Password management for Foundation infrastructure


#1

To avoid password tracking headaches, I think it would make sense for us to adopt a central password management tool.

Initial suggestions include:

  • Lastpass
  • Keepass (in Google Drive)

Chris notes that Lastpass is also on offer via: https://www.humblebundle.com/lifehacker-software-bundle

Please post other suggestions here, then we can vote on a tool (or to avoid one).


#2

Using a singular location for storing passwords always makes me feel uncomfortable.

Using lastpass lets you share login details without giving away the actual password, and also revoke access to those login details though, doesn’t it? Along with having mobile and desktop app support, and practically works almost everywhere?


#3

Possibly overkill but Open Source - https://www.hashicorp.com/blog/vault.html

Ian.


#4

from Telegram:
Tamarisk:

Damian Axford
another infrastructure item that immediately seems useful is pas

Argh! The last time this was tried in a community organisation I was part of it failed to work for a large proportion of the time.

Fligg
The last time u looked at it (admittedly a couple of years ago)

This

[1:34:47 PM] Jess Robinson:

Tamarisk
Argh! The last time this was tried in a community organisation I

which “it”? the lastpass tool or the act of using a tool at all?

[1:35:24 PM] Tamarisk:

Jess Robinson
which “it”? the lastpass tool or the act of using a tool at all?

I can’t remember which password manager it actually was.

[1:35:58 PM] James Mastros:
Didn’t work in that it was unreliable software, or in as much as people just didn’t like using it?

[1:36:10 PM] Tamarisk:
I use 1pass personally, but as I’m not trying to share passwords I have no idea how well that aspect works.

James Mastros
Didn’t work in that it was unreliable software, or in as much as

The former.

[1:36:29 PM] Jess Robinson:
hmm, LP seems fine so far

[1:36:38 PM] James Mastros:
Lastpass has been dead-on reliable as far as I can remember.

[1:37:26 PM] Tamarisk:
Password managers may have improved but historically they tended to only integrate on one platform. So the one we tried worked amazingly on Windows, OK on Linux and died horribly on Mac.


#5

more from Telegram:

Kat (Citizen of Nowhere):
we used Keepass with a shared file. It failed to not have issues with user respect. It worked for some but not for all and had other issues.

Lastpass for me has the following issues: 1) massive security leak in history 2) non-free 4) a lot of faff to set up

[1:38:07 PM] Ian Norton (Lancaster):

Tamarisk
Password managers may have improved but historically they tended

We use keepass across all of those and android without issue

[1:38:13 PM] Jess Robinson:
LP is web based and iirc works on all
(the app is extra paid… but since web works on devices I haven’t cared)
anyway… as long as it was the software, and not the whole enchilada… and imo something IS needed…

[1:39:00 PM] James Mastros:
Integrates well on chrome under linux and windows, can’t speak to osx. but I’d be surprised if it was any different.

[1:39:02 PM] Tamarisk:

Ian Norton (Lancaster)
We use keepass across all of those and android without issue

They may have fixed it. It was a while ago. It worked initially and then broke horribly when they updated something.

Jess Robinson
anyway… as long as it was the software, and not the whole enchi

I’m not sure I agree. How many shared passwords are we actually talking about here?
Most things can be set up so that you don’t need to share passwords.

[1:41:01 PM] James Mastros:
I’d generally prefer we not share passwords, and I suspect… yeah, what Tas said.

[1:42:21 PM] Tamarisk:
A spreadsheet in a shared locked Google drive might be just as efficient if we’re talking about <10 things.

[1:42:52 PM] Fligg:

Jess Robinson
(the app is extra paid… but since web works on devices I havent

App is now free but both it and the web are starting to advertise.

[1:43:10 PM] Kat (Citizen of Nowhere):
advertise?

[1:43:30 PM] Fligg:
Have adverts in, according to an article I read the other day.

[1:44:28 PM] Jess Robinson:

Tamarisk
Most things can be set up so that you don’t need to share passwo

trying not to be dumb… but how?
note to self: change all the emails helpmonks has me as…

[1:46:45 PM] Tamarisk:

Jess Robinson
trying not to be dumb… but how?

Multiple user accounts (eventbrite, meetup, mail chimp etc allow you to do this) or shared access (twitter does this via tweetdeck) mostly.

[1:51:03 PM] Jess Robinson:
ah, multiple admins with own logins is fine… and handy… would have to ensure that’s a thing for software chosen

[1:57:26 PM] Christopher Stanton:

Tamarisk
A spreadsheet in a shared locked Google drive might be just as e

Google drive needs an alternative.

[1:57:50 PM] Jess Robinson:
we can share the ability to edit/create across a pile of people

[1:57:52 PM] Ian Norton (Lancaster):

Christopher Stanton
Google drive needs an alternative.

Owncloud

[1:58:25 PM] Christopher Stanton:
Google’s awkward that it is easily governed around a single account/point of failure.

[1:58:57 PM] Ian Norton (Lancaster):
Personally I use dropbox and pay for it, but that’s not really viable for hackspace use.

[1:59:26 PM] Tamarisk:

Christopher Stanton
Google’s awkward that it is easily governed around a single acco

Agreed which was the very thing we were trying to avoid in the first place. I forget to an extent because HacMan has a grandfathered account with them

Ian Norton (Lancaster)
Personally I use dropbox and pay for it, but that’s not really v

Ditto, but because the files exist separately in each dropbox account that might not be the best solution for this kind of problem.

[2:00:02 PM] Christopher Stanton:
Though that can be mitigated somewhat by an intentionally set up singular account whose access details are shared.

[2:00:02 PM] Jess Robinson:

Christopher Stanton
Google’s awkward that it is easily governed around a single acco

not sure I grok (having one of those days it seems)

[2:00:25 PM] Jonty Wareing:
Things like sheets are problematic because there’s not really a good open alternative. To be honest though, I don’t think we’re using it in a problematic way, and in the long run very few things should need to be totally private.

[2:00:27 PM] Tamarisk:

/me hands @castaway some extra brains.

[2:00:35 PM] Jess Robinson:

Tamarisk
/me hands @castaway some extra brains.

ta muchly

[2:00:38 PM] Jonty Wareing:
FWIW LHS trustees have a shared dropbox folder.

[2:01:03 PM] Tamarisk:
I use dropbox with clients because it has a low barrier to entry

[2:01:08 PM] Fligg:

Christopher Stanton
Google’s awkward that it is easily governed around a single acco

Sadly everything is single point of failure. If we’re looking at people getting hit by a bus then potentially self hosted is just as vulnerable.

[2:01:14 PM] Tamarisk:
And means I can hand them their stuff in one go.

[2:01:32 PM] Jess Robinson:

Fligg
Sadly everything is single point of failure. If we’re looking at

the multiple admins thing solves it, as Tas pointed out

[2:01:41 PM] Ian Norton (Lancaster):

Tamarisk
And means I can hand them their stuff in one go.

That’s what zip drives are for! :wink:

[2:01:45 PM] Jess Robinson:
(and sufficient cloudiness)

[2:01:56 PM] Tamarisk:

Ian Norton (Lancaster)
That’s what zip drives are for! :wink:

:stuck_out_tongue:

[2:02:38 PM] Fligg:

Jess Robinson
the multiple admins thing solves it, as Tas pointed out

Does for commercial hosted, possibly not self hosted (as people usually get accounts on the site, not on the hosting itself), sorry, wasn’t clear. Think this is still a valid point… Though personally I do prefer stuff “fully under control”

[2:02:58 PM] Jess Robinson:
… thus me appending “and cloudiness” :wink:

[2:03:22 PM] Fligg:
Sorry, I missed that /me goes to put his eyes back in :slight_smile:

[2:03:27 PM] Jess Robinson:
np

[2:03:59 PM] Tamarisk:
The brain stew appears to be infectious

[2:04:15 PM] Jonty Wareing:
Again with the pragmatism thing. Use things that allow you to get something done, but have an escape strategy. For file storage there are absolutely zillions, so I have no problem with google drive or dropbox as long as there are backups.

[2:04:36 PM] Jess Robinson:
yup

[2:04:38 PM] Jonty Wareing:
Self-hosting is lovely, but you’re generating work you really don’t need to be doing.

[2:05:02 PM] Tamarisk:

Jonty Wareing
Self-hosting is lovely, but you’re generating work you really do

This


#6

Looking at it a different way.

What will people need to login to regularly that they’d have to have a shared password for?

I can only think of one and that’s Google or Hootsuite (because then you can have 3 social media channels to manage and it’s also free), where you create a singular ‘dummy’ account that everyone can login to for administration.

Would it be applicable to accessing the contact@hackspace.org.uk address? If so, that makes it important, too.

I think we’re weighing this up against trusting people with passwords, or the convenience of passing them around. Conversely, there’s also revoking access when people no longer become directors/part of a team and shouldn’t have access any more, which it sounds like lastpass simplifies, so there’s one thing going for it.

Lastpass used to be terrible across platforms; my colleague where I work said it worked great across his android to ipad devices and he uses it on desktop. Barring linux, which I’m unsure about, this anecdote seems more positive than happenings in the past.

Last pass has been hacked previously, though it seems people’s accounts haven’t been compromised, and frankly these days everything has been compromised at least once, from Yahoo, to Gmail, to Outlook and even my personal, obscure e-mail accounts.


#7

I don’t understand why a space needs to have a password management tool.

At one point I thought the conversation had to do with cloud storage.

As per attending inboxes: isn’t there a way that several emails can have the same alias? For example, on our mailman maker-owner@nameofserver.here sends an email to two or 3 people at the same time.


#8

If I have a password to an account I am then a single point of failure to accessing that account.

If I share that password with other people, then I am no longer a single point of failure, however if one of those people is no longer a ‘responsible person’ and leaves the role, they still have the password.

When you then change the password, that can have a knock on effect:

  • Everyone needs to be updated with the password
  • If an autonomous system relied on the password (not that common these days though) then that system needs maintenance else it’ll break
  • You’re trusting everyone to remember the password; storing or noting down the password, or writing it in various places, then introduces security risks.

This is where a password manager comes in. Lastpass, for example, can give you access to a password without knowing what it is (at least to my understanding) and it can log you into the system. It can share that password with people, and it can revoke that access. All without changing the main password.

It’s also possible that the shared password mechanism of Lastpass is better than, say, if we set in Twitter to allow a person’s account to access a ‘company account’: then we’re relying on that person’s account to have a secure password, perhaps 2 factor authentication; using Lastpass we’re not relying on their account and we’re giving them the same access.

It then becomes a matter of secure convenience. When you start using systems where you’re sharing around passwords to get into something, as opposed to giving access via permissions on accounts, you encounter these hiccups and it can stop things.


#9

Sorry, but aren’t we just moving the problem up one level? If the password manager is used there will still be one owner of the account.
Let me see if I understand the problem:

  • case scenario: you and me are in charge of the twitter account and we both know the same password. At a certain moment I go mental, change the password on you and start saying things contrary to the foundation. What then?
  • scenario 2: I am the only twitter user for the foundation and I suddenly disappear.

In both cases we registered with an info@ukhackerspace.org.uk or whatever, so we can just reset the password. Right?


#10

No, because you tie that account to a shared mailbox which the directors have access to.

So you’re allowing the directors to have recovery control, while allowing others to have controlled access.

When you start to have many systems, you start to have many passwords, and generating new passwords introduces mental fatigue, and the potential to generate passwords that are no longer secure.


#11

Also, LastPass in particular does not require a single account owner - it’s federated.


#12

Federated as you can have it hosted on different servers like email?


#13

Federated as in more than one person owns access to it.


#14

I think this is over-thinking things.

There are a few key passwords which need to be shared between a few people (ultimately the directors). We can do that via whatever means is convenient. My preference is through a GPG-encrypted file, but shared LastPass entries are also fine. This is a matter for the directors to decide amongst themselves.

Facebook, Twitter, etc have their own means of delegating access. I’m not sure what else is needed here.
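To make the “GPG-encrypted file” option in #14 concrete, and to show how it handles the revocation problem raised in #8 (a leaver still knows a shared password), here is an added example that is not part of the thread or any of the tools it mentions. It assumes GnuPG 2.1 or later is installed as `gpg`; the director names (alice, bob, carol at example.org), their keys and the secrets file are all constructed in throwaway keyrings so it runs offline. Each director keeps a private keyring; only public keys are shared, the file is encrypted to the current directors, and a leaver is dropped by re-encrypting to the remaining keys.

```shell
#!/bin/sh
# Added example (not from the thread): a shared secrets file encrypted to the
# GPG keys of several directors, with a leaver removed by re-encrypting to the
# remaining keys. Assumes GnuPG 2.1+ is installed as `gpg`. Director names,
# keys and the secrets file are constructed here in temporary keyrings.

set -eu

BASE="$(mktemp -d)"
mkdir -p "$BASE/pub"

# Each director has a private keyring of their own under $BASE/<name>.
home_of() { printf '%s/%s' "$BASE" "$1"; }

# Generate an (unprotected, example-only) key for one director and publish
# its public half to the shared $BASE/pub directory.
make_director() {
    name="$1"
    mkdir -p "$(home_of "$name")"; chmod 700 "$(home_of "$name")"
    GNUPGHOME="$(home_of "$name")" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key "$name@example.org" default default never
    GNUPGHOME="$(home_of "$name")" gpg --batch --quiet --armor \
        --export "$name@example.org" > "$BASE/pub/$name.asc"
}

# Encrypt $1 to the directors named in $2 (space separated), writing $3.
# Done from a fresh keyring that holds only their published public keys, so
# the recipient list is exactly the names given.
encrypt_for() {
    src="$1"; members="$2"; out="$3"
    work="$(mktemp -d)"; chmod 700 "$work"
    set --  # build the --recipient argument list
    for m in $members; do
        GNUPGHOME="$work" gpg --batch --quiet --import "$BASE/pub/$m.asc"
        set -- "$@" --recipient "$m@example.org"
    done
    GNUPGHOME="$work" gpg --batch --quiet --yes --trust-model always \
        --encrypt "$@" --output "$out" "$src"
    rm -rf "$work"
}

# Succeeds only if director $1 can decrypt $2 with their own private key.
can_decrypt() {
    GNUPGHOME="$(home_of "$1")" gpg --batch --quiet --decrypt "$2" >/dev/null 2>&1
}

for d in alice bob carol; do make_director "$d"; done

# Constructed secrets file: one line per shared account, placeholder values.
SECRETS="$BASE/secrets.txt"
printf 'twitter: PLACEHOLDER-PASSWORD\nhootsuite: PLACEHOLDER-PASSWORD\n' > "$SECRETS"

# 1. Encrypt to all three current directors.
encrypt_for "$SECRETS" "alice bob carol" "$BASE/secrets.gpg"

# 2. Carol leaves: re-encrypt to the remaining two. Her copy of the old
#    ciphertext still decrypts, so any password it held should also be
#    rotated; what the new file guarantees is that she gets no future version.
encrypt_for "$SECRETS" "alice bob" "$BASE/secrets-v2.gpg"

# Remove the plaintext; only the encrypted copies stay in $BASE.
rm -f "$SECRETS"
```

Run it with `sh` and check `can_decrypt carol "$BASE/secrets-v2.gpg"` fails while `can_decrypt alice` and `can_decrypt bob` succeed. The gpg-agent instances started for the temporary keyrings can be stopped afterwards with `GNUPGHOME=<dir> gpgconf --kill gpg-agent` for each director directory before deleting `$BASE`.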