user accounts - KeePass different privileges

2014-07
  • Wandang

    Is there a possibility in KeePass to have multiuser access to a kdbx file with different access privileges?

    Basically each group of users would have their own password to access the database and there would be one master password to access all passwords (the entire database).

    I could not find that option in the settings menu.

    Alternatively, having a kdbx file for each group would work too if KeePass could load kdbx files in a cascade: loading the first file with the master password and getting the password for the next file out of the first database, etc.

    Is there any fix for this problem? Does KeePass support different access levels / multiple access passwords?

  • Answers

    Related Question

    security - KeePass justification
  • Jeff Walker

    I personally have about 20 accounts (my personal user id on lots of machines). For shared "system" accounts, there are about 45 per environment; development, test, and production. I have access to 2 of those, so my personal total is somewhere around 115 accounts. Passwords have to be at least 15 characters with some extensive but standard complexity constraints, and have to be changed every 60 days or so (system accounts every year). They also should not be the same for different accounts, but that isn't enforced. Think DoD-type standards. There is no way to remember and keep up with this. It just isn't humanly possible, as far as I'm concerned.

    This might be a good justification of a centralized account management system, a la LDAP or ActiveDirectory, but that is a totally different battle.

    Currently the solution is an Excel spreadsheet. They use Excel to put a password on it, and then most people make a copy and remove the password. This makes my stomach turn.

    I use KeePass for this problem and it manages all of my accounts very well. I like the features like auto-typing, grouping, plugins, password generation, etc. It uses AES-256 encryption via the .NET framework, and while not FIPS compliant, it has a very good reputation.

    The only problem is that they don't allow us to use randomly downloaded software. So we have to justify every piece of software on our workstations. I have been told that they really don't want me to use this, because of the "sensitive nature" of storing passwords. sigh My justification has to be "VERY VERY strong".

    I have been tasked with writing a justification for KeePass, and I would like any input that I can get from the community. What do you recommend? Is there something out there that is better or more respected than KeePass? Are there any security experts saying interesting things on this topic? Anything will help at this point. Thanks.


  • Related Answers
  • b.long

    I've been a long time KeePass user, and if I were tasked with justification, I'd probably do the following:

    • Skim the site's FAQ for all of their details about security. Everything I've seen there will practically sell itself.
    • Show the longevity and support for the project, indicating it isn't going to be dropped by the wayside anytime soon.
    • Show off a few features, such as the fact that passwords are displayed encrypted by default (not sure if you're putting a mask in the Excel spreadsheet or not). This alone prevents prying eyes.
    • You can double click the password entry to copy it to the clipboard and have it auto flush out in 10 seconds. This keeps the password out of "plain sight" as much as possible.
    • Demonstrate how the password database itself can be locked down via password, key file, or even Windows Account, which allows you to store the password database in a central location and manage it that way.
    • The password generator helps ensure you are getting non "user friendly" passwords that can be generated in nearly any format you want.

    The bottom line is that you get a solid database to store passwords that can be managed and transferred without fear of it getting hacked into. In addition, there are lots of features that make password management simpler, which helps in the big picture.

    Hopefully this gives you some ideas to consider. I'm not involved with the program at all, I just love it. I use it at home and at work daily.