9

Looking for a system to store the many credentials I use as a consultant/contract programmer. While I know I could use KeePass or similar for desktop use, or something like PassPack for web based (client side encryption) password storage, even Evernote could be used to create a 'notebook' for each client/project with the sensitive data encrypted - what I'm looking for is a service that provides:

  • Storage of different credentials (WPA Keys, Software Licenses, Amazon API keys).
  • Secure way to request credentials, without forcing a signup.

I'd probably be okay with storing various data as passwords - the big thing is getting the data. While PassPack has a 'sharing' interface, it would force clients to sign up. I'm looking for something that simplifies public/private key encryption so I can tell a client, "Don't e-mail it to me, just go to ___.com/tjlytle and fill in the form."

Have I missed whatever site does that?

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
Tim Lytle
  • 511
  • 3
  • 14
  • 1
    I'm building this for myself and my clients and employee and partners; if no one answers I guess there's a business ready to happen... – Devin Ceartas Sep 02 '09 at 02:08
  • @Devin Yeah, that's what I'm thinking, I'm just looking for an existing solution before taking a shot at writing something. How far along are you? – Tim Lytle Sep 02 '09 at 02:28
  • Just thought I'd point out, found a related post on super user (http://superuser.com/questions/255/how-do-you-keep-track-of-all-your-passwords), after posting here, but didn't see anything with the 'request' feature I'm looking for. – Tim Lytle Sep 02 '09 at 02:29
  • @Devin PassPack's crypto libraries are open sourced, but Clipperz whole system is open (http://www.clipperz.com/open_source/clipperz_community_edition), maybe that's a good starting place? – Tim Lytle Sep 02 '09 at 03:48
  • Here's another JS library (https://www.pidder.com/pidcrypt/), and it seems to be part of another web based password management site. Since the library supports RSA (passpack uses AES) they may be working on the public/private 'send a password'. – Tim Lytle Oct 11 '09 at 04:06

5 Answers5

3

Having worked for "managed services" firms in the past, I've looked for something like this but never found it. I haven't had the time or inclination to write such a thing since starting my own business, but there's definitely a market for it. It would definitely be handy for internal use inside an IT organization of more than 1 person, too.

I've seen too many kluged "solutions" using things like "Password Safe" that don't have strong (or any) auditing mechanisms. It's a huge pain to change all the passwords in the "safe" when someone leaves the company. Keeping the passwords stored server-side with granular access mechanisms and an audit trail would make life a lot easier in such an eventuality.

Features that I'd like include:

  • Authentication for individual users to the database such that an audit trail can be generated. Ideally the authentication system would use plain ol' HTTP authentication.

  • Your "access without signup" ("request" feature) sounds like using a unique URL as a "shortcut" to bypass authentication for a given credential that can access a single password. That sounds pretty straightforward to implement. When you create that one-time use credential you should have some kind of metadata to describe why the credential was created (for reporting).

  • Reports showing what passwords were accessed by which users to allow only the ncessary passwords to be changed when someone leaves the company. Once the data is in a database back-end this is easy.

  • Password expiration dates. I'd use these to drive scripts to perform automated password rotation and check-in of new passwords to the system. Often I've got things like service account passwords that I don't want to be subject to operating system password aging requirements but, at the same time, I'd like to have the passwords change once in awhile.

A database back-end with a web CRUD interface all wrapped up in SSL ought to work fine for this.

It shouldn't be too much work to knock together something quick and dirty, but making it really polished and clean (with a nice client API) would probably be some work.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • Sounds like a pretty robust system, while I'm just looking for a single user system (as a consultant) your feature list is much more comprehensive. About the request feature, I'm not looking for one time access *to* a password, just the ability to *add* a password. So a client can fill in the password, what it's for, etc, then have that encrypted with my public key, so they're 'sending' me the credentials in a secure way (sure, they could send me an encrypted e-mail, but I'm looking for something simple for them). – Tim Lytle Sep 02 '09 at 17:16
  • Oh! I misunderstood your request feature. What you're describing, being able to put a password into the database, also sounds very handy! Guess it would help if I read things, eh? >smile – Evan Anderson Sep 02 '09 at 17:29
  • A side-note: I'd be willing to throw $500 to somebody who developed such a thing with either a BSD-style or GPL-style license. Anybody interested should contact me offline and we can talk about doing a requirements document and a contract for the work. – Evan Anderson Sep 02 '09 at 17:33
2

We use our aforementioned pidCrypt library in pidder (https://www.pidder.com) - a web based platform that focuses on managing and sharing secrets (passwords, messages, identity information, etc.) securely.

We already had a "dropbox" feature on our todo list, albeit with little priority and scheduled for a later release. After stumbling upon this question, we decided to have it implemented at the start of our open beta later this year.

So, while the main features will require registration, there's also going to be a "dropbox" where anyone can send encrypted messages to a registered user provided they know his or her dropbox URL.

Jonah
  • 21
  • 2
1

There are at least two online password managers which are free software:

W3PW

http://w3pw.sourceforge.net/

Clipperz

http://www.clipperz.com/open_source/clipperz_community_edition

Both look quite good (haven't used them yet).

The only feature missing, as far as I can tell, is the ability to add a password without having an account (if I understood you correctly).

This should not be too hard to add, though, so it might make sense to build onto one of these products. That's the point of free software, after all :-).

One way would be to implement a feature that lets you limit a user to adding new passwords. Then you could just create a "addpassword" user with default (or empty) password, and send that to clients (or implement a feature to create a URI which preauthenticates you, so you can just send a link). That should work and be secure...

sleske
  • 10,009
  • 4
  • 34
  • 44
0

I have found LastPass to be a wonderful password manager for my passwords. Check out the feature list.

Though I am also on a quest for the best (yet affordable) enterprise worthy password manager.

Community
  • 1
Nathan Hartley
  • 1,660
  • 5
  • 26
  • 40
0

One solution I've found (for just getting the passwords) is to encrypt it in javascript, retrieve the encrypted data (via email/browser) then manually decrypt it locally (so the unencrypted data never travels unsecured). It's not polished, but it would essentially be the same as having the client encrypt and send the password - only they could do it simply in a web form.

Here's an example.

Tim Lytle
  • 511
  • 3
  • 14