How do you share passwords amongst your team?


#1

I think @chris has installed Passman on our instance of NextCloud but not sure if anyone has actually got it working/had a play around yet? (although I note the demo on that site doesn’t seem to work at all, which doesn’t exactly inspire confidence :-/ )

I was also having a poke around StackShare last night and came across Passbolt which sounds good and is seemingly fairly widely used.

I’ve also been in various groups/projects who just whack login credentials into a shared Google Doc, which seems to work, but others here (e.g. @harry) have suggested that is not a good way to proceed.

What are you using to share passwords with multiple people?


#2

As a rule, you never ever store passwords in plain text, always encrypted. I have seen an organisation accidentally share a Google Doc with all their credentials in it by mistake. There are many horror stories out there.

You also want to generate super long random passwords. With the right software, you only need to remember one master password and then it’s just a matter of a copy and paste. That’s individual 128+ character passwords for everything.

If you need a password that you can remember, it’s best to choose six or more random words with a space between each. You can use KeePassXC for that.

I personally would stay away from browser/server based stuff. For my own stuff, I use KeePassXC and Syncthing to keep in sync between devices. No servers to compromise and everything is decrypted locally.

In terms of sharing within a group:
You could either share a keepass file which is synced between users using something like Nextcloud, Syncthing et al. Only ideal if you want everyone to have access to all credentials.

What we do in Autonomic is have a pass repo in git which is encrypted to members’ PGP keys, including sections only accessible to particular members (e.g. a user password that only that user needs to access). Pass is extremely flexible. We really should document our setup at some point, it’s really cool. Kudos to @lwm.

I guess if you want to go fully commercial/proprietary, I hear people use LastPass with degrees of success.

Hope that helps :smile:

Feel free to ask any questions folks. Tech nerds love talking about this stuff :nerd_face:


#3

Keybase is a useful tool just generally, and can also be used to share secrets/passwords between groups of people. It doesn’t integrate with web login forms like LastPass or Zoho, but it is great in all other respects.


#4

Yes, I’ve recently started using it and like it.

Why 128+ characters? I think I’ve randomly got LastPass doing 32 character random passwords but I guess I may as well increase it (although lots of sites - most bizarrely, I’ve most often seen this on online banking sites! - don’t even let you have long passwords!).

I get that the longer the better, just wondering out of interest why you chose to write 128+ and not some other number :slight_smile:

Thanks - that is the part of the answer I was really asking for :slight_smile:

I use LastPass for my own passwords, but I’m wondering how best to securely share passwords amongst a team of not very technical people, ideally using open source tools?

Why the space between the words? Why would e.g.:

thisisareallylongwellnotthatlongcollectionofwords

be less secure than:

this is a really long well not that long collection of words

?

I guess the spaces make it a bit longer, but they also make the beginning/ ends of the words easier to work out too, no? :slight_smile:


#5

128 characters is the default in KeePass I think :rofl:

For me it’s easier to remember the shape of the words. I don’t think it would impact security that much as the main factors are the length and randomness.

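Posts #2, #4 and #5 talk about the two kinds of secret a team ends up with: very long random passwords that live in a manager, and a passphrase of six or more random words that a human has to remember. The following is an added example, not code from any poster or from KeePassXC: it generates both with the OS CSPRNG and puts numbers on the two questions raised above (why length matters, and whether the spaces between words matter). The word list is a tiny constructed stand-in so the block runs offline; the entropy functions take the real list size as a parameter because that, not the separator, is what sets the strength.

```python
"""Generate and measure random passwords and multi-word passphrases.

Added example; the word list below is constructed and far too small for real
use (a real diceware list such as the EFF long list has 7776 words).
"""
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list (16 words -> 4 bits per word) so the example
# runs offline. Substitute a real list and pass its length to the entropy
# functions; only the list size and word count change the result.
WORDLIST = [
    "apple", "basket", "copper", "dragon", "ember", "fossil", "garlic", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
]


def random_password(length=128, alphabet=SYMBOLS):
    """Uniformly random password from `alphabet`, using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=6, wordlist=WORDLIST, sep=" "):
    """Diceware-style passphrase: n words drawn uniformly from a public list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices, count):
    """Bits of entropy for `count` independent uniform picks from `choices`."""
    return count * math.log2(choices)


def password_entropy(length, alphabet=SYMBOLS):
    return entropy_bits(len(alphabet), length)


def passphrase_entropy(n_words, wordlist_size):
    """Entropy of a passphrase against an attacker who knows the word list.

    The separator is deliberately not an input: such an attacker enumerates
    word sequences, so "this is a" and "thisisa" cost the same number of
    guesses. Spaces help the human, not the attacker.
    """
    return entropy_bits(wordlist_size, n_words)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try every candidate at the given (assumed) offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for length in (32, 128):
        print(f"{length}-char random password: {password_entropy(length):.0f} bits")
    print("passphrase, 6 words from a 7776-word list:",
          f"{passphrase_entropy(6, 7776):.1f} bits,",
          f"~{years_to_exhaust(passphrase_entropy(6, 7776)):.0f} years at 1e12 guesses/s")
    print("sample password  :", random_password(32))
    print("sample passphrase:", random_passphrase())
```

The numbers make the earlier points concrete: a 32-character password over 94 symbols is already about 210 bits, so the jump to 128 characters (about 839 bits) buys nothing against guessing; it is just the default. Six words from a 7776-word list give roughly 77.5 bits, which is out of reach of offline brute force at any plausible rate, and that figure is unchanged whether or not you put spaces between the words.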

#6

There is an open source version of LastPass called Bitwarden which is worth checking out.


#7

Within our support co-op we use LastPass.
Shared folders for each client make sharing login credentials a breeze really. If I add a login, then it autofills on my teammates computer when they go to that same URL. Neat!
There are some concerns over its cloud-iness, as well as the fact that it was bought up by LogMeIn. But I do actually have a good deal of faith in the whole zero-knowledge architecture so I feel confident that storing all of our MANY passwords in the cloud is not a security risk.


#8

https://packages.debian.org/sid/keyringer

It’s just a bash wrapper around git and gnupg …
So really nothing to go wrong at all and super easy to audit.

You can split keys by teams… So e.g. the data centre team can decrypt the system drives, but don’t have access to decryption passphrases for application VMs.

It’s in Debian so super easy to install and maintained.

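Both the pass setup in post #2 (sections only some members can decrypt) and keyringer in post #8 (the data centre team can read one set of secrets, the application team another) rest on the same mechanism: each secret is a GPG file encrypted to a list of recipients, and the recipient list is chosen per directory. The following is an added example, not code from pass, keyringer or any poster. It models pass's convention, where a `.gpg-id` file in a directory names the keys that everything beneath it is encrypted to and the nearest `.gpg-id` walking up from an entry wins (keyringer achieves the same split with its own recipient configuration). The store layout, key IDs and entry names are constructed for the example.

```python
"""Who can read what in a pass-style store: added example, not pass's own code.

The store below is a constructed, in-memory picture of a git repo. Keys are
listed by e-mail for readability; real `.gpg-id` files hold key IDs or
fingerprints. Entry names stand for `<name>.gpg` files.
"""
from pathlib import PurePosixPath

# Each `.gpg-id` lists the recipients for entries beneath that directory.
STORE = {
    ".gpg-id": ["alice@example.coop", "bob@example.coop", "carol@example.coop"],
    "servers/.gpg-id": ["alice@example.coop", "bob@example.coop"],  # ops team only
    "users/carol/.gpg-id": ["carol@example.coop"],                   # Carol alone
}

# Constructed entries. Note `users/bob/email` has no `.gpg-id` of its own.
ENTRIES = ["shared/wifi", "servers/db01/root", "users/carol/email", "users/bob/email"]


def recipients_for(entry, store=STORE):
    """Return the key IDs `entry` is encrypted to.

    Walks from the entry's directory up to the store root and uses the first
    `.gpg-id` found, which is how pass picks recipients on `pass insert`.
    """
    for parent in PurePosixPath(entry).parents:  # e.g. servers/db01, servers, .
        marker = ".gpg-id" if str(parent) == "." else f"{parent}/.gpg-id"
        if marker in store:
            return list(store[marker])
    raise ValueError(f"no .gpg-id above {entry}: store not initialised")


def can_read(key_id, entry, store=STORE):
    return key_id in recipients_for(entry, store)


def access_matrix(key_ids, entries=ENTRIES, store=STORE):
    """Map each entry to the members able to decrypt it; handy for an audit."""
    return {e: [k for k in key_ids if can_read(k, e, store)] for e in entries}


def entries_to_rotate(departing_key, entries=ENTRIES, store=STORE):
    """Secrets a departing member could decrypt and that therefore need changing.

    Removing the key from `.gpg-id` and re-encrypting (what `pass init` does)
    stops future entries reaching them, but the old ciphertexts are still in
    git history and on their machine, so these values must actually be rotated.
    """
    return [e for e in entries if can_read(departing_key, e, store)]


if __name__ == "__main__":
    members = ["alice@example.coop", "bob@example.coop", "carol@example.coop"]
    for entry, readers in access_matrix(members).items():
        print(f"{entry:20s} -> {', '.join(readers)}")
    print("rotate if bob leaves:", entries_to_rotate("bob@example.coop"))
```

Two things the matrix makes visible that are easy to miss in a real repo. First, `users/bob/email` falls back to the root `.gpg-id`, so all three members can decrypt it; a per-user section only restricts access once it has its own `.gpg-id` (`pass init -p users/bob <key>`), which is worth checking with something like this audit whenever the tree changes. Second, narrowing a recipient list is not revocation: anything the departing key could decrypt must be treated as disclosed and rotated, because the ciphertexts remain in git history.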

#9

If you can get away with it, try not to. It’s generally considered to be much better if you can set it up in such a way that everybody has their own set of login credentials even if they all have equivalent privileges. This way you don’t have to communicate any passwords (which means you don’t risk interception), people can set up things like two factor authentication on their own device (where applicable), and if a password does get leaked, it’s much easier to change the details of a single account than circulate a new password to everybody, not to mention easier to audit if something malicious happens.

If you do share passwords, encrypt them with a strong key, and don’t send that key along with the encrypted login credentials - at a minimum, don’t send the decryption key along with the encrypted credentials in the same email for obvious reasons. https://keybase.io/ for instance is supposed to be fairly secure and probably good for sharing passwords.

LastPass seems alright and certainly a convenient mechanism for password sharing, although having a service where a lot of valuable passwords are stored in one place and that it’s a closed service where we don’t actually know the extent of their security procedures causes me some concern just because it’s such an inherently valuable target. I suppose the comforting thing is that if somebody does manage to break LastPass, it’s probably not your credentials that they’re after.

Edit: I’d not come across Keyringer before. It looks good.