Educause Security Discussion mailing list archives

Re: Password keepers


From: Josh Drummond <jdrummon () UCI EDU>
Date: Mon, 27 Aug 2012 12:46:45 -0700

For personal / single-user use I recommend to people the free LastPass (http://www.lastpass.com) solution. The best balance of strong security and convenient usability I've seen. For shared / multi-user use in enterprise I recommend the free open-source WebPasswordSafe (http://www.webpasswordsafe.net) solution [full disclosure: as the author I'm a bit biased]. It is a cross-platform Java web application server; you can customize the strong security controls and deploy it to fit your environment.

Either way, to fully answer your question, encrypted digital offsite backups with the key kept separate from the data, out-of-band, are the way to go. But if immediate availability in a disaster is a huge risk for you where a digital solution can't be depended on, printing an unencrypted export (both of the above solutions support that) as a physical copy and keeping it safe with your usual physical security controls (sealed envelope, locked, access log, cameras, etc.) is what you are left with.

Thanks,
~Josh

On 8/27/12 7:28 AM, Slocum, Stacy wrote:

Hello-

Could anyone share a best practice with regard to the storage and safe keeping of the collection of all system passwords? Is using a keepass type application the best approach? What about redundancy in the event you can't get to the stored list or it is corrupt?

Any advice and/or opinions would be very helpful.

Thanks

Stacy


--
*Josh Drummond*
Manager - IT Security & Architecture
Office of Information Technology
University of California, Irvine
Email: jdrummon () uci edu
Phone: 949.824.9574
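
The backup approach recommended in the reply above (encrypted export, key held separately from the data), together with a restore check for the corruption case raised in the question, as an added example that is not part of the original post or of either product. The function names and directory layout are assumptions, and it assumes OpenSSL 1.1.1 or later and `sha256sum` are installed.

```shell
#!/usr/bin/env bash
# Added example. Directory names are assumptions: in practice DATA_DIR is the
# offsite backup target and KEY_DIR is separate media kept in a different place.
set -euo pipefail

# Encrypt an export under a fresh random key. Ciphertext and key go to
# different directories so neither location alone exposes the passwords.
backup_export() {
    local export_file=$1 data_dir=$2 key_dir=$3 name
    name=$(basename "$export_file")
    mkdir -p "$data_dir" "$key_dir"
    ( umask 077; openssl rand -hex 32 > "$key_dir/$name.key" )
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$export_file" \
        -out "$data_dir/$name.enc" -pass "file:$key_dir/$name.key"
    # Checksum catches accidental corruption of the stored copy (not tampering).
    ( cd "$data_dir" && sha256sum "$name.enc" > "$name.enc.sha256" )
}

# Check the stored ciphertext, then decrypt it to OUT. Fails on corruption.
restore_export() {
    local name=$1 data_dir=$2 key_dir=$3 out=$4
    ( cd "$data_dir" && sha256sum -c "$name.enc.sha256" >/dev/null 2>&1 ) || return 1
    ( umask 077; openssl enc -d -aes-256-cbc -pbkdf2 -in "$data_dir/$name.enc" \
        -out "$out" -pass "file:$key_dir/$name.key" )
}

# Restore drill on a constructed export: returns 0 only if the round trip
# reproduces the original byte for byte.
restore_drill() {
    local tmp rc=0
    tmp=$(mktemp -d)
    printf 'system,account,password\ndb01,admin,constructed-sample\n' > "$tmp/export.csv"
    backup_export "$tmp/export.csv" "$tmp/offsite" "$tmp/keys"
    restore_export export.csv "$tmp/offsite" "$tmp/keys" "$tmp/restored.csv" \
        && cmp -s "$tmp/export.csv" "$tmp/restored.csv" || rc=1
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "drill" ]; then restore_drill && echo "restore drill passed"; fi
```

Running the script with the argument `drill` exercises the full round trip on the constructed sample; the same check against a real backup is what shows the stored copy is still readable.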
