Using password keepers (LastPass/Bitwarden etc) for storing admin sensitive info?


Userlevel 4
Badge

A bit OT with regard to Veeam itself. I was wondering how you handle lots and lots of passwords and other sensitive information. I’m primarily interested in whether you use, or consider safe for use, low-cost and/or “small” solutions like password keepers (Bitwarden seems nice enough). Assume a single user in an organization who has to protect data like this.

On one hand these apps look nice. But on the other, security-wise they are not PGP replacements at all, trading ease of use for security.


19 comments

Userlevel 7
Badge +7

Hi, I started using Keepass personally, and after some time we were sharing that Keepass between 3 or 4 people; it was OK, but not clean at all.

It was stored in a shared O365 folder, configured to always be available locally in case of network failure or anything; we all keep a local copy. I also used to manually create a copy weekly to my local laptop.

Also we tested Passbolt, a password manager that can be deployed locally or in the cloud, has a community version, and lets you have different access rights, groups, users, etc. It also has browser integrations.

I didn’t have the chance to implement it in my office, but I’ve tested it in my home lab and am now changing my personal (and wife’s) Keepass to it!

Hopefully this helps!

Br.

Userlevel 7
Badge +10

Personally I use Bitwarden and have never had a problem with it. They also offer a self-hosted option for those who are really paranoid about holding passwords in the cloud:

https://bitwarden.com/blog/host-your-own-open-source-password-manager/

Userlevel 4
Badge

@Cragdoo I was looking into its free plan, which seems to be the only decent one not lacking serious features.

Are you using it, though, for personal stuff strictly or for organizational info too (say credentials for hosts/services etc.)?

I’m more than happy to use it for personal stuff/banks etc. I do hesitate to use it for organizational sensitive info...

Userlevel 7
Badge +10

Both: I use it personally, and paid $10 for the premium edition to help support the coders. We also use the on-prem version for organisational stuff/shared credentials etc.

Userlevel 7
Badge +7

@Cragdoo I was looking into its free plan, which seems to be the only decent one not lacking serious features.

Are you using it, though, for personal stuff strictly or for organizational info too (say credentials for hosts/services etc.)?

I’m more than happy to use it for personal stuff/banks etc. I do hesitate to use it for organizational sensitive info...

I use it for both, personal and business info/accounts.

Once in a while I export a copy and put it in my safe box, just in case.

What I have is two setups, one for personal and one for the organisation credentials.

🤪

Userlevel 4
Badge

$10 is dirt cheap, did not see that, thanks.

Both: I use it personally, and paid $10 for the premium edition to help support the coders. We also use the on-prem version for organisational stuff/shared credentials etc.

Implicitly I’d say that you don’t feel comfortable hosting that sort of sensitive information in the cloud, even if it’s supposedly tamper-proof (nothing is).

I’m lacking experience in Docker, otherwise I’d most probably follow that route.

What I have is two setups, one for personal and one for the organisation credentials.

Can you elaborate what you mean by two setups?

Furthermore, as admins, does GDPR possibly prohibit (even implicitly) the use of software like password keepers when the storage is outside the company?

Userlevel 7
Badge +7

Sure.

At home, I had a Keepass database for personal use, and then for the company another, different database, stored in a different place.

With the new setup, my Passbolt deployment is stored on my homelab (small mini tiny datacenter), and my actual company works with Keepass and is planning to move to something similar to Passbolt.

So yes, the idea is to store the passwords securely, but I like keeping work and home stuff separated.

I have separate laptops as well, for work and personal usage.

If you are interested, you can ping me by PM and I will be more than happy to help you!

Cheers,

Userlevel 7
Badge +20

At work we use Passbolt. Myself, I use a combination of Keepass and Dashlane because it has a great browser extension. I do have Keeper also as a backup.

Userlevel 4
Badge

@Chris.Childerhose and @HunterLAFR how does the Passbolt browser extension work compared to whatever other one you were or are using?

Great advantage for me is that there are “plain” (non-Docker) Linux installs available. And even though I don’t have time to commit for a pilot server deployment, I could help with the central IT of my organization to do something that will help organize our mess.

Userlevel 4
Badge

A bit unsettling that the passbolt Android app has less than 5 thousand downloads and no rating :/

Userlevel 4
Badge

Summarizing:

  1. No one seems to use password managers to store company credentials when the password manager uses its own cloud (internet). OTOH, it seems to be a good practice to use password managers that utilize on-premise clouds.
  2. KeePass seems to be widely used (off-topic: the last time I had some sort of encryption for local files was with some early PGP versions). For one-man teams or for very small ones it can do the job regarding storage of confidential data. I do not know how well it integrates with browsers...

