Posted: 9/5/2014 5:33:54 PM EDT
|
Does anyone have any enterprise experience with LastPass?
We currently use Password Manager by Manage Engine but are looking for alternatives after living with some quirky user interface/experience issues. We use this as teams with certain members being the asset owner, then creating accounts associated with that asset, setting passwords, then sharing those passwords to others on a team that might need access to them. We currently have password complexity requirements that we would like to be able to implement on the front end of this system so that all new passwords created match our complexity requirements. In a best-case scenario, the application will be easy enough to use that our teams wouldn't mind having auto-generated 32 or 64 bit passwords assigned to the accounts that they use every day. TIA for any input.
|
Is this for backend system accounts? Or end user accounts?
For service and admin account management, I have used KeePass and EPS (free). KeePass is the best IMO - the epitome of KISS. However, it isn't very scalable, you can't delegate privileges to individual users and groups, and you need to keep the password DB on a fileshare somewhere. And the entire team will know the 1 root password. EPS = enterprise password safe is OK, but it's free and you don't get much support. But it is flexible, scalable and supports a number of users. It can use AD and other systems as well for user auth^2. I don't think there is a perfect solution out there unfortunately because there isn't much demand. Most companies don't give a hoot about security. Heck, my last couple ran everything as the domain administrator account and the password was our street address. My current team uses EPS, but the rest of the company including development keeps their accounts in notebooks under their desks and spreadsheets on the company SharePoint site. This info probably isn't exactly what you're looking for but hope you find it helpful, and if not, can at least share empathy for the constant headache of managing accounts in IT.
|
Keep it simple.
Set up a Spider Oak share (encrypted up, down, and at rest and they don't have the keys). Have it host the database for Bruce Schneier's password manager. Make one person responsible for generating new passwords and putting them in the database -- everyone else gets read only access. It will meet your needs.
|
Quoted:
Keep it simple. Set up a Spider Oak share (encrypted up, down, and at rest and they don't have the keys). Have it host the database for Bruce Schneier's password manager. Make one person responsible for generating new passwords and putting them in the database -- everyone else gets read only access. It will meet your needs.

Single point of failure if that person separates. We are going to spend money on this, not looking for a free solution. Support is a must. We need this for mainly service accounts and database passwords. Unfortunately there are a lot of systems that have local auth only; preferably they would all use TACACS/AD/RADIUS, then we would just tie them to individual users, but generally this is not the case. A simple example is a remote UPS with network access that can manipulate power to connected devices. They generally have local auth only, so we have a shared account for admins. These need to be complex enough that no admin can remember or would want to write it down. The system would need to be simple enough that they would use it instead of keeping the password stored locally on their machine. If an admin separates from the company, change the password, update the enterprise password software, and change the information on the end devices. If a new admin joins the group, share the accounts to them in the enterprise password software via AD group membership.