

Ask HN: How do you manage passwords? Esp. for a company? - Jacqued

Everyone around here always says that you should not reuse passwords, make them long, complicated, impossible to crack with a dictionary, etc. I must admit, out of laziness, I have barely ever followed any of that advice.

How do you manage that? Is there a foolproof and practical enough way to store the passwords somewhere secure? (If they're random, 16+ char strings, I can't remember many of these).

More importantly: how do you manage them for a company? I have recently started mine and am having trouble figuring out a smart way to do it. For now we have a physical notebook where we write all of them down but I'm quite paranoid about losing it, and having some ill-intentioned person get their hands on it would be a real and complete catastrophe for us (it contains financial passwords, root passwords to our servers, etc.)

So what's a really secure way to manage passwords? Especially when more than one individual needs to access it?
======
shawnreilly
I think it starts with support/backing from stakeholders, perhaps the founders
or someone in a position to dictate/enforce policy. Once the stakeholders are
on board, then I think the next step is to decide if you want to implement a
physical solution (aka Folder/Binder) or a digital solution (aka Software, or
a Software related Process), or perhaps a combination of both. Each
organization will be different, so the best choice(s) would likely depend on
facilitating existing policy/process or existing practices/culture. For
example, if there are remote workers, then a physical solution (aka
Folder/Binder) might be a bad idea. Another example, if IT security is an
afterthought, or the IT Infrastructure is not controlled/managed then a
digital solution (aka Software based) might be a bad idea. It all depends on
the situation/organization, so this will be a call that you need to make. In
terms of managing the passwords, I would recommend a role based distribution
on a need to know basis. In other words, if there is no reason for all the
employees to know all the passwords, then do not give them all the passwords.
Just give them the passwords they need to perform their job functions, and
secure the passwords that they do not need elsewhere. Sometimes (especially in
a startup or when the workforce is small), the lines between roles can be
blurred, so your mileage may vary. But the general rule of thumb is the same;
only give out what you need to give out at a minimum. I would also recommend
setting and enforcing password policy. From my experience, the standard is 16+
characters, one upper, one lower, one special, one number, no words, no
reusing, and it must be changed every 60-90 days. Many IT Systems allow you to
set and enforce this via policy, for example in a Windows Environment you can
set/enforce password policy via Active Directory. Another example, in a
Unix/Linux Environment, you can use chage / passwd (or modify the shadow file
directly, not recommended) and PAM. I would also recommend to audit
frequently. I think the most important aspect of creating/enforcing policy is
to let everyone know that it's nothing personal. Properly implemented security
practices can be a pain in the ass. But effective Security is essential to
protecting your assets. Getting the workforce on board is key. In most
scenarios, your weakest point is internal (whether it is realized/intentional
or not).
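
The "audit frequently" part of this advice can be scripted on a Unix/Linux host. The following is an added example, not code from the commenter or from any tool named in the thread: it parses lines in /etc/shadow format (constructed sample records, not real accounts) and reports accounts that violate the 90-day rotation rule stated above, have no maximum age enforced, or have an empty password field.

```python
import datetime as dt

# Policy from the comment above: passwords must be rotated every 60-90 days.
MAX_AGE_DAYS = 90

# Constructed sample in /etc/shadow format (fake hashes, fake accounts):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange is in days since 1970-01-01, as chage/passwd store it.
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehash:16000:0:99999:7:::
alice:$6$saltsalt$fakehashfakehash:16380:1:90:7:::
bob:!:16200:0:90:7:::
svc-backup::16300:0:90:7:::
carol:$6$saltsalt$fakehashfakehash:16380:0:90:7:::
"""

def days_since_epoch(year, month, day):
    """Convert a calendar date to the day count used in the shadow file."""
    return (dt.date(year, month, day) - dt.date(1970, 1, 1)).days

def parse_shadow(text):
    """Parse shadow-format lines into dicts with the fields the audit needs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        records.append({
            "name": f[0],
            "hash": f[1],
            "lastchange": int(f[2]) if f[2] else None,
            "max": int(f[4]) if f[4] else None,
        })
    return records

def audit(text, today_days):
    """Return {account: [findings]} for accounts that violate the policy."""
    findings = {}
    for r in parse_shadow(text):
        issues = []
        if r["hash"] == "":
            issues.append("empty password")
        elif not r["hash"].startswith(("!", "*")):  # skip locked/disabled accounts
            if r["max"] is None or r["max"] > MAX_AGE_DAYS:
                issues.append("no rotation enforced (max > %d days)" % MAX_AGE_DAYS)
            if r["lastchange"] is not None and today_days - r["lastchange"] > MAX_AGE_DAYS:
                issues.append("password older than %d days" % MAX_AGE_DAYS)
        if issues:
            findings[r["name"]] = issues
    return findings

if __name__ == "__main__":
    today = (dt.date.today() - dt.date(1970, 1, 1)).days
    for name, issues in audit(SAMPLE_SHADOW, today).items():
        print(name, "->", "; ".join(issues))
```

Run against the real file as root (`audit(open("/etc/shadow").read(), today)`); the sample dates are fixed, so with today's date every sample account shows as stale.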

------
zaroth
The notebook will not be your point of entry.

You can say that to yourself at night before you go to sleep, if it helps.
But, really, the notebook is not the problem.

My advice is to keep your eye on the ball, and do the big things that move the
needle. Security is about layers, and there are a lot of layers that are
bleeding right now, all over the industry.

There are also a lot of really good suggestions here for password management,
if that's what you want to focus on.

------
KiwiCoder
There's really just one answer to this - Lastpass with two-factor auth.
Enterprise features described here:
[https://lastpass.com/enterprise/enterprise-features/](https://lastpass.com/enterprise/enterprise-features/)

Replace Lastpass with any other secure password manager, and use any 2F auth
you prefer, but that's the bog standard way to secure your passwords.

------
caw
We have a custom password database application. You request to view a
particular password or set of passwords, and then it goes through an approval
chain to grant you access. Afterwards, you can see the password. Depending on
the security requirements, these passwords are changing every 90-180 days so
when you really need the password it's probably not the one you used last
time.

------
ksatirli
I managed all my passwords with 1Password (with a recipe that is between 20
and 24 alphanumeric characters).

Since 1Password 4 it is possible to have multiple vaults - one of which I
share with my colleagues via Dropbox. That way, everyone has access to the
passwords if they know the master password for the vault _AND_ have access to
the shared Dropbox.

~~~
codebeaker
> Since 1Password 4 it is possible to have multiple vaults - one of which I
> share with my colleagues via Dropbox. That way, everyone has access to the
> passwords if they know the master password for the vault AND have access to
> the shared Dropbox.

My co-founder and I switched to that today, rather than me being the
"gatekeeper", feels much better. I'm a dev, he's a marketing guy, and it works
perfectly for us. 1Password is the best $35/head (With volume discounts
available) you can spend to keep things safe and secure.

~~~
ksatirli
Much agreed - it _just works_ which is great considering how secure passwords
are always hard (to remember, to implement etc)

------
dirktheman
We use KeePass, our .kdb is stored in a shared Dropbox folder. I know this is
not 100% safe, but it's infinitely more secure than the way we handled things
before. KeePass is open source, free, and with KeePassX and MiniKeePass you
can use it on Mac, iOS and Android, too.

------
16s
We use SHA1_Pass. It does not store password data. It generates passwords as
needed. The info required to generate the passwords is stored on our internal
wiki. The secret sentence is _only in our heads and never stored or written
down anywhere_ and when an employee leaves, we change the secret sentence.
Here is an example map.

[http://16s.us/sha1_pass/map/](http://16s.us/sha1_pass/map/)
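
To make the scheme in this comment concrete, here is an added illustration; it is not SHA1_Pass's own code, whose exact algorithm the page does not give. A per-site password is derived from a secret sentence that is never stored plus a public map entry (label, version, length) that can live on a wiki; replacing the sentence changes every derived password, which is the offboarding property described above, but every service must then be updated with its new password. The derivation function here is HMAC-SHA256 rather than SHA-1, and the map format is invented for the example.

```python
import base64
import hashlib
import hmac

# Constructed map of the kind the comment keeps on an internal wiki.
# Only public data lives here; the secret sentence is never written down.
PASSWORD_MAP = {
    "bank": {"label": "bank.example", "version": 1, "length": 20},
    "root@db1": {"label": "db1.internal root", "version": 3, "length": 24},
}

def derive_password(secret_sentence, label, version, length):
    """Deterministically derive one password from the secret and map data.

    HMAC-SHA256 keyed with the secret sentence is this example's choice of
    derivation function. Bumping 'version' rotates a single password without
    touching the secret; changing the secret rotates all of them.
    """
    msg = ("%s|%d" % (label, version)).encode("utf-8")
    digest = hmac.new(secret_sentence.encode("utf-8"), msg, hashlib.sha256).digest()
    # Base64 gives letters, digits and '+' '/' (43 characters from 32 bytes);
    # the requested prefix keeps 6 bits of entropy per character.
    return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]

def all_passwords(secret_sentence, password_map=PASSWORD_MAP):
    """Regenerate every password in the map from one secret sentence."""
    return {name: derive_password(secret_sentence, e["label"], e["version"], e["length"])
            for name, e in password_map.items()}

def rotated(old_secret, new_secret, password_map=PASSWORD_MAP):
    """Names whose password changes when the secret is replaced: each of these
    must then be updated at the service itself, which is the cost of the scheme."""
    before = all_passwords(old_secret, password_map)
    after = all_passwords(new_secret, password_map)
    return sorted(n for n in before if before[n] != after[n])

if __name__ == "__main__":
    for name, pw in all_passwords("correct horse battery staple").items():
        print(name, pw)
```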

------
fbm
I can't help but recommend our own product:
[http://teampasswordmanager.com](http://teampasswordmanager.com)

It's specially designed for groups that need to share passwords between
several projects. Since it's a self hosted app, you install it wherever you
want. It has 2FA, logging, IP blocking and more. Feel free to contact us for
help.

------
reiz
I have them all in a text file and the text file is encrypted with an gnupg
key.

------
jparishy
We use Mitro[0]. We've been on it for a few months now and it works quite
well.

[0] [https://www.mitro.co/](https://www.mitro.co/)

------
meerita
We use 1Password. For the sensitive ones, we store them in the bank, and few
people have the power to access them.

------
petervandijck
[https://www.meldium.com/](https://www.meldium.com/) is awesome for that.

------
nodata
ssh keys with a way to revoke them.

pwgen 20, stored with the security manager.

------
ToniVlaic
I use RoboForm

------
borplk
KeePass

------
davidsmith8900
- This might help ~> [http://www.informationweek.com/security/client/10-top-passwo...](http://www.informationweek.com/security/client/10-top-password-managers/240153906)

