To avoid password tracking headaches, I think it would make sense for us to adopt a central password management tool
Initial suggestions include:
Chris notes that Lastpass is also on offer via: https://www.humblebundle.com/lifehacker-software-bundle
Please post other suggestions here, then we can vote on a tool (or to avoid one)
Using a singular location for storing passwords always makes me feel uncomfortable.
Using lastpass, lets you share login details without giving away the actual password, and also revoke access to those login details though, doesnât it? Along with having mobile and desktop app support and practically works almost everywhere?
Possibly overkill but Open Source - https://www.hashicorp.com/blog/vault.html
Ian.
from Telegram:
Tamarisk:
Damian Axford
another infrastructure item that immediately seems useful is pas
Argh! The last time this was tried in a community organisation I was part of it failed to work for a large proportion of the time.
Fligg
The last time u looked at it (admittedly a couple of years ago)
This
[1:34:47 PM] Jess Robinson:
Tamarisk
Argh! The last time this was tried in a community organisation I
which âitâ? the lastpass tool or the act of using a tool at all?
[1:35:24 PM] Tamarisk:
Jess Robinson
which âitâ? the lastpass tool or the act of using a tool at all?
I canât remember which password manager it actually was.
[1:35:58 PM] James Mastros:
Didnât work in that it was unreliable software, or in as much as people just didnât like using it?
[1:36:10 PM] Tamarisk:
I use 1pass personally, but as Iâm not trying to share passwords I have no idea how well that aspect works.
James Mastros
Didnât work in that it was unreliable software, or in as much as
The former.
[1:36:29 PM] Jess Robinson:
hmm, LP seems fine so far
[1:36:38 PM] James Mastros:
Lastpass has been dead-on reliable as far as I can remember.
[1:37:26 PM] Tamarisk:
Password managers may have improved but historically they tended to only integrate on one platform. So the one we tried worked amazingly on Windows, OK on Linux and died horribly on Mac.
more from Telegram:
Kat (Citizen of Nowhere):
we used Keepass with a shared file. It failed to not have issues with user respect. It worked for some but not for all and had other issues.
Lastpass for me has the following issues: 1) massive security leak in history 2) non-free 4) a lot of faff to set up
[1:38:07 PM] Ian Norton (Lancaster):
Tamarisk
Password managers may have improved but historically they tended
We use keepass across all of those and android without issue
[1:38:13 PM] Jess Robinson:
LP is web based and iirc works on all
(the app is extra paid⌠but since web works on devices I havent cared)
anyway⌠as long as it was the software, and not the whole enchilada⌠and imo something IS neededâŚ
[1:39:00 PM] James Mastros:
Integrates well on chrome under linux and windows, canât speak to osx. but Iâd be surprised if it was any different.
[1:39:02 PM] Tamarisk:
Ian Norton (Lancaster)
We use keepass across all of those and android without issue
They may have fixed it. It was a while ago. It worked initially and then broke horribly when they updated something.
Jess Robinson
anyway⌠as long as it was the software, and not the whole enchi
Iâm not sure I agree. How many shared passwords are we actually talking about here?
Most things can be set up so that you donât need to share passwords.
[1:41:01 PM] James Mastros:
Iâd generally prefer we not share passwords, and I suspect⌠yeah, what Tas said.
[1:42:21 PM] Tamarisk:
A spreadsheet in a shared locked Google drive might be just as efficient if weâre talking about <10 things.
[1:42:52 PM] Fligg:
Jess Robinson
(the app is extra paid⌠but since web works on devices I havent
App is now free but both it and the web are starting to advertise.
[1:43:10 PM] Kat (Citizen of Nowhere):
advertise?
[1:43:30 PM] Fligg:
Have adverts in, according to an article I read the other day.
[1:44:28 PM] Jess Robinson:
Tamarisk
Most things can be set up so that you donât need to share passwo
trying not to be dumb⌠but how?
note to self: change all the emails helpmonks has me asâŚ
[1:46:45 PM] Tamarisk:
Jess Robinson
trying not to be dumb⌠but how?
Multiple user accounts (eventbrite, meetup, mail chimp etc allow you to do this) or shared access (twitter does this via tweetdeck) mostly.
[1:51:03 PM] Jess Robinson:
ah, multiple admins with own logins is fine⌠and handy⌠would have to ensure thats a thing for software chosen
[1:57:26 PM] Christopher Stanton:
Tamarisk
A spreadsheet in a shared locked Google drive might be just as e
Google drive needs an alternative.
[1:57:50 PM] Jess Robinson:
we can share the ability to edit/create across a pile of people
[1:57:52 PM] Ian Norton (Lancaster):
Christopher Stanton
Google drive needs an alternative.
Owncloud
[1:58:25 PM] Christopher Stanton:
Googleâs awkward that it is easily governed around a single account/point of failure.
[1:58:57 PM] Ian Norton (Lancaster):
Personally I use dropbox and pay for it, but thatâs not really viable for hackspace use.
[1:59:26 PM] Tamarisk:
Christopher Stanton
Googleâs awkward that it is easily governed around a single acco
Agreed which was the very thing we were trying to avoid in the first place. I forget to an extent because HacMan has a grandfathered account with them
Ian Norton (Lancaster)
Personally I use dropbox and pay for it, but thatâs not really v
Ditto, but because the files exist separately in each dropbox account that might not be the best solution for this kind of problem.
[2:00:02 PM] Christopher Stanton:
Though that can be mitigated somewhat by an intentionally setup singular account whose access details are shared.
[2:00:02 PM] Jess Robinson:
Christopher Stanton
Googleâs awkward that it is easily governed around a single acco
not sure I grok (having one of those days it seems)
[2:00:25 PM] Jonty Wareing:
Things like sheets are problematic because thereâs not really a good open alternative. To be honest though, I donât think weâre using it in a problematic way, and in the long run very few things should need to be totally private.
