Ask HN: How do you manage passwords? Esp. for a company?

23 points by Jacqued ↗ HN
Everyone around here always says that you should not reuse passwords, make them long, complicated, impossible to crack with a dictionary, etc. I must admit, out of laziness, I have barely ever followed any of that advice.

How do you manage that ? Is there a foolproof and practical enough way to store the passwords somewhere secure ? (If they're random, 16+ char strings, I can't remember many of these).

More importantly : how do you manage them for a company ? I have recently started mine and am having trouble figuring a smart way to do it. For now we have a physical notebook where we write all of them down but I'm quite paranoid about losing it, and having some ill-intentioned person get their hands on it would be a real and complete catastrophe for us (it contains financial passwords, root passwords to our servers, etc.)

So what's a really secure way to manage passwords ? Especially when more than one individual needs to access it ?

18 comments

[ 5.2 ms ] story [ 47.2 ms ] thread
There's really just one answer to this - Lastpass with two-factor auth. Enterprise features described here: https://lastpass.com/enterprise/enterprise-features/

Replace Lastpass with any other secure password manager, and use any 2F auth you prefer, but that's the bog standard way to secure your passwords.

ssh keys with a way to revoke them.

pwgen 20, stored with the security manager.

I managed all my passwords with 1Password (with a recipe that is between 20 and 24 alphanumeric characters).

Since 1Password 4 it is possible to have multiple vaults - one of which I share with my colleagues via Dropbox. That way, everyone has access to the passwords if they know the master password for the vault AND have access to the shared Dropbox.

> Since 1Password 4 it is possible to have multiple vaults - one of which I share with my colleagues via Dropbox. That way, everyone has access to the passwords if they know the master password for the vault AND have access to the shared Dropbox.

My co-founder and I switched to that today, rather than me being the "gatekeeper", feels much better. I'm a dev, he's a marketing guy, and it works perfectly for us. 1Password is the best $35/head (With volume discounts available) you can spend to keep things safe and secure.

Much agreed - it just works which is great considering how secure passwords are always hard (to remember, to implement etc)
We use keepass, our .kdb is stored in a shared dropbox folder. I know this is not 100% safe, but it's infinitely more secure than the way we handled things before. Keepass is open source, free, and with KeepassX and MiniKeePass you can use it on Mac, IOS and Android, too.
The notebook will not be your point of entry.

You can say that to yourself at night before you go to sleep, if it helps. But, really, the notebook is not the problem.

My advice is to keep your eye on the ball, and do the big things that move the needle. Security is about layers, and there are a lot of layers that are bleeding right now, all over the industry.

There are also a lot of really good suggestions here for password management, if that's what you want to focus on.

We have a custom password database application. You request the to view a particular password or set of passwords, and then it goes through an approval chain to grant you access. Afterwards, you can see the password. Depending on the security requirements, these passwords are changing every 90-180 days so when you really need the password it's probably not the one you used last time.
I have them all in a text file and the text file is encrypted with an gnupg key.
I can't help but recommend our own product: http://teampasswordmanager.com

It's specially designed for groups that need to share passwords between several projects. Since it's a self hosted app, you install it wherever you want. It has 2FA, logging, IP blocking and more. Feel free to contact us for help.

We use SHA1_Pass. It does not store password data. It generates passwords as needed. The info required to generate the passwords is stored on our internal wiki. The secret sentence is only in our heads and never stored or written down anywhere and when an employee leaves, we change the secret sentence. Here is an example map.

http://16s.us/sha1_pass/map/

We use 1password then, for those who are sensitive one we do store it in the bank and few ppl have power to access it.
I think it starts with support/backing from stakeholders, perhaps the founders or someone in a position to dictate/enforce policy. Once the stakeholders are on board, then I think the next step is to decide if you want to implement a physical solution (aka Folder/Binder) or a digital solution (aka Software, or a Software related Process), or perhaps a combination of both. Each organization will be different, so the best choice(s) would likely depend on facilitating existing policy/process or existing practices/culture. For example, if there are remote workers, then a physical solution (aka Folder/Binder) might be a bad idea. Another example, if IT security is an afterthought, or the IT Infrastructure is not controlled/managed then a digital solution (aka Software based) might be a bad idea. It all depends on the situation/organization, so this will be a call that you need to make. In terms of managing the passwords, I would recommend a role based distribution on a need to know basis. In other words, if there is no reason for all the employees to know all the passwords, then do not give them all the passwords. Just give them the passwords they need to perform their job functions, and secure the passwords that they do not need elsewhere. Sometimes (especially in a startup or when the workforce is small), the lines between roles can be blurred, so your mileage may vary. But the general rule of thumb is the same; only give out what you need to give out at a minimum. I would also recommend setting and enforcing password policy. From my experience, the standard is 16+ characters, one upper, one lower, one special, one number, no words, no re-using, and it must be changed every 60-90 days. Many IT Systems allow you to set and enforce this via policy, for example in a Windows Environment you can set/enforce password policy via Active Directory. Another example, in a Unix/Linux Environment, you can use chage / passwd (or modify the shadow file directly, not recommended) and PAM. I would also recommend to audit frequently. I think the most important aspect of creating/enforcing policy is to let everyone know that it's nothing personal. Properly implemented security practices can be a pain in the ass. But effective Security is essential to protecting your assets. Getting the workforce on board is key. In most scenarios, your weakest point is internal (weather it is realized/intentional or not).