Password Management within an Organisation

Although I've seen many implementations of solutions to this problem, I believe that the most complete, if not perhaps the most convenient, was a Git repository restricted to super users only containing encrypted text files of passwords by environment. Managing the password rotation on the devices, mixed servers and dedicated devices such as modems, was handled separately.

This solution greatly simplified the distribution of new passwords as a simple update needed to be performed by users to receive the latest revision of the passwords as well as providing a traceable history of previous passwords for record keeping.

As I recall the files were GPG encrypted, but there are numerous solutions and viable approaches to handling the files themselves.

The obvious downside to this approach is that, especially when passwords have changed, you are decrypting one or more files searching for the required password(s). Of course, as with anything, the more frequently you use a password the more likely you are to memorize it and, depending on the device(s) in question, access may be an infrequent event which is not greatly hindered by having to go through a somewhat more lengthy process to gain the appropriate password.

If you are also interested in strategies and/or scripts for generating and/or changing passwords on servers and/or other devices I would be glad to share those that I employ as well.

--

I would be glad to.

I will assume that you are familiar with file encryption, PGP or otherwise. If this is erroneous please feel free to ask and I will be happy to provide some examples.

Setting up a Git repository is relatively straightforward and will display similarities to most any content management solution with which you may be experienced. One note with Git: it is, by design, fully open and, as such, will require additional steps to restrict access to specific files or repositories. This can be accomplished relatively simply by leveraging file system ACLs (just one possible solution). That being said, I would certainly recommend that you use a solution with which you are comfortable and familiar, especially if alternate content management solutions are already in use at your organization.

The file(s) will, by definition, represent a password database correlating device identifier(s), such as hostname, to passwords and, potentially, to user names. For example: router-1.internetdomainwebsite.com administrator soopersekretpasswerd. Ideally you will never store the file unencrypted, however, following this strategy does make retrieving passwords relatively inconvenient. For this reason I recommend scripting an accessor to work within your encryption framework, perhaps taking an identifier as a search term and writing only the requested password to a file for one-time use by the requester.

Any device that supports password changes can be scripted. Since most devices support changing passwords from a CLI, I would recommend taking a look at the Expect language and/or its libraries for Perl, Python, or the language of your choice. I personally use a script that accepts the desired username, accepts the current password, accepts and verifies the desired password, then changes and verifies the change on all hosts passed or provided when prompted. It's fairly bare-bones Perl with Expect.
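The accessor described above (search the decrypted database by device identifier, write only the requested password to a one-time file), as an added example in Python rather than the poster's own Perl. The record layout (`device user password` per line), the `Entry` type, the function names and the sample database are all assumptions for this example; the `gpg` wrapper calls the real `gpg --decrypt` CLI and is the only part that needs a key on the machine.

```python
import os
import subprocess
from typing import List, NamedTuple, Optional

# Constructed sample of the *decrypted* file: "<device> <user> <password>" per line.
SAMPLE_DB = """# passwords: production network devices (constructed sample)
router-1.internetdomainwebsite.com administrator soopersekretpasswerd
switch-2.internetdomainwebsite.com admin Hunter2-rotated-2014
"""


class Entry(NamedTuple):
    device: str
    user: str
    password: str


def parse_password_db(text: str) -> List[Entry]:
    """Parse the decrypted database; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:  # refuse malformed lines rather than guess at them
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        entries.append(Entry(*fields))
    return entries


def lookup(entries: List[Entry], device: str, user: Optional[str] = None) -> Optional[Entry]:
    """First entry matching the device identifier (and user name, if given), else None."""
    for e in entries:
        if e.device == device and (user is None or e.user == user):
            return e
    return None


def decrypt_with_gpg(path: str) -> str:
    """Thin wrapper over the gpg CLI: plaintext stays in memory, never on disk."""
    proc = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt", path],
                          check=True, capture_output=True)
    return proc.stdout.decode()


def write_one_time_file(path: str, password: str) -> str:
    """Write only the requested password, owner read/write, refusing to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return path
```

A real run would be `write_one_time_file(out, lookup(parse_password_db(decrypt_with_gpg("prod.txt.gpg")), host).password)`; the requester deletes the file once used.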


I run a digital agency and we often have to manage a range of passwords and share them between our team of developers/managers etc., so I have been doing research on the best way to manage this. (We previously used KeePass synced over Dropbox, but it was becoming unmanageable.)

We've decided on a cloud/hosted solution that can be accessed from our computers as well as mobile devices when we're out of the office.

These are some of the options that made our shortlist:

  • LastPass
    Individual entries can be shared with a free account, but it requires a premium ($12/year) account to share a single folder, or enterprise account ($24/year) to share multiple folders.

  • 1Password
    $3-8 per user per month, depending on plan

  • Passpack
    Free for 1 user, $18/year for 3 users, $48/year for 15 users.
    Unfortunately the user-interface isn't as friendly as it could be, but apparently a redesign is supposed to be happening in 2014.

  • Dashlane
    Free basic account, or $40/user/month to sync across devices and share more than 5 items.

    See: Security analysis of Dashlane

  • CommonKey
    Free for teams of 3, or $20/month + $2/user/month for company/enterprise features.

  • Mitro
    Free, and great UI, but low on features.

  • Meldium (now owned by LogMeIn)
    Starting at $29/month for 20 users.

  • RoboForm Enterprise
    $37.95 per licence, once-off.

I can't comment on the security of each of them, but most now (thankfully!) perform encryption on the client side, so that even the developers and company admins can't access your passwords.

LastPass seems to meet most of our needs so we're currently trialing that. We originally had Passpack recommended to us, but found the interface pretty clunky and it refused to import our KeePass file containing a couple hundred accounts.

Please comment if you have extra details or any worthy additions to this list and I'll try and update it.

See also: How safe are password managers like LastPass?


As per your comment, that you're talking about systems and devices that insist on shared users / single-user-mode:

First off, try to avoid / minimize this as much as possible.

Second, avoid and minimize this as much as possible.

Third, this should definitely be a consideration when evaluating products/services - if it has such an inherent insecurity, you might not want it after all. It's likely that there are other issues there too...

Fourth, double check with the vendor/provider to see if there is a way to configure it securely.

Fifth, consider building a thin "proxy" type application, that will enforce user authentication, and then use its own single account for the device, with its own internal random password.

Sixth - if aaaalll the above are not relevant / don't work (seriously??) - I have seen places that have an ACLed, encrypted folder - or better, a cryptosafe - with access granted only to the admins, and in it stored file/s with the randomly generated passwords.
Depending on your culture/type of org, it might be better to print out the passwords and store them in an ACTUAL safe, protected by your security officers, and the combination given only to the admins...