How do you share passwords amongst your team?

I think @chris has installed Passman on our instance of NextCloud but I'm not sure if anyone has actually got it working/had a play around yet? (although I note the demo on that site doesn't seem to work at all, which doesn't exactly inspire confidence :-/ )

I was also having a poke around StackShare last night and came across Passbolt which sounds good and is seemingly fairly widely used.

I've also been in various groups/projects who just whack login credentials into a shared Google Doc, which seems to work, but others here (e.g. @harry) have suggested that is not a good way to proceed.

What are you using to share passwords with multiple people?

1 Like

As a rule, you never ever store passwords in plain text, always encrypted. I have seen an organisation accidentally share a Google Doc with all their credentials in by mistake. There are many horror stories out there.

You also want to generate super long random passwords. With the right software, you only need to remember one master password and then it’s just a matter of a copy and paste. That’s individual 128+ character passwords for everything.

If you need a password that you can remember, it's best to choose six or more random words with a space between each. You can use KeePassXC for that.

I personally would stay away from browser/server based stuff. For my own stuff, I use KeePassXC and Syncthing to keep in sync between devices. No servers to compromise and everything is decrypted locally.

In terms of sharing within a group:
You could either share a keepass file which is synced between users using something like Nextcloud, Syncthing et al. Only ideal if you want everyone to have access to all credentials.

What we do in Autonomic is have a pass repo in git which is encrypted to members' PGP keys, including sections only accessible to particular members (e.g. a user password that only that user needs to access). Pass is extremely flexible. We really should document our setup at some point, it's really cool. Kudos to @decentral1se.

I guess if you want to go fully commercial/proprietary, I hear people use LastPass with degrees of success.

Hope that helps :smile:

Feel free to ask any questions folks. Tech nerds love talking about this stuff :nerd_face:

2 Likes

Keybase is useful tool just generally, and can also be used to share secrets/passwords between groups of people. It doesn’t integrate with web login forms like Lastpass or Zoho, but it is great in all other respects.

1 Like

Yes, I’ve recently started using it and like it.

Why 128+ characters? I think I've randomly got LastPass doing 32 character random passwords but I guess I may as well increase it (although lots of sites - most bizarrely, I've most often seen this on online banking sites! - don't even let you have long passwords!).

I get that the longer the better, just wondering out of interest why you chose to write 128+ and not some other number :slight_smile:

Thanks - that is the part of the answer I was really asking for :slight_smile:

I use LastPass for my own passwords, but I’m wondering how best to securely share passwords amongst a team of not very technical people, ideally using open source tools?

Why the space between the words? why would eg:

thisisareallylongwellnotthatlongcollectionofwords

be less secure than:

this is a really long well not that long collection of words

?

I guess the spaces make it a bit longer, but they also make the beginning/ ends of the words easier to work out too, no? :slight_smile:

128 characters is the default in Keepass I think :rofl:

For me it’s easier to remember the shape of the words. I don’t think it would impact security that much as the main factors are the length and randomness.

1 Like
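The questions above about why 128 characters and whether the spaces between words matter both come down to the same arithmetic, so here is an added example (not code from anyone in this thread) that generates passwords the way the replies recommend, with the `secrets` CSPRNG rather than `random`, and works out how many bits of entropy each scheme gives. The eight-word list is constructed for illustration; only the size of the list the words are drawn from affects the entropy, so the numbers are computed against a standard 7776-word diceware list. The guess rate used for the brute-force estimate is an assumption, not a measurement.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list standing in for a real diceware
# list (the EFF long list has 7776 entries). Only the list SIZE matters
# for the entropy figures; the words themselves do not.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "ocean", "lamp", "quiet", "river"]
DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard diceware list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols chosen independently and uniformly
    from `alphabet_size` possibilities: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def random_password(length, alphabet=PRINTABLE):
    """Random password from the CSPRNG (secrets), never random.choice()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words, words=SAMPLE_WORDS, separator=" "):
    """Diceware-style passphrase. The separator is a known constant, so it
    contributes nothing to the entropy: an attacker enumerating word
    sequences tries them with or without spaces just the same. Spaces
    are a memorability aid only, as the reply above says."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes():
    """Bits of entropy for the schemes discussed in the thread."""
    return {
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "32 random printable chars": entropy_bits(len(PRINTABLE), 32),
        "128 random printable chars": entropy_bits(len(PRINTABLE), 128),
    }


def years_to_brute_force(bits, guesses_per_second=1e12):
    """Expected years to search half the keyspace at an ASSUMED rate of
    10^12 guesses/s (a generous offline-cracking figure, not a measurement)."""
    return (2 ** bits / 2) / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:28s} {bits:7.1f} bits  ~{years_to_brute_force(bits):.3g} years")
    print("sample password  :", random_password(32))
    print("sample passphrase:", random_passphrase(6))
```

Six words from a 7776-word list come to about 77.5 bits, 32 random printable characters to about 210 bits, and 128 to about 839 bits. The jump from 32 to 128 characters buys nothing against guessing attacks, since 210 bits is already far beyond reach, so the practical reason to go longer is simply that a manager is typing it for you and the site allows it; where a site caps the length, as the banking example shows, the cap, not the generator, is the limit.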

There is an open source version of LastPass called Bitwarden that is worth checking out.

1 Like

Within our support co-op we use LastPass.
Shared folders for each client make sharing login credentials a breeze really. If I add a login, then it autofills on my teammates computer when they go to that same URL. Neat!
There are some concerns over its cloud-iness, as well as the fact that it was bought up by LogMeIn. But I do actually have a good deal of faith in the whole zero-knowledge architecture so I feel confident that storing all of our MANY passwords in the cloud is not a security risk.

1 Like

It’s just a bash wrapper around git and gnupg …
So really nothing to go wrong at all and super easy to audit.

You can split keys by teams. So e.g. the data centre team can decrypt the system drives, but don't have access to decryption passphrases for application VMs.

It’s in Debian so super easy to install and maintained.

5 Likes
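The per-team split described in the two pass posts above works because pass chooses GPG recipients per directory: each directory can carry its own `.gpg-id` file, and a secret is encrypted to the keys listed in the nearest `.gpg-id` at or above it. The following is an added example, not Autonomic's setup or pass's own code, that builds a constructed store with that layout and resolves who can decrypt what from the `.gpg-id` files alone; it writes placeholder files named like pass's `.gpg` entries and never invokes gpg, so it runs anywhere. The team directories and key IDs are made up.

```python
import tempfile
from pathlib import Path

# Constructed store layout mirroring the thread's example: a root .gpg-id
# for the whole team, a datacentre/ subtree only the datacentre member
# can read, an apps/ subtree for the application team, and a per-user
# section. File contents are placeholders; pass would hold GPG ciphertext.
STORE_LAYOUT = {
    ".gpg-id": "alice@example.org\nbob@example.org\n",
    "datacentre/.gpg-id": "alice@example.org\n",
    "datacentre/disk-passphrase.gpg": "<ciphertext>",
    "apps/.gpg-id": "bob@example.org\ncarol@example.org\n",
    "apps/vm-admin.gpg": "<ciphertext>",
    "shared/wiki.gpg": "<ciphertext>",            # no .gpg-id: inherits root
    "users/carol/.gpg-id": "carol@example.org\n",
    "users/carol/email.gpg": "<ciphertext>",
}


def write_store(root):
    """Materialise STORE_LAYOUT under `root` (a constructed fixture)."""
    for rel, content in STORE_LAYOUT.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def recipients_for(root, secret_name):
    """Resolve recipients the way pass does: start in the secret's own
    directory and walk upwards until a .gpg-id file is found. Blank lines
    and '#' comments in .gpg-id are ignored."""
    root = Path(root)
    directory = (root / secret_name).parent
    while True:
        gpg_id = directory / ".gpg-id"
        if gpg_id.is_file():
            return [line.strip() for line in gpg_id.read_text().splitlines()
                    if line.strip() and not line.lstrip().startswith("#")]
        # Stop at the store root (or if the path escaped it).
        if directory == root or root not in directory.parents:
            raise FileNotFoundError(f"no .gpg-id found above {secret_name}")
        directory = directory.parent


def access_matrix(root):
    """Map every secret in the store to the key IDs that can decrypt it."""
    root = Path(root)
    matrix = {}
    for path in sorted(root.rglob("*.gpg")):
        name = path.relative_to(root).with_suffix("").as_posix()
        matrix[name] = recipients_for(root, name)
    return matrix


def audit_single_recipient(root):
    """Secrets encrypted to exactly one key. Worth flagging: if that one
    key is lost, nobody can recover the secret."""
    return [name for name, keys in access_matrix(root).items() if len(keys) == 1]


def demo():
    """Build the fixture in a temp dir and return (matrix, single-key secrets)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_store(root)
        return access_matrix(root), audit_single_recipient(root)


if __name__ == "__main__":
    matrix, singles = demo()
    for name, keys in matrix.items():
        print(f"{name:28s} -> {', '.join(keys)}")
    print("single-recipient secrets:", singles)
```

In a real store the split is created with `pass init -p datacentre alice@example.org`, which writes `datacentre/.gpg-id` and re-encrypts everything under it to the new recipient list. The audit function is the check a practitioner wants before trusting such a layout: a secret whose only recipient is one person's key disappears with that key, so the team-wide root `.gpg-id` is the safer default and per-member sections should be the exception the thread describes, not the rule.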

If you can get away with it, try not to. It’s generally considered to be much better if you can set it up in such a way that everybody has their own set of login credentials even if they all have equivalent privileges. This way you don’t have to communicate any passwords (which means you don’t risk interception), people can set up things like two factor authentication on their own device (where applicable) and if a password does get leaked, it’s much easier to change the details of a single account than circulate a new password to everybody not to mention easier to audit if something malicious happens.

If you do share passwords, encrypt them with a strong key, and don’t send that key along with the encrypted login credentials - at a minimum, don’t send the decryption key along with the encrypted credentials in the same email for obvious reasons. https://keybase.io/ for instance is supposed to be fairly secure and probably good for sharing passwords.

LastPass seems alright and certainly a convenient mechanism for password sharing, although having a service where a lot of valuable passwords are stored in one place and that it’s a closed service where we don’t actually know the extent of their security procedures causes me some concern just because it’s such an inherently valuable target. I suppose the comforting thing is that if somebody does manage to break LastPass, it’s probably not your credentials that they’re after.

Edit: I’d not come across Keyringer before. It looks good.

1 Like

Hi!

Big fan of using Hashicorp Vault for access control. Though, I use lastpass for some personal/non-sensitive sites too.

I knew one company that would share the Keepass DB on a shared drive for relevant persons to open as necessary. Scarily, if you found the URL on the Box.com site, the db would be visible and easily accessible.

I use LastPass for most problems of this kind. It has high usability and is ubiquitous. I hear the concerns about centralisation and so on, but I am balancing this with having something that is usable and people can be easily on-boarded to. The fact this is the only thing and that they have a lot of eyes on them is a double edged sword - while it paints a big target on their back, it also means they have teams of people looking at and maintaining the systems and really worrying about this full time. As we have learnt from recent vulnerabilities, sheer boots on the ground does count for something rather than more loosely maintained projects.

I'd probably be inclined to use Gopass if I was working in a team of technologists or engineers end to end. It's a more team-focused version of Pass. I did try to use this with a mixed team and to be frank, it was very hard going and really doesn't have the usability. For my personal use I am inclined to migrate to this in time from LastPass. I especially like it that it simply wraps GPG.

Keybase is excellent and very user friendly for passing credentials from one person to another. It also has auto-destructing messages (so said passwords get erased) and is open source. I’ve also used Signal for the same reasons - many people seem to find it easy to add to their devices.

In terms of automated systems and shared code at Outlandish we used Ansible’s vault system, checking the passphrase into Git but wrapping the password in GPG using Blackbox - which is itself a simple set of scripts around GPG. Sadly Ansible does not support vaults for multiple users yet.

This worked well, even for automata. Indeed we had a pretty clever system where new machines (e.g. GitLab runners) booting up or being deleted would onboard themselves and then offboard themselves on deletion. Obviously one problem with this setup is strictly speaking one should rotate all the credentials when offboarding someone, which we would have to do painstakingly manually - a chance for further security engineering!

Very much hear @jaron’s thought - the proper answer when the answer seems to be “oh I need to share credentials” should be “do you?”.

1 Like

Keybase have been acquired by Zoom:
https://cmpwn.com/@sir/104127416516206721

Also, just as an update, I still currently use LastPass for my own password management and when I want to share a one time secret with someone I just use:

This is my self-hosted install of PrivateBin which I installed with one click using Cloudron.

And now that Bitwarden_rs is available as a Cloudron app too, I'm thinking of migrating my LastPass stuff over to that…