[2:00:27 PM] Tamarisk:
/me hands @castaway some extra brains.
[2:00:35 PM] Jess Robinson:
Tamarisk
/me hands @castaway some extra brains.
ta muchly
[2:00:38 PM] Jonty Wareing:
FWIW LHS trustees have a shared dropbox folder.
[2:01:03 PM] Tamarisk:
I use dropbox with clients because it has a low barier to entry
[2:01:08 PM] Fligg:
Christopher Stanton
Googleâs awkward that it is easily governed around a single acco
Sadly everything is single point of failure. If weâre looking at people getting hit by a bus then potentially self hosted is just as vulnerable.
[2:01:14 PM] Tamarisk:
And means I can hand them their stuff in one go.
[2:01:32 PM] Jess Robinson:
Fligg
Sadly everything is single point of failure. If weâre looking at
the multiple admins thing solves it, as Tas pointed out
[2:01:41 PM] Ian Norton (Lancaster):
Tamarisk
And means I can hand them their stuff in one go.
Thatâs what zip drives are for! 
[2:01:45 PM] Jess Robinson:
(and sufficent cloudiness)
[2:01:56 PM] Tamarisk:
Ian Norton (Lancaster)
Thatâs what zip drives are for!
[2:02:38 PM] Fligg:
Jess Robinson
the multiple admins thing solves it, as Tas pointed out
Does for commercial hosted possibly not self hosted (as people usually get accounts on the site not on the hosting itsrlf), sorry, wasnât clear. Think this is still a valid point⌠Though personally I do prefer stuff âfully under controlâ
[2:02:58 PM] Jess Robinson:
⌠thus me appending âand cloudinessâ
[2:03:22 PM] Fligg:
Sorry, I missed that /me goes to put his eyes back in 
[2:03:27 PM] Jess Robinson:
np
[2:03:59 PM] Tamarisk:
The brain stew appears to be infectious
[2:04:15 PM] Jonty Wareing:
Again with the pragmatism thing. Use things that allow you to get something done, but have an escape strategy. For file storage there are absolutely zillions, so I have no problem with google drive or dropbox as long as there are backups.
[2:04:36 PM] Jess Robinson:
yup
[2:04:38 PM] Jonty Wareing:
Self-hosting is lovely, but youâre generating work you really donât need to be doing.
[2:05:02 PM] Tamarisk:
Jonty Wareing
Self-hosting is lovely, but youâre generating work you really do
This
Looking at it a different way.
What will people need to login to regularly that theyâd have to have a shared password for?
I can only think of one and thatâs Google or Hootsuite (because then you can have 3 social media channels to manage and itâs also free), where you create a singular âdummyâ account that everyone can login to for administration.
Would it be applicable to accessing the contact@hackspace.org.uk address? If so, that makes it important, too.
I think weâre weighing this up against trusting people with passwords, or the convenience of passing them around. Conversely, thereâs also revoking access when people no longer become directors/part of a team and shouldnât have access any more, which it sounds like lastpass simplifies, so thereâs one thing going for it.
Lastpass used to be terrible across platforms, my colleague where I work said it worked great across his android to ipad devices and he uses it on desktop. Barring linux which Iâm unsure about, this anecdote seems more positive than happenings in the past.
Last pass has been hacked previously, though it seems peoples accounts havenât been compromised, and frankly these days, everything has been compromised at least once, from Yahoo, to Gmail, to Outlook and even my personal, obscure e-mail accounts.
I donât understand why a space needs to have a password management tool.
At one point I thought the conversation had to do with cloud storage.
As per attending inboxes. Isnât there a way that several emails can have the same alias? for example on our mailman maker-owner@nameofserver.here sends an email to two or 3 people at the same time.
If I have a password to an account I am then a single point of failure to accessing that account.
If I share that password with other people, then I am no longer a single point of failure, however if one of those people is no longer a âresponsible personâ and leaves the role, they still have the password.
When you then change the password, that can have a knock on effect:
This is where a password manager comes in, Lastpass for example can give you access to a password without knowing what it is (at least to my understanding) and it can log you into the system. It can share that password with people, and it can revoke that access. All without changing the main password.
Itâs also possible that the shared password mechanism of Lastpass is better than say, if we set in Twitter to allow a personâs account to access a âcompany accountâ, then weâre relying on that personâs account to have a secure password, perhaps 2 factor authentication, using Lastpass weâre not relying on their account and weâre giving them the same access.
It then becomes a matter of secure convenience. When you start using systems where youâre sharing around passwords to get into something, as opposed to giving access via permissions on accounts, you encounter these hiccups and it can stop things.
Sorry but arenât we just moving the problem up one level? If the passwordmanager is used there will still have one owner of the account.
Let me see if I understand the problem:
In both cases we registered with a info@ukhackerspace.org.uk or whatever so we can just reset the password. Right?
No, because you tie that account to a shared mailbox which the directors have access to.
So youâre allowing the directors to have recovery control, while allowing others to have controlled access.
When you start to have many systems, you start to have many passwords, and generating new passwords introduces mental fatigue, and the potential to generate passwords that are no longer secure.
Also, LastPass in particular does not require a single account owner - itâs federated.
Federated as you can have it hosted on different servers like email?
Federated as in more than one person owns access to it.
I think this is over-thinking things.
There are a few key passwords which need to be shared between a few people (ultimately the directors). We can do that via whatever means is convenient. My preference is through a GPG-encrypted file, but shared LastPass entries are also fine. This is a matter for the directors to decide amongst themselves.
Facebook, Twitter, etc have their own means of delegating access. Iâm not sure what else is needed here.