Share a password without really sharing a password...
July 9, 2007 10:02 AM

I'm looking to arrange a particular password setup with several unpaid staffers in my office. Here's the arrangement: 5-10 folks each day access one or more of ten online accounts that we communally use. I want to be able to easily distribute the passwords and have the users be able to employ them without ever being able to see what they are.

I want to find a system that looks like this:
-For each user, they need me to enter a master password at the beginning of the day.
-They can then have the functionality of the passwords (so they can access any of the 10 or so websites they need to reach), but (here's the biggie) cannot delve into any settings and be able to see the password itself. E.g., no matter how much digging in the settings, all they would ever be able to see are asterisks.
-I am able to distribute updated passwords without manually entering them for each system.

Currently, I distribute a keepass file and log each user in at the beginning of the day, but cannot ensure that the user doesn't burrow into the settings and see or export the passwords.

Any thoughts on how I could give them this functionality without allowing them to ever see the passwords themselves?

Thank you in advance for the thoughts and any help. This is a wonderful community.
posted by ud-gb to Computers & Internet (11 answers total)
 
What kind of passwords?
Is this Unix? Windows? Web-based?
posted by jozxyqk at 10:05 AM on July 9, 2007


The Mac OS X Keychain will allow this. Save the passwords in Safari, then set the keychain to lock automatically after X hours.

The only app that will show them the passwords is Keychain Manager, and it won't show them without the master password.
posted by bonaldi at 10:21 AM on July 9, 2007


I think the right answer is to actually create an account for all 10 people on all 10 sites with the appropriate access restrictions, but I'm guessing you can't do that.

Hard to tell from what you've provided.

If you're really serious about setting up this type of system, I would consider setting up a custom proxy that has the necessary credentials to log in to all the sites, then just provide each of the users with a login to the proxy. This is no small feat, however, depending on how the end sites process logins. And it will almost certainly involve a bit of custom coding/scripting.
posted by meta_eli at 10:27 AM on July 9, 2007


Do a google search for Single Sign-On and you'll be able to read up on a lot of apps. We have something at our company (it's fairly enterprise-ish though) where you can configure a set of shortcuts so that the system automatically logs the user in. It's all done using Active Directory but I don't really know the details.

You also need to script it to populate the appropriate fields into all the forms. The logins are associated to the main login and the passwords are fairly well-hidden as it's all server-side.

Hope that helps.
posted by PWA_BadBoy at 10:31 AM on July 9, 2007


What you're trying to do is basically manage a "keychain", so searching for that might help.

I am sure that ssh-agent can do this, if the systems in question are Unix or Mac OS. You add the passwords to the ssh-agent program, and then give access to the running agent to each user's login. The agent usually runs on a socket, and you can "give access" to it through the filesystem.

The users' own logins would then give them access to the agent.
posted by cotterpin at 11:00 AM on July 9, 2007


Under Windows, if they can see the asterisks, they can see the password. There exists software to do just that, such as Asterisk Logger.
posted by gmarceau at 1:02 PM on July 9, 2007


Especially if you don't want them to be able to edit account settings, you're talking about a proxy. Someone will probably have to set it up for you, and do some initial work with what to block and what to log in automatically. Anyone relatively competent with managing whatever environment you run should be able to do the research & get it going, though if you have to hire someone, it may not be cheap.
posted by devilsbrigade at 2:16 PM on July 9, 2007
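meta_eli's proxy design and devilsbrigade's note about blocking account-settings pages, as an added example that is not code from this thread or from any of the posters: the core decision logic of a credential-injecting proxy, in Python. Everything in it is constructed: the vault entries, the host names, the blocked paths, the staffer "alice" and the X-Proxy-Session header are illustrative assumptions, and it models requests as plain dicts rather than speaking HTTP so that it runs offline. The point it shows is the separation the question is after: the shared site password exists only inside the proxy process, staff authenticate to the proxy with their own password, any Authorization header the client supplies is discarded, and paths that would reveal or change the shared credential are refused before anything is forwarded.

```python
"""Credential-injecting proxy core (constructed example, not from the thread).

The shared site passwords live only in this process. Staff log in to the
proxy with their own credentials; the proxy attaches the shared credential
to the forwarded request and refuses paths that would expose or change it.
"""
import base64
import hmac
import secrets
from hashlib import pbkdf2_hmac

# Constructed: shared credentials for the communal accounts, proxy-side only.
VAULT = {
    "crm.example.org": ("staff", "hunter2"),
    "mail.example.org": ("office", "correct-horse-battery-staple"),
}

# Constructed: path prefixes that would reveal or change the shared credential.
BLOCKED_PREFIXES = {
    "crm.example.org": ("/account/password", "/settings"),
    "mail.example.org": ("/preferences/security",),
}

# Client headers that are never passed upstream: they could override or leak auth.
STRIPPED_HEADERS = {"authorization", "x-proxy-session"}


class ProxySessions:
    """Per-staffer logins to the proxy itself. A session maps to a user name,
    never to a site password."""

    def __init__(self, staff):
        # staff: user -> (salt, PBKDF2-SHA256 hash of that user's proxy password)
        self._staff = staff
        self._sessions = {}

    @staticmethod
    def hash_password(password, salt):
        return pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, user, password):
        """Return a random session token, or None on bad credentials."""
        entry = self._staff.get(user)
        if entry is None:
            return None
        salt, expected = entry
        if not hmac.compare_digest(self.hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        """The end-of-day step: drop the proxy session, nothing else to revoke."""
        self._sessions.pop(token, None)


def build_upstream_request(sessions, client_req):
    """Decide what, if anything, to forward for one client request.

    client_req is {"host": str, "path": str, "headers": {name: value}}.
    Returns (True, upstream_request) or (False, reason).
    """
    token = client_req["headers"].get("X-Proxy-Session")
    user = sessions.user_for(token) if token else None
    if user is None:
        return False, "not logged in to the proxy"

    host = client_req["host"]
    if host not in VAULT:
        return False, f"{host} is not a proxied site"

    path = client_req["path"]
    if path.startswith(BLOCKED_PREFIXES.get(host, ())):
        return False, f"{path} is blocked on {host}"

    # Drop anything the client sent that could smuggle or override auth,
    # then add the shared credential as HTTP Basic.
    headers = {k: v for k, v in client_req["headers"].items()
               if k.lower() not in STRIPPED_HEADERS}
    site_user, site_pass = VAULT[host]
    basic = base64.b64encode(f"{site_user}:{site_pass}".encode()).decode()
    headers["Authorization"] = "Basic " + basic
    # Audit trail names the staffer who acted, not the credential used.
    headers["X-Acting-Staffer"] = user
    return True, {"host": host, "path": path, "headers": headers}


def make_sessions():
    """Constructed staffer directory: one user, 'alice', proxy password 'alice-pw'."""
    salt = b"constructed-fixed-salt"  # real code: os.urandom(16) per user
    return ProxySessions({"alice": (salt, ProxySessions.hash_password("alice-pw", salt))})


if __name__ == "__main__":
    sessions = make_sessions()
    token = sessions.login("alice", "alice-pw")
    print(build_upstream_request(sessions, {
        "host": "crm.example.org", "path": "/leads",
        "headers": {"X-Proxy-Session": token, "Authorization": "Basic attacker"}}))
    print(build_upstream_request(sessions, {
        "host": "crm.example.org", "path": "/settings/password",
        "headers": {"X-Proxy-Session": token}}))
```

This covers sites that accept HTTP Basic authentication. Form-based logins, which meta_eli flags as the hard part, need the proxy to drive the site's login form and hold the resulting session cookie on the staffer's behalf; this sketch does not attempt that.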


I think you should investigate some form of token-based authentication. You can authenticate based on a constantly iterating but unpredictable number that appears on a tiny hand-held device. Every password expires in ten seconds, so it doesn't matter if they see it. Then you can do away with the need to manage passwords altogether.
posted by Area Control at 3:57 PM on July 9, 2007
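Area Control's token suggestion, as an added example not taken from the thread: what the "constantly iterating but unpredictable number" on such a device is, implemented in Python from the HOTP (RFC 4226) and TOTP (RFC 6238) specifications. The secret and timestamps used in the demo are the RFC test vectors, not anything from this thread, and the 30-second step is the RFC 6238 default. The verify function is the site's side of the exchange: it accepts one step of clock drift either way and rejects anything older, which is why a code a staffer reads off the screen is of no use once its step has passed. Two caveats a practitioner would add: this only replaces the shared static password where the site itself supports such a token, and the seed secret must still be held by the device and the site, so the thing to protect moves from the password to that secret.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes.

Added example, not code from the thread. Secret and timestamps in the demo
are the RFC test vectors; the 30-second step is the RFC 6238 default.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the current step and `window` steps either side to
    absorb clock drift; anything older is rejected. Every candidate is checked
    in constant time and the loop never exits early, so timing does not reveal
    which step matched."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    submitted = code.encode()
    ok = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits).encode()
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, at=t, digits=8))
    # A code valid at t=59 is still accepted one step later, but not at t=200.
    print(verify_totp(secret, "94287082", at=89, digits=8))
    print(verify_totp(secret, "94287082", at=200, digits=8))
```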


Firefox's built in password manager will only show passwords upon entering the master password. That is, you enter the master password once to start using auto-filling on websites, but this does not unlock the password file. You have to enter the master password while the password management dialog is open, for the actual plain text passwords to be displayed.

That is just user experience, I've no idea if it is implemented "securely enough".
posted by Chuckles at 7:59 PM on July 9, 2007


Response by poster: thanks to everyone and please, if you have any more ideas - know that I am grateful and researching any path.

Sorry, but here are a few details that some have asked about that I left out (!).

It would be cross-platform, on XP as well as OS X. Unfortunately, any script building or hiring out of services will probably prove untenable. I'm interested in trying the master password of Portable Firefox. Even though it is a significant hole that in XP anyone can break through asterisks, this plan would still be progress.

Bonaldi, I'll give the os x keychain a gander, too.

Please comment if any ideas could be enabled by further details on my part and again, please know that I am very grateful to you for sharing and growing this body of knowledge.
posted by ud-gb at 9:19 AM on July 11, 2007


Response by poster: So just to follow up, I ended up setting up XP and OS X versions of Portable Firefox on a thumb drive and have the people copy the folder onto their computer. As long as they close Firefox, they'll need me to re-log them in, and by having a master password, the only hole I can see is one I can't help: that of the asterisks being able to be converted via JavaScript in the URL.
posted by ud-gb at 9:05 AM on July 18, 2007

