#1
Registered User
Devshed Newbie (0 - 499 posts)

Join Date: Jan 2014
Posts: 3
Rep Power: 0

What do you think is the best way to manage login credentials for a small company?

    I'm curious what you guys think the best way to manage a bunch of different logins and passwords for everything in the company.

    As per security guidelines, we're making sure all of our passwords around the net have different, secure passwords using strongpasswordgenerator.com. As you know, this makes remembering & manually entering passwords nearly impossible.

    My current idea is a simple spreadsheet (offline, not on Google docs) that can store and organize all the passwords, and then to password protect the spreadsheet.

From there, we'd need to make sure our top-levels have access to this file. I'd say we could put it on a network drive so that the file could be updated to add new credentials; however, this doesn't allow people to access the spreadsheet if they are at home or away from the office network. I suppose Dropbox could be an acceptable alternative, but I feel that's shying away from a 'secure' solution.

    My ultimate goal is a secure password profile around the net that wouldn't leave us compromised in the event of one login being cracked OR if an employee quits / gets fired and has an agenda, so we wouldn't have to go through and change every single password.

    Thoughts?
#2
Jacques1
Devshed Expert (3500 - 3999 posts)

Join Date: Jul 2012
Posts: 3,911
Rep Power: 1045

    Hi,

    first of all: please stay away from that password site. The idea of generating critical passwords with some dynamic JavaScript code from some website is already highly questionable. But those people do not even support HTTPS and have no idea how to generate secure random numbers.

And what the f*** is this?

    Code:
    //Removed "\\", because backslash character can cause problems when passwords are stored.
    (taken from http://strongpasswordgenerator.com/S...rdGenerator.js)

    Oh lord. I think that's pretty much the last place you want to get your passwords from.

    Use an established, trustworthy offline password generator like KeePass. It's really small and easy to install, so nobody should have any trouble with that.

    Regarding your original question: Don't do it. A spreadsheet with all passwords of your employees floating around on Dropbox is a security nightmare. It sounds like the beginning of a story about how some company got hacked.

    Let everybody manage their own passwords with a proper password manager like the already mentioned KeePass. If an employee leaves the company, you have to reset their passwords, anyway.
#3
Registered User
Devshed Newbie (0 - 499 posts)

Join Date: Jan 2014
Posts: 3
Rep Power: 0

    Originally Posted by Jacques1
    first of all: please stay away from that password site. The idea of generating critical passwords with some dynamic JavaScript code from some website is already highly questionable. But those people do not even support HTTPS and have no idea how to generate secure random numbers.
    Interesting perspective. Do you think the issue here is that these passwords aren't really 'random' (and could maybe be used in a bruteforce list themselves?).

If the issue is more so about these passwords possibly being intercepted by a 3rd party (due to the lack of HTTPS), I'm not sure how they would ever be able to realistically match that data up with the username and website. (edit: then again, if they were intercepted, they could be added to a list, so I see the flaw.)

    I do see your point though, and I didn't even consider that it didn't use HTTPS. I will check out the alternative you suggested going forward.

    Originally Posted by Jacques1
    Regarding your original question: Don't do it. A spreadsheet with all passwords of your employees floating around on Dropbox is a security nightmare. It sounds like the beginning of a story about how some company got hacked.
    That's what I was thinking, and why I was shying away from that solution. What about a self-hosted 'cloud' solution that was on our own server? I really like the versatility of a Google doc / Dropbox where logins can be added or modified while keeping the original file intact for everyone.

    Originally Posted by Jacques1
    Let everybody manage their own passwords with a proper password manager like the already mentioned KeePass. If an employee leaves the company, you have to reset their passwords, anyway.
This brings up another interesting point... in the name of security, what do you think is the best way to get these passwords out to people in the company? Instead of emailing and saying, "Hey, here's the password for X".

    Is there a type of password manager that can be used by multiple people (possibly with permissions for lower-level employees) that would maybe access the same password DB?
