Password safe exchange?
April 6, 2009 2:51 PM Subscribe
I want to build a flashdrive based password safe that my whole family can use. I have a good start I think, but I'd like some ideas for making it actually work.
The overview -
I'm growing concerned that I'm wandering around with too mauch information that would be extremely hard to recover if anything happened to me - Passwords for everything from my on-line banking to my domain hosting, contact lists, various email accounts, billing information, etc. And I know my family is running around with their own ocean of sensitive information. I know there are third party services that can manage all of this, but I'd prefer to not host it somewhere that a) may go belly up at any time, and b) is a stranger that now has all my family's most secure data.
My plan is to hand out USB flashdrives to everyone. These drives will have KeePass for storing passwords, TrueCrypt to provide an encrypted space, and AxCrypt to encrypt files if things need to be emailed. KeePass would be the main application here.
KeePass allows seperate password databases to be password protected and passed around with each file being self-contained (though you still need KeePass to open them). So each family member could create there own password safe, put their own password on it, then mail the file to everyone else who would store it on their flashdrive. Updates would be just as easy. Everyone's password file would still be secure, since you'd still need their personal password to open their database.
So, in a nutshell, I would have a flashdrive that had several password safes. But I'd only be able to get into mine. Some mechanism would need to be established so I or other family members could get access to the other files.
Here is the tricky part, and my question - How do we secure everyone's personal password? We'd need to recover it in the case of a tragedy, but it should still be secure until then. I'd like to find a solution that was somewhat portable, like the flashdrive. And I'd rather not pay some third party such as an attorney.
The overview -
I'm growing concerned that I'm wandering around with too mauch information that would be extremely hard to recover if anything happened to me - Passwords for everything from my on-line banking to my domain hosting, contact lists, various email accounts, billing information, etc. And I know my family is running around with their own ocean of sensitive information. I know there are third party services that can manage all of this, but I'd prefer to not host it somewhere that a) may go belly up at any time, and b) is a stranger that now has all my family's most secure data.
My plan is to hand out USB flashdrives to everyone. These drives will have KeePass for storing passwords, TrueCrypt to provide an encrypted space, and AxCrypt to encrypt files if things need to be emailed. KeePass would be the main application here.
KeePass allows seperate password databases to be password protected and passed around with each file being self-contained (though you still need KeePass to open them). So each family member could create there own password safe, put their own password on it, then mail the file to everyone else who would store it on their flashdrive. Updates would be just as easy. Everyone's password file would still be secure, since you'd still need their personal password to open their database.
So, in a nutshell, I would have a flashdrive that had several password safes. But I'd only be able to get into mine. Some mechanism would need to be established so I or other family members could get access to the other files.
Here is the tricky part, and my question - How do we secure everyone's personal password? We'd need to recover it in the case of a tragedy, but it should still be secure until then. I'd like to find a solution that was somewhat portable, like the flashdrive. And I'd rather not pay some third party such as an attorney.
Passwords written on paper and a safe deposit box at the bank or an actual safe in your house. Paper is pretty portable...
posted by iamabot at 2:59 PM on April 6, 2009
posted by iamabot at 2:59 PM on April 6, 2009
Depending on what you mean by "tragedy" another option is to split a password up so that everyone else together can reformulate it, but that no n-2 people can. This is called Secret sharing Some software is linked there, but I haven't used them.
posted by a robot made out of meat at 3:04 PM on April 6, 2009
posted by a robot made out of meat at 3:04 PM on April 6, 2009
Oh, I guess I didn't make that explicit. Assuming you have 4 family members.
1) Everybody puts their password into, say, ssss, and gets 3 "pieces" where 3 pieces can give back the password.
2) The pieces are distributed to the other members.
3) Everyone's password vault/file contains their mundane passwords and the pieces they have of the other 3 people's passwords.
When person A forgets his password (or dies, or joins a cult, whatever), the other three fetch their pieces and plug them back into ssss. Now A's file (which is on all of their flashdrives) can be unlocked, and then reencrypted with a new password that he'll remember.
posted by a robot made out of meat at 3:14 PM on April 6, 2009 [1 favorite]
1) Everybody puts their password into, say, ssss, and gets 3 "pieces" where 3 pieces can give back the password.