Userlevel 7
Badge +20

@Chris.Childerhose and @HunterLAFR how does the Passbolt browser extension work compared to whatever other one you were or are using?

Great advantage for me is that there are “plain” (non-Docker) Linux installs available. And even though I don’t have time to commit for a pilot server deployment, I could help with the central IT of my organization to do something that will help organize our mess.

It works OK, but it’s not my primary one; the one I use is Dashlane. I use that all the time; the Passbolt one is there only to access the work DB.

Userlevel 7
Badge +8

I have used KeePass as it was local; we exported backups. It worked OK.

1Password is the best I find. I can have it on my phone, PC, remote if needed. It is very secure. You can set up multifactor authentication with hardware tokens and key generation. Unless you have a specific device, plus a physical token, plus a generated key, good luck trying to get in.

At some point you have to trust something; having the same admin password on all your servers is worse than having all your passwords in a password manager. Someone will most likely do something bad on your network, giving a bad actor access, before 1Password gets hacked. Once they are in your NW, they can do lateral movement and gain access pretty quickly. At a minimum, unique passwords everywhere should slow them down.

1Password can crank your complexity as high as you want and auto-fill everything too, which is nice. Install the browser plugins, app, yadda yadda; I sound like a sales guy. Plus if you convince your work to get it, you can get a free personal edition.

I’d look into 1Password, as my company is crazy about security and they passed our requirements.

Userlevel 7
Badge +8

KeePass IMHO fits only small shops without the need for role-based multi-user access.

We are using “Password Depot”. It does multi-tenancy and native MFA, and has apps for Windows, macOS, iOS and Android.
Most important to me: it can be hosted on-prem, which I find absolutely crucial for customer passwords.

Userlevel 4
Badge

@Chris.Childerhose thanks for the clarification.

@Scott I have a different password per system with a special pass generator (read: I bang randomly on the keyboard until 20-60 characters are spewed :D).

@Michael Melter “small shops” fits my bill, specifically the sub-organization I’m managing; it’s a 2-person department. However, our bigger organization could benefit from a hosted in-premises solution like Bitwarden or Passbolt. If I might ask, what is the size of your IT department (approximate order, if you like)?

I’ve started using KeePass in the way @HunterLAFR uses it at work (single secret file in a OneDrive folder, always locally cached between colleagues), while I’ll keep using Firefox Sync for syncing personal passwords there for a little longer.

Userlevel 7
Badge +20

I mainly use Keepass with Remote Desktop Manager, as it can pass credentials for me on logins to any servers I have configured, which are many. Other than that I use Dashlane in Edge for autofill of passwords, etc.

Userlevel 7
Badge +8

@Chris.Childerhose thanks for the clarification.

@Scott I have a different password per system with a special pass generator (read: I bang randomly on the keyboard until 20-60 characters are spewed :D).

@Michael Melter “small shops” fits my bill, specifically the sub-organization I’m managing; it’s a 2-person department. However, our bigger organization could benefit from a hosted in-premises solution like Bitwarden or Passbolt. If I might ask, what is the size of your IT department (approximate order, if you like)?

I’ve started using KeePass in the way @HunterLAFR uses it at work (single secret file in a OneDrive folder, always locally cached between colleagues), while I’ll keep using Firefox Sync for syncing personal passwords there for a little longer.

KeePass was decent for us, but with 1Password, using vaults with different permission settings has been a life changer for our IT department: devs have their own vault, the apps and web guys have their own, the desktop team has one, and then the server/storage team has a vault….

A small group can change permissions to allow others, which alerts and notifies everyone so nothing goes on unnoticed; you can share passwords with users or groups of users and not an entire vault.

On-prem is the only thing that, if you need it specifically, 1Password isn’t going to do for you.

If you are putting your secret file in OneDrive, you are no longer using an “on-prem” solution.

The versioning and history in 1Password is nice too. I can’t tell you how many people changed multiple passwords in KeePass and didn’t save.

Userlevel 7
Badge +7

For sure, there is not a magical solution to fit all needs; you’d better try different ones and choose the one that works better for you, your team and your company.

I would recommend you try 1Password, Passbolt, KeePass, etc., but ask your colleagues and make a pros/cons list to choose the most suitable one for you.

😉

cheers!

Userlevel 7
Badge +4

I use Bitwarden for personal passwords and other stuff.

I cannot live without this software anymore 😂
