-manager-keychain-integration) to frustrate an attacker should the user make the mistake of leaving his machine unlocked and unattended. I mentioned this in my answer. – Matheus Moreira Dec 22 '15 at 04:58
  • Lastpass *is* free when comparing features to the browser password manager. Your link is for Mac OS - Windows machines do not have such protection. When I say "physical access", I am not talking about access to the user account, but simply to the machine itself. Lastpass and other password managers do not have this problem. The point is that it depends on the threat model that concerns you. You cannot dismiss 3rd party password managers simply because you are using a certain threat model. – schroeder Dec 22 '15 at 05:12
  • Can you explain "Lastpass is free when comparing features to the browser password manager"? Personally I use KeePass and sync with cloud storage, but I've been looking for an "easier" solution for family and friends, and last time I checked you needed a paid account to sync between mobile and desktop with Lastpass. I assume (but haven't actually checked) that Chrome's or Firefox's password sync features will also sync to mobile, and for free. – Ben Dec 22 '15 at 18:13
  • @Ben, the password managers of Chrome and Firefox have a synchronization feature which use free services provided by Google and Mozilla. Increased availability and convenience is the point of storing sensitive password data in the cloud, but LastPass requires a paid Premium subscription in order to synchronize data. – Matheus Moreira Dec 22 '15 at 18:36
-1

I find myself thanking agileBits 1 password now and again. It just makes the process of dividing and keeping check of a multitude of passwords so much easier.

I can honestly say that the quality and differentiation of my passwords have increased since I have complex passwords available wherever I am.

The ease of use is a factor in my opinion.

I have chosen to use their Dropbox syncing. They use PBKDF2 on the master password on top of the AES encryption on stored passwords.

Viggos
  • 101
  • 1
-2

The option I use is to have a simple password generator, usually a one liner in bash, that I can copy between machines. Something like that

echo "site" "MYSECRETKEY" | md5sum | head -12c

Its not as fancy as a keepass and has obvious problems, you have to remember the user, you cant change the pass, etc... but it will work quick and dirty for non critical passwords

PerroVerd
  • 105
  • 2
  • 6
    What if someone nabs your secret key from .bash_history on any one of those machines – Krubo Nov 27 '15 at 13:47
  • 1
    Lots of sites don't allow such simple passwords consisting of only lowercase letters and numbers – Volker Nov 27 '15 at 14:44