2) The pieces are distributed to the other members.
3) Everyone's password vault/file contains their mundane passwords and the pieces they have of the other 3 people's passwords.
When person A forgets his password (or dies, or joins a cult, whatever), the other three fetch their pieces and plug them back into ssss. Now A's file (which is on all of their flashdrives) can be unlocked, and then reencrypted with a new password that he'll remember.
posted by a robot made out of meat at 3:14 PM on April 6, 2009 [1 favorite]
Response by poster: "You're probably overthinking this with the flashdrive thing."
My theory is that a flashdrive that has all the required software on it, ready to run, will be easier for some to use. Trying to explain where to go, what to grab, how to install, etc seems like too mauch bother.
Obviously people can put the files where ever they want, but having the flashdrive as a baseline seems easiest.
posted by y6y6y6 at 3:47 PM on April 6, 2009
My theory is that a flashdrive that has all the required software on it, ready to run, will be easier for some to use. Trying to explain where to go, what to grab, how to install, etc seems like too mauch bother.
Obviously people can put the files where ever they want, but having the flashdrive as a baseline seems easiest.
posted by y6y6y6 at 3:47 PM on April 6, 2009
I'm with iamabot. I think in a tragic situation the last thing your family will want to deal with is this complexity. Put the sensitive information in the safe deposit box. If it's just passwords like your examples, you can write them on a piece of paper. If it's more, you can print it. Flash drives, like self-burned CD ROMs, are a totally unproven medium for long-term storage. Paper is good.
posted by fritley at 4:56 PM on April 6, 2009
posted by fritley at 4:56 PM on April 6, 2009
Keepass comes to mind
http://lifehacker.com/5044925/hive-five-winner-for-best-password-manager-keepass
You can run it off of a thumb drive and it can store passwords for different profiles.
posted by nuke3ae at 3:06 AM on April 7, 2009
http://lifehacker.com/5044925/hive-five-winner-for-best-password-manager-keepass
You can run it off of a thumb drive and it can store passwords for different profiles.
posted by nuke3ae at 3:06 AM on April 7, 2009
My theory is that a flashdrive that has all the required software on it, ready to run, will be easier for some to use. Trying to explain where to go, what to grab, how to install, etc seems like too mauch bother.
Fair enough. I'll second the KeePass (or KeePassX) recommendation. During the brief time that I tried it out, it seemed easy enough to use and set up.
posted by chrisamiller at 6:22 PM on April 7, 2009
Fair enough. I'll second the KeePass (or KeePassX) recommendation. During the brief time that I tried it out, it seemed easy enough to use and set up.
posted by chrisamiller at 6:22 PM on April 7, 2009
Response by poster: a) Yes, KeePass. Which is why I mentioned in my question that the whole idea is built around KeePass.
b) I haven't found a good way to release master passwords in case of emergancy or whatever. The idea of putting them in a safe sort of makes the whole thing less useful. The reason to do this is that it's distributed, digital, redundant, personalized, and easy to update.
c) I'm thinking I might just write a web application to handle releasing passwords. Everyone would upload their password along with people trusted to release it. The webpage would let anyone in the family request a password release. That would trigger some emails where others in the family would have to agree before it was released.
Of course one of the main problems with such an app is that the passwords are stored in a database or something similar.
I'm still working on it.
posted by y6y6y6 at 11:18 AM on April 10, 2009
b) I haven't found a good way to release master passwords in case of emergancy or whatever. The idea of putting them in a safe sort of makes the whole thing less useful. The reason to do this is that it's distributed, digital, redundant, personalized, and easy to update.
c) I'm thinking I might just write a web application to handle releasing passwords. Everyone would upload their password along with people trusted to release it. The webpage would let anyone in the family request a password release. That would trigger some emails where others in the family would have to agree before it was released.
Of course one of the main problems with such an app is that the passwords are stored in a database or something similar.
I'm still working on it.
posted by y6y6y6 at 11:18 AM on April 10, 2009
This thread is closed to new comments.
You're right that the password is the key. You might have every family member prepare a sealed envelope with their pass inside, then place them in either a safe-deposit box, or a fireproof lockbox.
posted by chrisamiller at 2:58 PM on April 6, 2009