Enterprise password manager

Soldato
Joined
12 Jan 2006
Posts
5,610
Location
UK
I am after a password manager for storing user/password information for service accounts, admin information etc.

What are you all using? I came across "Keeper" which seems great but is cloud based and I'm not sure I would trust cloud based password managers in case the back end got hacked.

Any good local bits of software out there?
 
Associate
Joined
24 May 2007
Posts
15
Teaboy, like you said, I would avoid cloud. I used to use a cloud-based wallet for my personal stuff (SPBWallet), then without any warning they shut down the service; luckily I only lost a few bits of data. I now use KeePass.info; it's free and open source, the downside is no iOS client.
 
Associate
Joined
1 Sep 2009
Posts
1,084
Soldato
OP
Joined
12 Jan 2006
Posts
5,610
Location
UK
RDM has password management and is a good tool in general for managing connection details of all types:

http://remotedesktopmanager.com/Home/Features#RemoteConnections

They also have a cut down version just for password vault use.

Came across this before and had issues and found out their support was crap.

Asked for advice as the permissions weren't working correctly and all I got back was a few lines saying thanks etc and a link to the video I had already used to setup the product!
 
Associate
Joined
1 Sep 2009
Posts
1,084
At least they're transparent and take the storage of passwords seriously.

It's not good enough. There was another incident a few years ago when vulnerabilities were discovered, so they have form on this, enough to make me have doubts about the quality of their platform.

It's all well and good having wonderful encryption for the vaults, but if they cough up user details like emails, security questions and password hashes (which can easily be matched to the plaintext versions) then they leave their users open to all sorts of attacks that can compromise passwords and systems in other ways.

I think it's irresponsible to use LastPass in an enterprise context.
 
Soldato
Joined
18 Oct 2002
Posts
6,365
Location
Bedfordshire
It's not good enough. There was another incident a few years ago when vulnerabilities were discovered, so they have form on this, enough to make me have doubts about the quality of their platform.

It's all well and good having wonderful encryption for the vaults, but if they cough up user details like emails, security questions and password hashes (which can easily be matched to the plaintext versions) then they leave their users open to all sorts of attacks that can compromise passwords and systems in other ways.

I think it's irresponsible to use LastPass in an enterprise context.

If anything the hack last year gave me confidence in their platform. There was a breach but the layers in their security prevented anything catastrophic happening.

To quote a comment from the article you linked to:

- They quickly identified, contained, and evaluated the scope of the breach
- They promptly notified users about the breach (within 72 hours)
- They are certainly doing proper password hashing (strong insurance policy)
- Vault data obviously isn’t stored on the same system as authentication data, evidence of strong segmentation
 
Associate
Joined
1 Sep 2009
Posts
1,084
If anything the hack last year gave me confidence in their platform. There was a breach but the layers in their security prevented anything catastrophic happening.

They prevented anything catastrophic happening on the LastPass platform, but having given up the other information whoever has it can use the information provided to attack LastPass customers in other ways.

If I have your email address, I can work out where you work. If I have the answers to your security questions, I can attack your other systems on the assumption that you use the same or similar answers for everything. I can use the email and security questions to craft a spearphishing attack with convincing, user-specific information in it. If I have your password hash, I can compare to hash databases and work out your plaintext password, and again use that on the assumption that you don't use unique passwords for each service or rotate them regularly.

Again - it's irresponsible to use LastPass in an enterprise context. I wouldn't even use it at home. The same goes for any of the cloud-based password managers - hackers go after them because they can obtain large amounts of data in bulk. I don't particularly trust local alternatives like KeePass but they're probably safer if you are competent enough to protect your password database.
 
Soldato
Joined
18 Oct 2002
Posts
6,365
Location
Bedfordshire
No you can't compare the hashes because they are salted and because of the way they've hashed it you're reduced to ~10,000 guesses per second. I can't remember what my master password used to be but it was over 20 characters and I suspect that is not unusual for your average lastpass user. It would take a very, very, very long time...

Yes the password reminder and email leak isn't ideal but you can easily set up a unique alias for each online service you use to mitigate that (I don't, I can't be bothered).

With IT security it all comes down to compromise, you can't stop people getting in and instead it's all about layers of defence and trade-offs (cost, ease of access, usability etc).

What do you use then? Excel spreadsheet? :p
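The salted, iterated hashing argument made in the post above, as an added example that is not from the thread or from LastPass: it shows why a per-user salt defeats lookup in a precomputed hash table and what a budget of ~10,000 guesses per second means for a long master password. The KDF parameters, sample passwords and table contents are constructed assumptions, not the real service's values.

```python
"""Added example (not from the thread): salted, iterated master-password
hashing versus precomputed hash tables, plus a brute-force time estimate.

Assumptions (mine, not LastPass's actual parameters): PBKDF2-HMAC-SHA256
with a 16-byte random salt; ITERATIONS is a constructed value.
"""
import hashlib
import hmac
import os

ITERATIONS = 5000  # constructed value; real vaults use far more


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated key derivation for a master password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def same_password_different_salts(password: str) -> bool:
    """Two users with the same password get unrelated hashes, so one leaked
    hash says nothing about another user, and no table covers both."""
    h1 = derive(password, os.urandom(16))
    h2 = derive(password, os.urandom(16))
    return h1 != h2


def precomputed_lookup_fails(password: str, salt: bytes) -> bool:
    """A table of plain SHA-256 digests (what a 'hash database' holds) never
    matches the salted PBKDF2 output, even when the password is in the table."""
    table = {hashlib.sha256(p.encode()).digest()
             for p in ("password", password, "letmein")}  # constructed table
    return derive(password, salt) not in table


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a candidate against the stored derived key."""
    return hmac.compare_digest(derive(password, salt), stored)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length when the
    iterated KDF limits the attacker to guesses_per_second attempts."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = derive("correct horse battery", salt)
    print(verify("correct horse battery", salt, stored), verify("wrong", salt, stored))
    print(f"{years_to_exhaust(62, 20, 10_000):.3g} years for 20 mixed characters")
```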
 
Associate
Joined
1 Sep 2009
Posts
1,084
No you can't compare the hashes because they are salted and because of the way they've hashed it you're reduced to ~10,000 guesses per second. I can't remember what my master password used to be but it was over 20 characters and I suspect that is not unusual for your average lastpass user. It would take a very, very, very long time...

Yes the password reminder and email leak isn't ideal but you can easily set up a unique alias for each online service you use to mitigate that (I don't, I can't be bothered).

With IT security it all comes down to compromise, you can't stop people getting in and instead it's all about layers of defence and trade-offs (cost, ease of access, usability etc).

What do you use then? Excel spreadsheet? :p

How do you know they didn't steal the salts as well? Very little is known about LastPass, they claim to have regular penetration tests but they don't publish them so you have no idea how good their security really is. Based on the events of the last few years where their security flaws have been highlighted and then they were badly compromised, I don't know how anyone can even think about using them. I mean, here are a couple more stories about how bad they are:

http://www.theregister.co.uk/2016/0..._millions_of_lastpass_users_who_visit_a_site/

http://www.theregister.co.uk/2016/0...lock_down_yeah_actually_thats_a_legit_attack/

I work for a security vendor that has a product that vastly surpasses LastPass. A lot of our new customers over the last few years have realised that LastPass is totally inadequate for any sort of enterprise use, both in terms of their features as well as their "security", and they've plumped for something actually suitable instead.
 
Associate
Joined
1 Sep 2009
Posts
1,084
Biased much? :p

What's the name of the product?

I'd rather maintain my privacy thanks, not keen on divulging my employer. If you actually spend some time doing research on this and look at what makes a good solution, you'll come across the guys I work for.
 
Associate
Joined
23 Oct 2002
Posts
428
Location
None of your business
We use a combination. For the wider IT team (so around 60 UK people with more joining) we have Thycotic Secret Server Enterprise (https://thycotic.com/products/secret-server/) which ties nicely into Active Directory and allows granular permissions on what can be accessed. Also has the nice add on product of allowing automated password resets rather than having to raise a ticket...

For the security team, we use Password Safe (https://pwsafe.org/). Nothing wrong with Thycotic but we wanted something away from the larger team; however, as we're now growing a second team up North, I'm designing the migration into the Secret Server world with all the correct setup. Only went with Password Safe as it was a lot better than the Excel spreadsheet that was used when I joined 18 months ago and we needed something quick, whereas getting us into Thycotic and getting it set up would have taken a lot longer than a day :(
 
Soldato
Joined
18 Oct 2002
Posts
6,365
Location
Bedfordshire
How do you know they didn't steal the salts as well? Very little is known about LastPass, they claim to have regular penetration tests but they don't publish them so you have no idea how good their security really is. Based on the events of the last few years where their security flaws have been highlighted and then they were badly compromised, I don't know how anyone can even think about using them. I mean, here are a couple more stories about how bad they are:

http://www.theregister.co.uk/2016/0..._millions_of_lastpass_users_who_visit_a_site/

http://www.theregister.co.uk/2016/0...lock_down_yeah_actually_thats_a_legit_attack/

I work for a security vendor that has a product that vastly surpasses LastPass. A lot of our new customers over the last few years have realised that LastPass is totally inadequate for any sort of enterprise use, both in terms of their features as well as their "security", and they've plumped for something actually suitable instead.

I wasn't defending lastpass for enterprise use but to say their security is 'garbage' is baseless.
 
Associate
Joined
1 Sep 2009
Posts
1,084
I wasn't defending lastpass for enterprise use but to say their security is 'garbage' is baseless.

Baseless? It's easy to be drawn in by their whole spiel about how strong their encryption is, but security is about way more than encryption.

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

This is from a few days ago. A vulnerability that allows someone to effectively steal all your passwords just by redirecting you to a custom URL.

So yeah, it's garbage.
 
Soldato
Joined
27 Feb 2003
Posts
7,171
Location
Shropshire
Baseless? It's easy to be drawn in by their whole spiel about how strong their encryption is, but security is about way more than encryption.

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

This is from a few days ago. A vulnerability that allows someone to effectively steal all your passwords just by redirecting you to a custom URL.

So yeah, it's garbage.

From that link

I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.

Resolved in less than 24 hours.

Do you guarantee that there are zero flaws in your product? I suspect not.
 
Associate
Joined
1 Sep 2009
Posts
1,084
Resolved in less than 24 hours.

Do you guarantee that there are zero flaws in your product? I suspect not.

Of course not, no software company does. But given the sheer number of vulnerabilities LastPass has had, it's clear that there is something fundamentally wrong with their approach. If they're managing passwords, and in particular admin passwords as is the context of this thread, then they need to design with security as the default position.

I think it's obvious that LastPass have instead designed their product for user convenience as a starting point. They haven't thought about how to secure the endpoints so that passwords can be used securely, they haven't thought about how their ancillary systems need to be secured, and they haven't secured their platform correctly - hence all the problems with it.

Fixing a bug in 24 hours, yeah that's good work - although who knows how long that vulnerability has been there? But the fact that such an elementary fault made it past their testers (if they even have any) suggests that their whole approach to engineering the software is wrong. It looks like they're not doing comprehensive code reviews from a security perspective, so who knows what other critical bugs they have that remain undiscovered.

To be fair, it's not just LastPass - Dashlane and 1Password have been found to have similar critical flaws. I wouldn't trust any of them to secure my personal passwords, and it's lunacy to use them in an enterprise setting. From what I'm hearing, auditors are starting to pay attention to companies that try and use these sorts of solutions, and not in a favourable manner.
 