Encrypted Password Storage Solution

Hey guys, the business I am currently working for retains all of their passwords in their heads and they're all very easy to break. What I would like to put in is a password retention solution, so they can use better passwords, but retain them in a database for reference if forgotten.

What would be the best solution?

Password protected/encrypted excel document in cold storage?

Password protected/encrypted excel in a sterile file location on a server?

Cloud based storage?

Also, what would be the most SECURE solution?

Cheers guys!
 
We use KeePass. File is held on a share restricted to certain users. Not suggesting it's the best solution, but it's encrypted and free. It also handles multiple users making changes and syncs all users' changes back to the file.
 
Not a software engineer or anything, but because this is open source, would it not be possible for black hats to reverse engineer the custom encryption process?
 
Not a software engineer or anything, but because this is open source, would it not be possible for black hats to reverse engineer the custom encryption process?

Knowing how something was encrypted doesn't give you the key that is required to decrypt it.
 
Not a software engineer or anything, but because this is open source, would it not be possible for black hats to reverse engineer the custom encryption process?

Well, technically the encryption process isn't 'custom': it uses standard, known encryption algorithms to encrypt things.

Basically Kerckhoffs's principle applies here:

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

http://en.wikipedia.org/wiki/Kerckhoffs's_principle

Now, where there can be issues is with the implementation of the cryptosystem: it's all very well using a tried and tested algorithm, but if, for example, the key generation is flawed and predictable, it then doesn't matter ;) It's usually the implementation that lets a cryptosystem down.
 
We have used KeePass in the past but don't now because it doesn't have individual user accounts to access it, and hence no audit trail of exactly who is accessing which password when. Of course that may not be an issue in your environment, in which case I would suggest it too.

(I can't say what we use now)
 
If you want true single sign-on with a built in password vault, so your users can access applications without even having to type the password in, you need to look at solutions like the following:

Oracle ESSO: http://www.oracle.com/us/products/m...ent/oracle-enterprise-sso/overview/index.html

Imprivata OneSign: http://www.imprivata.co.uk/

Evidian SSO: http://www.evidian.com/products/enterprise-sso/

Plus with these you can get provisioning, i.e. you as an admin can 'send' new or modified passwords directly to the user so they can use them without even knowing what the passwords are - great if you're onboarding new applications.
 
Knowing how something was encrypted doesn't give you the key that is required to decrypt it.

True, I don't even know why I asked the question really - Just wanted to be sure!

I'm building a database with KeePass now, seems like a good enough solution and it complies with PCI so we should be covered!
 
A product can't "comply with PCI", for what it's worth. Only your working practices can.

KeePass wouldn't "comply with PCI" if you left the database and the key file on a publicly accessible share for instance.
 
It would also run into issues in that the authentication to access the KeePass database is shared and hence is equivalent to a shared password. Combining that with no auditing of what passwords have been accessed once you have logged into KeePass with the shared credentials means you would likely be looking at a PCI audit failure.
 
I use KeePass and put the key file on a domain-auth-protected area on network storage, as well as a password. Then we all access the same file. It is only me that modifies the file. If you really wanted to, I guess you could change the permissions on the KeePass file so that only one person has write access. Never done that though, but I don't see why it would not work like any other file.
 