On Sun, Oct 27, 2013 at 8:25 AM, Mark Phillips <[email protected]> wrote:
> On Sun, Oct 27, 2013 at 2:12 AM, Ed <[email protected]> wrote:
>>
>> Hi All,
>>
>> 1) your compliance officer is having kittens....
> The compliance officer does not like cats.....the team members are the ones
> having kittens.
> PasswordSafe is too complicated for them to use.

ok - if your compliance officer is happy, then me too - PasswordSafe too
complicated... hmm, I would never have guessed that.

>>
>> 3) if you need to control access (AAA), you should think about

nevermind - too complicated, but WF can do that kind of relationship if needed
team gets their own creds for your SAML server, it federates to

>
> The credentials I am sharing are not for my servers, but for accounts on
> servers that I don't manage. Like Wells Fargo.
>>
>> why not keep things simple?
>
> I am all for that!!!! ;)
>>
>> It sounds like you could get by with a plain Apache httpd install that
>> only serves https and requires a client side certificate for access,
>> there really is no reason to put this info on any other systems. Odds
>> are good you can serve this up from your office cable/DSL service
>> without too much trouble.
>
> That would work. My biggest concern is that I am not enough of a security
> expert to guarantee that what I whip up is secure enough. So, I am looking
> for recommendations for third party solutions that are secure.

Hard to beat a website you host for secure and simple ( ie team
appropriate access) and PLUG does have a security meeting that could
pen test your work.
http://phxlinux.org/meetings/20-linux-security-hackfest.html

The hardest part might be installing certificates in your team's
browsers - not an act many users are familiar with, but easily
cookbooked and should be a one time event.

If you run Linux, just load Apache-httpd (yum or apt or..) and look at
http://localhost - I bet it is already up.

If you have access to your team's computers, it might be easier to
just SSH (remote access) into their systems and keep a file updated on
their system. Team members would then just be working off a local doc
file, almost as easy as hitting a bookmark. If your only worry is that
the file be secure in transit, then this should be an easy thing.

>>
>> And, NO! none of this is appropriate for real client credentials -
>> also make your clients pick new random 12 character passwords
>> (MyPasswordSafe can generate them for you if needed) the odds are good
>> that the passwords you are sharing with your team are the same
>> passwords your clients use for personal email and all sorts of other
>> things too.
>
> Since I pass out the credentials and manage them, I control when the
> passwords change.
> I just need a secure and easy way to communicate the changes to the team
> members.
> Remember, the team members cannot spell "pgp", so it has to be really simple
> for them, but secure enough to keep a Wells Fargo account login safe.

if you're the originator of the credentials then ~ nevermind

>>
>> Mark - this is bad, really bad
>
> What is bad??? My problem or the proposed solutions?

Didn't understand that these are more like hosted accounts - and not
true client accounts (street) so no ID theft risk or other chicanery.
Disclosure of passwords to third parties will violate terms on many
accounts. Not a problem here as your compliance O is happy.

still wondering about the usefulness of a team that is challenged by
spelling "pgp" ...

>
> Thanks,
>
> Mark
>>
>> On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips
>> <[email protected]> wrote:
>> > I use keypass2 with dropbox for my personal passwords and love it. But
>> > it is too complicated for my team...:-(
>> >
>> > Mark
>> >
>> > On Oct 26, 2013 2:58 PM, "Michael Butash" <[email protected]> wrote:
>> >>
>> >> At work we use "password safe" to share common passwords like service
>> >> accounts, shared vendor accounts, and various other credentials that
>> >> are not unique to a member. It's kind of a kludge, and of course
>> >> windoze only, so I have to use vm to access it. quite annoying.
>> >>
>> >> I've considered pushing to use keepass instead, as I've used this as
>> >> well for a good 6 years under linux. Only problem is it's only a file
>> >> db to be accessed, which makes anyone not on a shared network resource
>> >> accessing it difficult. Also sadly, even the "official" version
>> >> iterated to keepass2, a really crap c#/mono application that barely
>> >> works under linux, and not without frustrations, but older 1.x format
>> >> with keepassx works great.
>> >>
>> >> I have since migrated to LastPass, even paying for the service because
>> >> I've found it to be more valuable than the $12 a year personally, and
>> >> their "enterprise version" can have shared access permissions. Perhaps
>> >> the consumer version can be coaxed to do this too, but I've not had
>> >> necessity to try. The android integration with dolphin browser
>> >> (plugin) makes it easy on any platform, mobile or desktop for
>> >> consistent access means.
>> >>
>> >> Secure shared access for me is a random large/complex string that I
>> >> note as who I've given it to, and only as long as needed before
>> >> changing it. I don't remember passwords, preferring the ambiguity that
>> >> if I can remember it, likely others can brute-force it, or torture it
>> >> out of me.
>> >>
>> >> Of course any service like lastpass inside the US, the NSA would simply
>> >> subpoena and force to give unilateral access to my account anyway (much
>> >> as they can/do anyone, thank your politicians) at that point, so really
>> >> confidentiality is all a perception regardless as long as anything is
>> >> shared externally.
>> >>
>> >> -mb
>> >>
>> >> On 10/26/2013 02:31 PM, Eric Cope wrote:
>> >>
>> >> I use lastpass, although not to share... I can help demo it if you
>> >> want...
>> >>
>> >> Eric
>> >>
>> >> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips
>> >> <[email protected]> wrote:
>> >>>
>> >>> I have a small team, and I am looking for a way to share account info
>> >>> - user names and password, and password updates. These are login
>> >>> credentials for financial accounts I manage.
>> >>>
>> >>> I googled for some ideas, and came up with snail mail, various web
>> >>> services that encrypt/decrypt emails, Lastpass, and safegmail.
>> >>>
>> >>> The users are technical noobs, so it has to be easy. No software to
>> >>> install. Free or inexpensive. They use Windows and Mac, I use Linux.
>> >>> Only I use Gmail, so safegmail is out.
>> >>>
>> >>> Does anyone have any recommendations for web service solutions? Anyone
>> >>> use Lastpass? Other ideas?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Mark
>> >>>
>> >>> ---------------------------------------------------
>> >>> PLUG-discuss mailing list - [email protected]
>> >>> To subscribe, unsubscribe, or to change your mail settings:
>> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
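
The setup suggested in this thread (an Apache httpd that serves only HTTPS and requires a client-side certificate), as an added configuration example that is not part of the original messages. It assumes Apache 2.4 with mod_ssl and a small private CA that issues one certificate per team member; the hostname, file paths and certificate common names are hypothetical placeholders.

```apache
# Added example: HTTPS-only virtual host that refuses any client without a
# certificate issued by the team's private CA. All names and paths are
# placeholders (assumptions), not values from the thread.
<VirtualHost *:443>
    ServerName creds.example.internal
    DocumentRoot /var/www/creds

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    # Trust only the private CA for client authentication. Pointing this at
    # a public CA bundle would admit anyone holding any certificate from it.
    SSLCACertificateFile  /etc/httpd/tls/team-ca.crt

    # Weak:      SSLVerifyClient optional  (handshake succeeds without a cert)
    # Corrected: require a valid client certificate during the handshake.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Revocation: when a laptop is lost or a member leaves, reissue the CRL
    # and reload httpd so that member's certificate stops working.
    SSLCARevocationFile  /etc/httpd/tls/team-ca.crl
    SSLCARevocationCheck chain

    <Directory "/var/www/creds">
        Options -Indexes
        <RequireAll>
            # Defence in depth: deny if verification was somehow skipped.
            Require ssl-verify-client
            # Limit access to named certificate holders (placeholder CNs).
            Require expr "%{SSL_CLIENT_S_DN_CN} in {'team-member-1', 'team-member-2'}"
        </RequireAll>
    </Directory>

    # Record which certificate fetched what, for later review.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s" clientcert
    CustomLog logs/creds_access.log clientcert
</VirtualHost>
```

No port-80 virtual host is defined for this name, so the content is reachable only over TLS; `apachectl configtest` checks the syntax before a reload.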
