Security Basics mailing list archives

RE: Password Manager Software recommendations


From: "Ackley, Alex" <aackley () epmgpc com>
Date: Fri, 4 May 2007 12:46:20 -0400

When we ran into this problem, our answer was to move to a Two-factor
authentication scheme.  This scheme uses Aladdin's USB eTokens and their
SSO software.  The two together (with an internal PKI infrastructure)
work just fine for this.

The SSO is simply a program (small footprint) that resides on each user's
machine that looks for applications to open.  When it sees one that it
has a template for, it looks on the token for the stored password
(secured with the user's PIN and certificate) and puts it into the
application's login box.

It's easy to set up and implement.  If your users can handle using a
token to log in, I recommend this setup.  Other companies have similar
products and they all fall in this little area between SOHO and
Enterprise.

Alex Ackley, CISSP, GSEC
Security Administrator
EPMG, PC
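The arrangement Alex describes (secrets sit on the token sealed under the user's PIN, and an agent on the workstation fills them only into applications it has a template for) can be sketched in a few dozen lines. The following is an added example written for this archive page, not code from the original post and not Aladdin's product or its API: the `Token`, `SsoAgent`, `seal`/`unseal` names and the window-title template dictionary are hypothetical, the credential and PIN are constructed sample values, and because it runs on the standard library only, an HMAC-SHA256 counter-mode keystream stands in for the AES that the thread asks for.

```python
"""PIN-protected credential token plus a template-matching SSO agent.
Added example with hypothetical names; not Aladdin's product or its API.
Standard library only: the HMAC keystream is a toy stand-in for AES."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # stretch the short PIN against offline guessing
MAX_PIN_FAILURES = 3          # hardware tokens lock after a few bad PINs


def _derive_keys(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the PIN."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(pin: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC a secret under keys derived from the PIN."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(pin, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def unseal(pin: str, record: dict) -> bytes:
    """Verify the tag before decrypting, so a wrong PIN fails closed."""
    enc_key, mac_key = _derive_keys(pin, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("bad PIN or tampered record")
    stream = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream))


class Token:
    """Stand-in for the USB token: holds only sealed records, counts PIN failures."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}
        self.failures = 0

    def store(self, pin: str, cred_id: str, username: str, password: str) -> None:
        self._records[cred_id] = seal(pin, f"{username}\0{password}".encode())

    def retrieve(self, pin: str, cred_id: str) -> tuple[str, str]:
        if self.failures >= MAX_PIN_FAILURES:
            raise PermissionError("token locked; needs administrative unblock")
        try:
            user, pw = unseal(pin, self._records[cred_id]).decode().split("\0", 1)
        except ValueError:
            self.failures += 1      # every bad PIN moves the token toward lockout
            raise
        self.failures = 0           # a good PIN resets the counter
        return user, pw


class SsoAgent:
    """Watches window titles; fills credentials only for templated applications."""

    def __init__(self, token: Token, templates: dict[str, str]) -> None:
        self.token = token
        self.templates = templates  # {title fragment: credential id}, constructed

    def on_window(self, title: str, pin: str):
        for fragment, cred_id in self.templates.items():
            if fragment in title:
                return self.token.retrieve(pin, cred_id)
        return None                 # unknown application: never fill anything


def demo() -> dict:
    """Walk through a good PIN, an unknown window, and lockout after bad PINs."""
    token = Token()
    token.store("1234", "erp", "jsmith", "Corr3ct-Horse")   # constructed sample
    agent = SsoAgent(token, {"Acme ERP": "erp"})
    results = {"good": agent.on_window("Acme ERP - Login", "1234"),
               "unknown": agent.on_window("Notepad", "1234"), "bad": 0}
    for _ in range(MAX_PIN_FAILURES):
        try:
            agent.on_window("Acme ERP - Login", "0000")
        except ValueError:
            results["bad"] += 1
    try:
        agent.on_window("Acme ERP - Login", "1234")
        results["locked"] = False
    except PermissionError:
        results["locked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real product in this category: the tag is checked before anything is decrypted, so a wrong PIN produces a refusal rather than garbage being typed into a login box, and the failure counter lives with the token, so the PIN cannot be brute-forced by the agent or by anything else on the workstation.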

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of BSD Dude
Sent: Thursday, May 03, 2007 8:44 PM
To: security-basics () securityfocus com
Subject: Password Manager Software recommendations

My users work with a fair number of systems and applications which
require unique login credentials.  As a result, I am actively looking
for a password manager to help secure and organize these credentials for
my end-users.

Having spent some time researching available commercial options, I have
found basically two types of products:

Enterprise level products that are primarily single sign-on
solutions--which are not feasible in my environment; or 

Home user products that are basically all in one Internet security
products--which are not suitable for my environment.

I am familiar with a few open source projects; however, there is a
preference on the part of management to deploy a commercially
supported/maintained solution; however, open source is not entirely out
of the question (I really do not wish to start a debate on open vs.
closed source security products). 

The basic general requirements are:

Easy to use for most non-technical end-users
Small resource footprint 
Easy to deploy
Use of AES, Twofish, and/or Blowfish algorithms
Product must be actively supported/maintained for the foreseeable future
(I am aware of the problems with this type of requirement)
Suitable for business/enterprise (MS Windows) environments

I'd appreciate some feedback/recommendations from those admins who have
traveled down this path before.


