How does your team keep track of passwords?
If you work on a team, there will be shared resources (read: vendors) that require a password. From my experience, not all those vendors provide individual accounts for all who access them.
So, you’ve got a group password. How do you, the real-world you, store and share this information?
(I’ve got my own answer, and I’m curious how others do it)
Two things, though neither of them may directly answer the question:
1) If you're fine with "sharing" a master password (which I don't particularly recommend, but there are worse sins) then putting your user/pass sets into a plain text file, storing that file in a Truecrypt volume with a high-strength password, and putting the volume into a shared Dropbox folder is a very secure way of doing so. Best of all, it doesn't lock you in to any special file format.
2) Responding to several comments about complexity and password strength--the two are emphatically not linked. A very strong password need not be complicated. For instance, I'm comfortable telling you a huge amount of information about the very simple master password that encrypts all my bank account info:
- It's a passage from a famous work of literature.
- The original punctuation and spelling are intact.
- One word is different from the original text.
Even with this information being public, my password is still more secure than 99.9% of those in common use. It spans the keyboard, includes a large number of upper- and lower-case characters, punctuation, and numerals, and is invulnerable to dictionary attacks by virtue of being multiple words. The fact that one word varies from the source means that even if you had a "dictionary" of all classic literature you still wouldn't have the correct passage. All that being the case, it is not a complex password. It's incredibly simple, and if I told it to you, you could memorize it in five minutes.
The other approach that I'm fond of is pointing out to vendors that it creates a real security and privacy problem for an organization to require users to share passwords. Most of the time they need to hear it. Sometimes they listen.
I'm a big fan of KeePass. Like 1Password and PWSafe, you memorize one long "master" password, which is used to decrypt all your other passwords. KeePass, in particular, is nice because it's free and runs on a variety of platforms--Windows, OS X, Linux, and even my Android phone. (Stick to the 1.x versions if you want maximum compatibility.)
I would combine KeePass with something like Dropbox, which lets you sync files between different computers. I use it so that I always have my password file up to date whether I'm at work or at home, but you could use it to make sure everyone on the team has an up-to-date password file. I haven't tried, but I believe if you opt for the paid Dropbox accounts, you can even set up groups of users who have access to certain shared files. This also neatly avoids the problem of having to email passwords around to everyone for them to update their individual password files.
Storing passwords in Google Docs makes me nervous, personally.
I'm blissfully free of shared passwords for the time being, but at my last layover, there was a spreadsheet on the network. Hardly secure, but I'm not really sure that security and shared passwords synchronize very well. There were some things that the office manager held--her spreadsheet was actually password protected.
We use creative spellings of names of our famous former journalists.
Not to sound flippant, but I just memorize mine. They're not crazy complex (maybe that's bad?).
I keep my passwords in my Mac's Keychain Access, having to enter the password every time to remind me of the ones I don't memorize. We have a few standard office passwords that we change occasionally for the shared resources we use (for example for FeedBurner, and up until recently for the Google Webmaster account).
Your passwords should be complex, using a mixture of uppercase, lowercase and numbers, and at least 8 characters long. If you use weak passwords, or reuse the same password across accounts, then you are weakening your entire system. High-profile websites, especially news-related ones, are a constant target for hackers. You should use a program designed for storing passwords (as mentioned by Eli). It sounds like a pain, but it's something you need to practise. There are many tools which can automatically attack a computer by trying out thousands of common passwords; don't go using real words, ever.
Also, on Unix and related machines you can use passwordless authentication, which is often handy for getting to the machine to perform basic file manipulation. http://linux.die.net/man/1/ssh-copy-id
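The two posts above take opposite positions on dictionary words: the literature-passage post argues that a long multi-word phrase beats a dictionary attack, while the post just above says never to use real words and to meet an 8-character mixed-class rule. The following script, added here as an illustration and not code from anyone in this thread, puts numbers on both claims. It estimates the search space an attacker faces under two simple models (character-by-character brute force versus combining words from a wordlist) and checks the stated complexity rule. The wordlist is a constructed 14-entry toy; real cracking dictionaries hold millions of entries plus mangling rules, so the dictionary figures are deliberately pessimistic.

```python
import math
import re
import string

# Constructed stand-in for an attacker's wordlist. Real cracking dictionaries
# run to millions of entries (and include common years like "2010"), so the
# dictionary figures below are toy numbers meant only to show the shape of the argument.
DEMO_WORDLIST = {
    "correct", "horse", "battery", "staple", "it", "was", "the", "best",
    "of", "times", "worst", "password", "summer", "2010",
}


def charset_size(pw):
    """Alphabet size an attacker must cover if they only know which character classes appear."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1  # 32 punctuation marks plus space
    return size


def brute_force_bits(pw):
    """log2 of the search space for a character-by-character brute force."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_bits(pw, wordlist=DEMO_WORDLIST):
    """log2 of the search space for an attacker combining whole dictionary words.

    Returns None when some word is absent from the wordlist: a pure word-combination
    attack then misses the password (the "one word changed" idea from the thread).
    Real crackers add mangling rules, so None means "harder", not "safe".
    """
    words = re.findall(r"[A-Za-z]+|[0-9]+", pw)  # "Summer2010" -> ["Summer", "2010"]
    if not words or any(w.lower() not in wordlist for w in words):
        return None
    return len(words) * math.log2(len(wordlist))


def meets_policy(pw):
    """The rule stated in the thread: at least 8 characters with upper, lower and digits."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def assess(pw, wordlist=DEMO_WORDLIST):
    """Report the complexity-rule verdict and the search space under the cheapest modelled attack."""
    bf = brute_force_bits(pw)
    dic = dictionary_bits(pw, wordlist)
    effective = bf if dic is None else min(bf, dic)
    return {
        "policy_ok": meets_policy(pw),
        "brute_force_bits": round(bf, 1),
        "dictionary_bits": None if dic is None else round(dic, 1),
        "effective_bits": round(effective, 1),
    }


if __name__ == "__main__":
    for candidate in ("Summer2010",
                      "It was the best of times, it was the worst of times.",
                      "It was the best of times, it was the worst of tides."):
        print(f"{candidate!r}: {assess(candidate)}")
```

Run as written, "Summer2010" passes the 8-character mixed-class rule yet collapses to a handful of bits once the attacker tries dictionary words and years, while the unaltered Dickens line fails the rule (no digits) but still needs a far larger word-combination search; changing one word to something outside the wordlist defeats the plain word-combination attack entirely in this model. The takeaway for a team policy is that length and unpredictability matter more than class-mixing rules, and that a password manager removes the need to pick memorable strings at all.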
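Passwordless SSH via ssh-copy-id, as suggested above, moves the shared secret from a password into an authorized_keys file, so the thing worth reviewing becomes that file. The script below is an added example, not from this thread or from OpenSSH: it parses authorized_keys entries (including the comma-separated options field, which may contain quoted spaces), checks that each base64 blob really carries the declared key type, and flags entries a reviewer would question: obsolete ssh-dss keys, short RSA moduli, and keys with no from=, command= or restrict option, since such a key is a full login for whoever holds the private half. The sample file is constructed with dummy key bytes, not real keys.

```python
import base64
import struct

# Key types OpenSSH accepts in authorized_keys; ssh-dss is obsolete and flagged below.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}
# Options that confine what a key may do once it authenticates.
RESTRICTING_OPTIONS = {"from", "command", "restrict"}


def _split_options(line):
    """Split the leading options field from the key at the first space outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_options(field):
    """Turn 'from="10.0.0.0/8",command="rsync --server"' into a dict (commas inside quotes kept)."""
    opts, cur, in_quotes = [], [], False
    for ch in field:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            opts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if cur:
        opts.append("".join(cur))
    result = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        result[name] = value.strip('"') if value else True
    return result


def parse_blob(blob):
    """Decode the base64 blob into its length-prefixed fields (RFC 4251 strings)."""
    data = base64.b64decode(blob, validate=True)
    fields, pos = [], 0
    while pos < len(data):
        (n,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        fields.append(data[pos:pos + n])
        pos += n
    return fields


def parse_authorized_key(line):
    """Return {options, type, fields, comment} for one entry, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = {}, line
    else:
        opt_field, rest = _split_options(line)
        options = parse_options(opt_field)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed entry: " + line)
    key_type, blob = parts[0], parts[1]
    fields = parse_blob(blob)
    if fields[0].decode() != key_type:
        raise ValueError("blob type does not match declared type: " + line)
    return {"options": options, "type": key_type, "fields": fields,
            "comment": parts[2] if len(parts) == 3 else ""}


def rsa_bits(fields):
    """ssh-rsa blobs are [type, e, n]; the modulus length is the key size."""
    return int.from_bytes(fields[2], "big").bit_length()


def audit(text, min_rsa_bits=2048):
    """Return (entry label, finding) pairs for everything a reviewer should question."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_authorized_key(raw)
        if entry is None:
            continue
        who = entry["comment"] or f"line {lineno}"
        if entry["type"] == "ssh-dss":
            findings.append((who, "obsolete ssh-dss key"))
        if entry["type"] == "ssh-rsa" and rsa_bits(entry["fields"]) < min_rsa_bits:
            findings.append((who, f"RSA modulus under {min_rsa_bits} bits"))
        if not entry["options"].keys() & RESTRICTING_OPTIONS:
            findings.append((who, "unrestricted key: no from=, command= or restrict"))
    return findings


def make_blob(*fields):
    """Build a base64 key blob from RFC 4251 strings; used only to construct the sample below."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys; key material is dummy bytes, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-ed25519 " + make_blob(b"ssh-ed25519", b"\x11" * 32) + " alice@laptop",
    'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 '
    + make_blob(b"ssh-ed25519", b"\x22" * 32) + " backup-job",
    "ssh-rsa " + make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 128) + " legacy-1024",
    "restrict ssh-ed25519 " + make_blob(b"ssh-ed25519", b"\x33" * 32) + " deploy",
])

if __name__ == "__main__":
    for who, finding in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{who}: {finding}")
```

For a shared team account this audit, plus setting PasswordAuthentication no in sshd_config once keys are in place, turns "who knows the password" into "whose key is in the file", which is a list you can actually review and prune when someone leaves.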
Is there a role for OAuth here? That seems to be the "right" way.
Ha, I wish we did. There are a couple of people who know all the logins, and when I need something I go find one of those people. Then I save the password in my browser. :P
If my Gmail account was compromised, or if I lost a laptop or smart phone, why can't I just log on to Google from a different computer and change my Google password?
I keep a master password document on Google Docs for my office. I then put whatever passwords I want to share in individual Google documents and share them with the people who need them. That way I can edit the documents with changed passwords and share or un-share them at will.
We have a small team - so we use Google Docs.
I suppose if the team was bigger this would eventually become a security risk.