January 21, 2009 at 12:59 pm #2157748
Maintaining a password list.
Locked · by boxfiddler · about 14 years, 4 months ago
I work part-time for a small not-for-profit. I’m the IT person on premise. I’ve been pushing our few users to institute strong passwords, as we maintain a lot of financial data, along with data subject to HIPAA regulation.
I’d like please, your recommendations as to how, and where to maintain a password list for those who need to reference other accounts periodically.
None of my file cabinets lock, and the safe doesn’t always open.
Thumbs promised. 🙂
-
January 21, 2009 at 12:59 pm #2749568
Clarifications
by boxfiddler · about 14 years, 4 months ago
In reply to Maintaining a password list.
Clarifications
-
January 21, 2009 at 1:02 pm #2749560
e-mail
by jszivos · about 14 years, 4 months ago
In reply to Maintaining a password list.
You should e-mail the account(s)/password(s) to their work e-mail address. This guarantees that they have access to it, without compromising the security.
-
January 21, 2009 at 1:09 pm #2749553
G-mail is used…
by boxfiddler · about 14 years, 4 months ago
In reply to e-mail
without downloading email to user PC’s. The passwords would be sitting on g-mail servers, which doesn’t strike me as a good idea. If we brought mail onto our own machines, this might be workable.
-
January 21, 2009 at 1:11 pm #2749550
Yup, that’d be my choice too. It’s just a pity …
by older mycroft · about 14 years, 4 months ago
In reply to e-mail
I won’t get a Thumb simply for agreeing. 😉
-
January 21, 2009 at 8:24 pm #2751656
How about a hug instead?
by boxfiddler · about 14 years, 4 months ago
In reply to Yup, that’d be my choice too. It’s just a pity …
No?
-
January 21, 2009 at 8:59 pm #2751636
Yo !! – BIG MOMMA !! :D
by older mycroft · about 14 years, 4 months ago
In reply to How about a hug instead?
😉
-
January 21, 2009 at 9:07 pm #2751633
Don’t make me
by boxfiddler · about 14 years, 4 months ago
In reply to Yo !! – BIG MOMMA !! :D
start yanking all the thumbs I’ve given you… 😀
-
January 22, 2009 at 10:40 am #2750451
“BIG”? :0
by jdclyde · about 14 years, 4 months ago
In reply to Yo !! – BIG MOMMA !! :D
oh…. my….. gawd……..
-
January 22, 2009 at 3:48 pm #2749260
STOP IT !! You’ll drop me in it !! ….
by older mycroft · about 14 years, 4 months ago
In reply to “BIG”? :0
I might have just overstepped the mark.
It’s a ‘private’ joke, but now it’s all gone public.
Oops… :0
-
January 22, 2009 at 5:55 pm #2749222
Drop IN? Just how big are we talking here?
by jdclyde · about 14 years, 4 months ago
In reply to STOP IT !! You’ll drop me in it !! ….
:0
:p
-
January 22, 2009 at 7:35 pm #2749174
JD
by boxfiddler · about 14 years, 4 months ago
In reply to STOP IT !! You’ll drop me in it !! ….
don’t make me start taking back your thumbs, too. 😉 😀 :0
-
January 22, 2009 at 4:11 pm #2749255
He can’t drop you
by boxfiddler · about 14 years, 4 months ago
In reply to “BIG”? :0
in what you’re already in. 😀 😀 😀
-
January 22, 2009 at 8:49 pm #2749163
Mmm…
by older mycroft · about 14 years, 4 months ago
In reply to He can’t drop you
I wasn’t aware that I’d free-fallen that far.
GOSH !!! :0
-
-
January 21, 2009 at 8:22 pm #2751657
While not workable due to factors mentioned above,
by boxfiddler · about 14 years, 4 months ago
In reply to e-mail
I can keep something on my own computer under my own account. Hadn’t thought of that. Thank you.
-
January 22, 2009 at 5:29 am #2751493
-
January 22, 2009 at 8:36 am #2750584
Yeah.
by boxfiddler · about 14 years, 4 months ago
In reply to emailed passwords would only work
E-mailing login passwords doesn’t strike me as a good idea…
And that’s what we’re talking about.
Which of course I didn’t make clear.
Thanks.
-
-
-
January 21, 2009 at 1:19 pm #2749546
Ask an easy question why don’t you Davette. :(
by oh smeg · about 14 years, 4 months ago
In reply to Maintaining a password list.
No Locking Filing Cabinets and a safe that may not work then you throw in the bit about G Mail don’t make it easy do you?
Well for starters what regulations do you need to comply with? I’m assuming that there is some regulation involved here and sticking the Password on a Sticky Note to the bottom of a Keyboard isn’t an option either. Though many end users do things like this.
Provided it’s allowed you may be stuck with a Password Manager that is Password Protected on the Admin’s, Your workstation. It really depends if there are any Compliance Issues involved here.
Drop me a PM and I’ll see what I can do to help you out here.
Col
-
January 22, 2009 at 6:45 am #2751409
Try password safe
by ajaxnii · about 14 years, 4 months ago
In reply to Ask an easy question why don’t you Davette. :(
I would try using password safe for them and they can have it on their machines. It will store all the passwords they need and can only be accessed by them.
-
January 22, 2009 at 8:37 am #2750581
Thanks for the thought
by boxfiddler · about 14 years, 4 months ago
In reply to Try password safe
but we’re talking Windows log-in passwords. No use to them on their own machines if they can’t log in.
-
January 22, 2009 at 5:07 pm #2749235
Then they can not do any damage
by oh smeg · about 14 years, 4 months ago
In reply to Thanks for the thought
I would have thought that was so obvious. :^0
But other users could have the Different users’ Passwords stored in their List so that provided one can log in they will have access to the passwords if required. 🙂
Col
-
January 23, 2009 at 9:53 am #2748912
Another vote for Password Safe
by glennaaa2 · about 14 years, 4 months ago
In reply to Thanks for the thought
I believe an electronic password safe is definitely preferable to a printed list somewhere. “Password Safe” <http://passwordsafe.sourceforge.net/> is the best I’ve come across and we use both individual password dbs and a shared db on our file server.
If someone can’t remember their Windows login, though, how are they ever going to remember the master combination to the password safe? I think your users need to meet you half way here and at *least* be able to choose a login password they can remember.
An old trick I’ve used is to take the first letter of each word in a favorite quote, phrase, song lyric, etc. and then substitute zeros for ohs, ones for “i”s and lowercase “el”s, threes for “e”s, etc. and then throw in a few capital letters and some punctuation.
For example: “this land is my land, this land is your land” could become “T11m1,t1iy1!”.
Or biometrics, as other posters have suggested. Lenovo includes fingerprint readers on most of its ThinkPad laptops for a reasonable price, and add-on fingerprint readers are also available inexpensively.
—
Cheers, Glenn
-
-
-
January 21, 2009 at 1:23 pm #2749536
Oxymoron
by churdoo · about 14 years, 4 months ago
In reply to Maintaining a password list.
Well using the terms “Strong Passwords” and “password list” in the same context is a bit of an oxymoron, but you did say a small non-profit, so I understand.
I like the email idea too, but since that’s a no-go, can we assume that the person will at least know their own password and can log on to the network as himself/herself? If so, you can create a folder on the network (and I’m assuming an Active Directory network in place and maybe that’s too much of an assumption), nonetheless a folder on a network drive permissioned such that only those that should have access to view the document, do.
If you don’t have a central network, i.e. peer-to-peer, then you’re talking about a physical list which I guess a small locking cash box or key box mounted on the wall you can pick up real cheap from office supplies can hold a folded up list.
-
January 21, 2009 at 2:31 pm #2749442
Yes, it is.
by boxfiddler · about 14 years, 4 months ago
In reply to Oxymoron
Long story short…
At least two users have problems remembering their own weak passwords. Ah, the joy! 😀
-
January 21, 2009 at 3:29 pm #2749400
Bloody Hell Boxy
by oh smeg · about 14 years, 4 months ago
In reply to Yes, it is.
You really are a Masochist aren’t you?
Just how much worse does it get?
Can these people at least read or are they Illiterate too?
At least tell me the building that they are in is lockable and possible to secure please, or are they stealing a WiFi Hot Spot in a park.
Maybe set every password to the same thing and use that. That way when someone forgets another can tell them unless they all forget at the same time after a Long Weekend on the turps. :0
Let me make a wild guess here the two that can not remember their own Weak Passwords are the ones using their names as the Passwords right? 🙂
Col
-
January 21, 2009 at 8:27 pm #2751653
Highly literate
by boxfiddler · about 14 years, 4 months ago
In reply to Bloody Hell Boxy
and very well educated in their respective fields. Smarter than I am, each one of them. Until it comes to computers, data, security, etc…
-
January 21, 2009 at 8:48 pm #2751642
So I take this to mean that they are Medical People right?
by oh smeg · about 14 years, 4 months ago
In reply to Highly literate
If that’s the case God Help you because no one else is going to. :p
You could become the Experiential Patient for new treatments dreamed up by this crowd. Did you actually read that Contract that you signed? :^0
Now back to the immediate problem you need something to hold Passwords on/in, in some sort of Secure Location at the Office come Community Park with the WiFi Hot Spot.
You will obviously have this stored on the Admins System as an Encrypted File and probably be a good idea to store it Off Site on something convenient so I’m assuming that will be a USB Thumb Drive. Just remember that these are not to be considered as Reliable so make sure that you have copies of the Thumb Drive and the Encryption Key Here Boxy. Just don’t rely on it as the Last Resort it will come and bite you Big Time.
Do they have a Drugs Cabinet here? Those have to be locked and easily accessed so that may be a convenient location to store a Paper List of Passwords stuck under a Shelf with something like Blue tack.
If you were to rely on your Workstation there that would mean that they all need access to it and that isn’t a clever Idea so you need somewhere to store an envelope or a couple with the Users’ Names on the Front of them. When they get opened change the Password and write it down and seal it inside another envelope.
No matter what you do here it’s going to be a nightmare to administer and remember that when you use the shorthand M$ to these people it doesn’t mean Microsoft it means an Incurable Disease which was around a long time before M$ was. You’ll get some funny comments about Incurable Infected computers if you don’t remember that. 🙂
OK as you know what is available there you’ll need to look around and find something suitable but I wish you a lot of Luck in trying to get them to stick to an accepted System after it is setup. You’re going to need it.
Whatever possessed you to agree to doing this in the first place?
Anyway the offer is open if you need any help just PM me and I’ll see what I can do to help.
Col
-
January 21, 2009 at 9:13 pm #2751629
No drugs, no scripts…
by boxfiddler · about 14 years, 4 months ago
In reply to So I take this to mean that they are Medical People right?
Everyone logs into their own computer as an Administrator. No network, just Internet access. I have been, PC by PC, shoring up security issues.
My contractual position is related to finance and books. It’s a blessing for them that I am (barely! 😀 ) computer literate, and keep up a bit on security and data maintenance.
I ‘lucked’ into it. And lordie, somebody needs to do it, or when something happens we have to wait and juggle PC’s for days to get a pro in.
Thanks Col.
PS At least a couple of them know eggzackly what I mean when I say ‘Uncle Billy’. 😀
-
January 22, 2009 at 5:34 am #2751491
simple recall failure does NOT reflect “smater”
by jdclyde · about 14 years, 4 months ago
In reply to Highly literate
Send these memory deficient people to a memory management class. Here is one.
http://www.youtube.com/watch?v=5GFuxb__z9c
Remembering a password has nothing to do with being good with computers.
-
January 22, 2009 at 8:40 am #2750578
ROFLMAO!!!
by boxfiddler · about 14 years, 4 months ago
In reply to simple recall failure does NOT reflect “smater”
Thanks for the giggle! 😀 😀 😀
-
January 22, 2009 at 5:12 am #2751504
If the persons in question forget their passwords….
by peconet tietokoneet · about 14 years, 4 months ago
In reply to Yes, it is.
Then just say to them “it will cost you $$”, I bet they will start to remember then.
It is funny, as soon as you hit their pockets they start to remember. Either that or you are their own password person, so they do not need to remember because you are there to do it for them. I read that you are working for a non-profit company, but the people in question can afford the usb memory sticks. This little gadget just plugs into the usb socket and it does passwords on the fly.
More info here:
https://www.ironkey.com/
-
January 22, 2009 at 8:41 am #2750574
Thanks PT.
by boxfiddler · about 14 years, 4 months ago
In reply to If the persons in question forget their passwords….
.
-
-
-
January 21, 2009 at 1:33 pm #2749519
Encrypted flash drive or floppy?
by seanferd · about 14 years, 4 months ago
In reply to Maintaining a password list.
But how many people would have access and need to remember a password for that?
-
January 21, 2009 at 8:28 pm #2751652
I’ve thought about that.
by boxfiddler · about 14 years, 4 months ago
In reply to Encrypted flash drive or floppy?
Where would I keep it? And the only other person who should have all the account passwords keeps everything in his/her blackberry. Not.
-
January 22, 2009 at 1:22 am #2751566
Consider a small firesafe?
by seanferd · about 14 years, 4 months ago
In reply to I’ve thought about that.
I don’t know what requirements you are working with exactly, as far as what would be security-compliant if you were in the position for some kind of audit.
I see that keeping them encrypted on your own machine has been mentioned, and also that your on-site time is limited. Is the other authorized person always there when you aren’t, and can said person “play by the rules”?
-
January 22, 2009 at 8:44 am #2750571
We do have a small firesafe now.
by boxfiddler · about 14 years, 4 months ago
In reply to Consider a small firesafe?
That would be the one that doesn’t always open. 😀
To answer your question, no and no.
I’m getting some ideas from you folks though. Sooner or later something will take shape that is workable. Thanks seanferd.
-
January 22, 2009 at 11:57 am #2750389
Say, somewhere in here
by seanferd · about 14 years, 4 months ago
In reply to We do have a small firesafe now.
I thought I saw you make mention of trying to explain the importance of strong passwords to some of the folks in the organization. I just saw this article that delivered a short non-technical explanation that I think would be good for certain “learning styles”.
How Hackers Will Crack Your Password – Hacked Off – Dark Reading
-
January 22, 2009 at 12:13 pm #2750374
-
-
January 22, 2009 at 10:10 am #2750476
Or even a truecrypt container
by dumphrey · about 14 years, 4 months ago
In reply to Encrypted flash drive or floppy?
on a network share. Each user could have one with a unique password, giving them access to the other passwords they may need. Meaning they need to remember Windows login, email, and truecrypt. And even better, you can assign them passwords for truecrypt, and keep a master list encrypted in your own container.
[edit] Okay, just read the rest of the posts, no network. So, truecrypt on a flash drive with synchback freeware (http://www.2brightsparks.com/freeware/freeware-hub.html) set to keep several generations of copies on the HD.
-
-
January 21, 2009 at 2:50 pm #2749422
Now, is this for 1 person or many?
by the scummy one · about 14 years, 4 months ago
In reply to Maintaining a password list.
I have in the past told people to burn it to a cd and keep it in a safe locked place.
CDs are cheaper than flash drives, however having a backup is still good.
I also know a department that has encryption keys stored on 2 CDs in 2 places where 2 people have access, and each person stores their own password for the encryption key as well (different location).
I am sure I can help if I know more about what your needs are.
Oh yeah, using most mail clients you can tell it not to store on the server, however they are still going through the Internet to get there.
1 thing to try is to have them create an email, but don’t address it, and copy it to a folder on their HDD keeping it from ever hitting the gmail servers
-
January 21, 2009 at 5:25 pm #2749350
Seven employees
by boxfiddler · about 14 years, 4 months ago
In reply to Now, is this for 1 person or many?
including myself with computer access. Six computers, not networked, not even p2p.
-
January 21, 2009 at 8:30 pm #2751651
Now that is an idea of sorts.
by boxfiddler · about 14 years, 4 months ago
In reply to Now, is this for 1 person or many?
Perhaps they could keep them at home. I think we should have a safe deposit box, but I don’t think that will happen soon.
-
-
January 21, 2009 at 4:03 pm #2749384
Here are some more suggestions
by rob miners · about 14 years, 4 months ago
In reply to Maintaining a password list.
and it looks like you are going to have to use the KISS principle and keep it simple.
It doesn’t only happen with volunteers either.
http://techrepublic.com.com/5206-10878-0.html?forumID=12&threadID=19045&start=0
-
January 21, 2009 at 8:31 pm #2751648
Thanks Jacky.
by boxfiddler · about 14 years, 4 months ago
In reply to Here are some more suggestions
Some ideas there.
-
January 21, 2009 at 8:33 pm #2751646
Home grown into the bargain
by rob miners · about 14 years, 4 months ago
In reply to Thanks Jacky.
sometimes I can find things here. 😉
-
January 21, 2009 at 9:08 pm #2751632
I can’t.
by boxfiddler · about 14 years, 4 months ago
In reply to Home grown into the bargain
Once in awhile I stumble into what I’m looking for when searching for a specific thing, but not often. I’ve got a post of my own that I’ve been looking for and can’t find! 😀 😀 😀
I know who the ‘go to’ guy around here is now. 😉
-
January 22, 2009 at 12:25 pm #2750365
I don’t know about that
by rob miners · about 14 years, 4 months ago
In reply to I can’t.
Ropes is pretty good at finding things. 😉
-
-
-
January 21, 2009 at 4:53 pm #2749359
More info…
by boxfiddler · about 14 years, 4 months ago
In reply to Maintaining a password list.
We are a very small mental health organization that relies entirely on charitable donations and international, federal, and state grants for funds.
We are subject to HIPAA standards/regulation, in addition to being accountable under the blizzard of grant requirements.
Financially, we utilize a 3rd party vendor, who maintains virtually all the hard copy data, and does the biggest amount of bookkeeping, bill paying, and payroll. I serve as liaison between them and our agency, as well provide the reporting/invoicing mechanism for meeting grant requirements.
http://en.wikipedia.org/wiki/HIPAA
I can easily keep a list off-site, but I am there only 15 hours per week.
I am requested, due to the nature of our work, not to speak freely of it. Ask please, if you folks need any more info, I may or may not be able to answer.
-
January 21, 2009 at 5:13 pm #2749354
And the short version for those not in the US is what Boxy?
by oh smeg · about 14 years, 4 months ago
In reply to More info…
Looks like a lot of Legalese to me but basically how secure do you have to keep the system and how good are the end users here?
Davette are you sure that this setup isn’t there to drive you insane?
The URL to the TR Discussing has a lot of good suggestions and that would probably be a good starting point. 🙂
Col
-
January 21, 2009 at 5:19 pm #2749352
Am cruising that discussion now.
by boxfiddler · about 14 years, 4 months ago
In reply to And the short version for those not in the US is what Boxy?
And figuring to give thumbs to those who took the time to answer.
I wanna make people anxious before I start handing them out though. 😀
-
January 21, 2009 at 8:31 pm #2751649
But I only answer questions for the Thumbs :(
by oh smeg · about 14 years, 4 months ago
In reply to Am cruising that discussion now.
I would love a couple of Danette’s thumbs, then I could open the Air Lock and have something to remember her by. :^0
Actually I think you will be in the Funny Farm shortly so hand out what you want to before they come and take you away in that lovely White Jacket that they have with the extra long sleeves. :p
Tis been nice knowing you Davette sorry to see you go. :0
Col ]:)
-
January 21, 2009 at 8:32 pm #2751647
Geeminy.
by boxfiddler · about 14 years, 4 months ago
In reply to But I only answer questions for the Thumbs :(
Now you owe me. You got two thumbs…
Leave the damn airlock alone! :0
-
January 22, 2009 at 5:45 am #2751481
-
-
January 21, 2009 at 5:30 pm #2749349
Heh Heh! you could always try this
by rob miners · about 14 years, 4 months ago
In reply to More info…
Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
-
January 21, 2009 at 8:33 pm #2751645
Thanks.
by boxfiddler · about 14 years, 4 months ago
In reply to Heh Heh! you could always try this
I think we do need training in how to properly manage our data. Funds…
-
January 21, 2009 at 8:50 pm #2751641
I was thinking more along the lines
by rob miners · about 14 years, 4 months ago
In reply to Thanks.
of the users. They should be kept up to speed as they hold a lot of responsibility, especially accessing the System and Accounts. You may have to take them aside and discuss a password that they would be comfortable with and could remember. I had problems with a Phys Ed but when I showed him the football he caught it straight away. f00tb@ll, problem solved and he made up others as well.
-
January 21, 2009 at 9:16 pm #2751627
I have begun working
by boxfiddler · about 14 years, 4 months ago
In reply to I was thinking more along the lines
with one of them along those lines. Choose words that s/he recognizes and translate them into a password. I think over a few months she’ll figure it out. We did actually get somewhere today. I’ll know tomorrow (via frantic phone call) if we did. 🙂
-
January 21, 2009 at 9:30 pm #2751623
I’ll keep my fingers crossed for you :D
by rob miners · about 14 years, 4 months ago
In reply to I have begun working
nah just think positive and it should work out. 😉
-
-
-
January 22, 2009 at 3:42 am #2751528
Excel file on the server?
by bizzo · about 14 years, 4 months ago
In reply to Maintaining a password list.
Have a secure area on a server, restricted to only those that need to know all the passwords, put an Excel file in that area with the accounts/passwords in, and password protect the file.
-
January 22, 2009 at 8:46 am #2750570
No network.
by boxfiddler · about 14 years, 4 months ago
In reply to Excel file on the server?
No server.
But frankly, I’d like to get us up and running in that kind of fashion. This higgledy-piggledy way of doing things is disconcerting. 😀
Thanks Bizzo. Idea in waiting. 😀
-
January 22, 2009 at 5:14 pm #2749232
Davette there are several USB Options available here
by oh smeg · about 14 years, 4 months ago
In reply to No network.
That may be your only option use a Thumb Drive with the passwords encrypted on it. Applications like RoboForm have this ability try looking here
I use things like this for Mobile Users but I think it may be your only option.
Just remember if you use something like keep Backup and lots of them. 🙂
Cheers
Col
-
January 22, 2009 at 7:36 pm #2749173
Thanks oh schizoid one.
by boxfiddler · about 14 years, 4 months ago
In reply to Davette there are several USB Options available here
All suggestions appreciated and being evaluated.
-
-
-
January 22, 2009 at 4:04 am #2751522
Several solutions
by daileyml · about 14 years, 4 months ago
In reply to Maintaining a password list.
There are several places I would recommend you store hard copies of your passwords (disks, CDs, flash drives, etc. can become corrupted or damaged).
Purchase a fire-proof safe at Staples or Wal-Mart. Small ones are ~$45, larger ones that can hold backup tapes and such as well are ~$99. House the safe in a lockable desk or closet somewhere.
Being a non-profit I am sure they have bank accounts and such. Visit the same bank used by the organization and price a safe-deposit box. Typically they are around $9 per month for the smallest boxes. This provides secure, off-site storage. This will not help for users needing a password quickly but it will provide a safe place to store critical account information.
Lastly, if neither of these options are workable for your needs I would prepare an Excel spreadsheet of your passwords. I would then password protect that spreadsheet, and either ZIP (with encryption) or PGP encrypt the file. This way, only a few key people need to remember the password to decrypt the data. These people can extract the spreadsheet if needed to look up the information. You can store this encrypted file just about anywhere that isn’t publicly accessible.
Hope these suggestions help.
-Mike D
http://www.daileymuse.com
-
January 22, 2009 at 4:22 am #2751520
I tend
by wizard-09 · about 14 years, 4 months ago
In reply to Several solutions
To code my passwords so that even if they are seen by others they won’t know the password; of course you would have to tell other people how to decode the password on a need-to-know basis.
For example if the password for my system was
systempassword I would use the abc’s to 123’s
like 1 = A, 2 = B, 3 = C, get the point?
So the letters now become numbers. I have a few ways to code and decode my passwords.
-
January 22, 2009 at 8:50 am #2750563
Thanks.
by boxfiddler · about 14 years, 4 months ago
In reply to I tend
But that’s not really going to help with my two very non-tech users.
I already have my own ‘coding’ system in place. Getting them to use, and remember them is the problem along with securely storing them so as to make them accessible if I am not around.
-
-
January 22, 2009 at 4:44 am #2751509
As an update…
by daileyml · about 14 years, 4 months ago
In reply to Several solutions
I just ran across this thread here on TechRepublic. Someone else may have already recommended this, but this thread discusses password management apps to store and track your passwords for you.
http://techrepublic.com.com/5208-7343-0.html?forumID=102&threadID=279207&start=0
I didn’t think of this option in my earlier reply.
-Mike D
http://www.daileymuse.com
-
January 22, 2009 at 8:51 am #2750561
-
-
January 22, 2009 at 8:47 am #2750567
-
-
January 22, 2009 at 5:27 am #2751495
Strong passwords that are written down are not strong
by jdclyde · about 14 years, 4 months ago
In reply to Maintaining a password list.
Have them come up with a phrase, taking the first letter of each word and making that their password, and then use the same password on all systems.
Example: Someone Sent Boxie A Nerve Jangler And Now Her Foot Is Tapping.
SSBANJANHFIT
To make it more complex, substitute the “S” for a number five “5” and the “I” for a one “1” making it
55banjanhf1t
Easy to remember, yet hard to guess.
B-)
I use one that has something to do with laying pipe…. 😀
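The first-letter-plus-substitution scheme described in this post and in glennaaa2's earlier reply, as an added example that is not part of either original post. The function names are hypothetical and the 12-character, three-class policy is an assumed threshold; the sketch derives the password from the phrase and then reports which character classes the result actually covers.

```python
def first_letters(phrase):
    """Return the first alphabetic character of each word, upper-cased."""
    initials = []
    for word in phrase.split():
        for ch in word:
            if ch.isalpha():
                initials.append(ch.upper())
                break
    return "".join(initials)


def mnemonic_password(phrase, substitutions):
    """Initials of the phrase, with the given letter swaps, lower-cased."""
    initials = first_letters(phrase)
    swapped = "".join(substitutions.get(ch, ch) for ch in initials)
    return swapped.lower()


def char_classes(password):
    """Set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def policy_gaps(password, min_length=12, min_classes=3):
    """List the ways a password misses the assumed policy (empty = passes)."""
    gaps = []
    if len(password) < min_length:
        gaps.append("shorter than %d characters" % min_length)
    present = char_classes(password)
    if len(present) < min_classes:
        gaps.append("only %d of 4 character classes: %s"
                    % (len(present), ", ".join(sorted(present))))
    return gaps


if __name__ == "__main__":
    # Phrase and substitutions as given in the post above.
    phrase = "Someone Sent Boxie A Nerve Jangler And Now Her Foot Is Tapping."
    derived = mnemonic_password(phrase, {"S": "5", "I": "1"})
    print(derived, policy_gaps(derived))
    # The result quoted in glennaaa2's reply, which mixes case and punctuation.
    print("T11m1,t1iy1!", policy_gaps("T11m1,t1iy1!"))
```

Under the assumed policy, the lower-cased variant is reported as covering only two classes, while the variant that keeps capitals and punctuation passes.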
-
January 22, 2009 at 6:06 am #2751460
:0 :0
by w2ktechman · about 14 years, 4 months ago
In reply to Strong passwords that are written down are not strong
“I use one that has something to do with laying pipe…”
Please do not let us know more. We have heard too much about your pipe laying
-
January 22, 2009 at 8:52 am #2750559
Thanks JD.
by boxfiddler · about 14 years, 4 months ago
In reply to Strong passwords that are written down are not strong
Getting them to remember… 😀
-
January 22, 2009 at 9:01 am #2750547
Notes
by wizard-09 · about 14 years, 4 months ago
In reply to Thanks JD.
If they have some sort of notes program on their phone, store the passwords there for them to use. I have the iPhone and use my notes to keep everything in, have so much information on it, but have it set to wipe after 10 wrong passwords. I love technology lol, wish I could do this to users if they typed the wrong password ha ha
-
January 22, 2009 at 10:06 am #2750479
Don’t know about that.
by boxfiddler · about 14 years, 4 months ago
In reply to Notes
We’re talking Administrative rights Windows log-in passwords. The occasional news that a wireless phone network has been compromised bothers me on that count. But thanks for the thought.
-
January 22, 2009 at 6:02 pm #2749220
-
-
-
January 22, 2009 at 9:18 am #2750522
Protected Document
by gsg · about 14 years, 4 months ago
In reply to Maintaining a password list.
I maintain a list of admin passwords for various applications on a spreadsheet. I keep them grouped by application. The spreadsheet is in a share that is restricted to only a very few users, and is password protected.
I definitely don’t keep individual users’ passwords, but if I’m gone, my backup person knows to go to that spreadsheet and they can see not only the password, but details like what server the app is on, sa id and password, etc…
It is against policy to email passwords, whether to an internal or external email, so this is a nice central area to keep them available to those who need them.
-
January 22, 2009 at 10:01 am #2750483
Thanks GSG.
by boxfiddler · about 14 years, 4 months ago
In reply to Protected Document
Something along those lines is probably what I will do.
-
January 22, 2009 at 10:20 am #2750471
Do not use any version of Excel prior to
by dumphrey · about 14 years, 4 months ago
In reply to Thanks GSG.
2007, as the “passwords” are crackable in about 5 min on a single core p4… I know, I had to crack a few when we got a new accountant, and the old one didn’t leave any passwords.
Not sure on the quality of OO.o though, my guess is it would be superior, since they can use the OS cryptlib etc.
-
January 22, 2009 at 10:37 am #2750454
Thanks for that.
by boxfiddler · about 14 years, 4 months ago
In reply to Do not use any version of Excel prior to
We’re running two different versions of Office Suite, too.
Aargh, the fun.
-
January 22, 2009 at 11:07 am #2750424
I guess it comes down to how secure do you need it to be.
by dumphrey · about 14 years, 4 months ago
In reply to Thanks for that.
To just protect it against curiosity, any basic file protection is fine. A new version of OO.o or Excel will protect against all but very determined viewers, and truecrypt will stop pretty much everyone except maybe a few national agencies or governments.
-
January 22, 2009 at 12:15 pm #2750373
HIPAA compliance
by boxfiddler · about 14 years, 4 months ago
In reply to I guess it comes down to how secure do you need it to be.
= pima. 😀
-
January 23, 2009 at 6:09 am #2749056
Do as JD suggested then here Davette
by oh smeg · about 14 years, 4 months ago
In reply to HIPAA compliance
Use Biometric Scanners. No possibility of them forgetting their Password, you can have more than one user log in and easy.
Col
-
-
January 22, 2009 at 10:42 am #2750449
That is fine
by jdclyde · about 14 years, 4 months ago
In reply to Protected Document
as long as you don’t forget the password to the share, right? :0
-
-
January 22, 2009 at 4:55 pm #2749240
Use a password management tool
by beentherebefore · about 14 years, 4 months ago
In reply to Maintaining a password list.
In our org we use a password management tool.
The passwords sit on an encrypted drive only accessible through the utility that is password protected with a pass phrase that is easily remembered.
Once you log onto your local workstation you can access the tool, if you have the correct log in pass phrase
3 tries and you are locked out until someone from the admin group resets the password and forces a change.
Also we all get emailed if someone forgets
makes for great Mondays :))
-
January 22, 2009 at 6:03 pm #2749219
biometrics?
by jdclyde · about 14 years, 4 months ago
In reply to Maintaining a password list.
Put a thumb scanner on each system?
Or a token on a thumb drive?
Or make the password drowssap?
-
January 22, 2009 at 6:13 pm #2749217
Yep that’s a better idea after all
by oh smeg · about 14 years, 4 months ago
In reply to biometrics?
How many will forget their Thumbs?
I use a Biometric Scanner with my NB and the only problem that I might have is if the Scanner ever stops working I’ll need to remember the Password. 🙂
Of course you’ll need to see if the Budget will stretch that far.
Col
-
-
January 23, 2009 at 7:47 am #2748994
I have my users use post-it notes for all their passwords….
by karydavis · about 14 years, 4 months ago
In reply to Maintaining a password list.
….in their Outlook.
Our company also maintains sensitive personal information and security is a major concern.
I was appalled when I saw one user in our accounting department who had all her passwords to the various tax, SS and other sensitive programs on sticky notes all over her monitor…
I showed her how to use the post-it notes in Outlook to maintain all her passwords…Since she was comfortable with the whole post it note thing, the transition was easy.
I also show my users how to maintain their own network password list in their outlook post it notes. They create 7-10 unique passwords that meet all our security protocols, and then just use them in sequence. It takes a lot of pressure off my users thinking they have to come up with secure passwords every 35 days… and it gives them an opportunity to become familiar with which password comes after which.
Outlook postit notes is not a perfect solution for all my users, but the majority have found this a very helpful way to maintain their passwords.
-
January 23, 2009 at 10:29 am #2748898
Thanks for your time…
by boxfiddler · about 14 years, 4 months ago
In reply to I have my users use post-it notes for all their passwords….
but if they can’t log in to Windows, they can’t log into Outlook, either.
Also, they don’t have Outlook, gmail is used, and as referenced earlier mail is left on their server/s.
-
January 23, 2009 at 12:48 pm #2748793
Just a contribution is all….
by karydavis · about 14 years, 4 months ago
In reply to Thanks for your time…
Occasionally I do have to reset a password for the user to login to the network, but that doesn’t happen more than it did prior to them keeping their own password lists.
I was just trying to contribute to the conversation by relating how my users maintain their numerous passwords for the many resources they have to access.
I wasn’t looking for a thumbs up or anything… 🙂
-
January 23, 2009 at 1:36 pm #2748762
Your time is valuable…
by boxfiddler · about 14 years, 4 months ago
In reply to Just a contribution is all….
have a thumb anyway! 😀
-