Educause Security Discussion mailing list archives

Re: Password Management


From: Kevin Crider <kcrider () SKIDMORE EDU>
Date: Wed, 27 Feb 2019 15:50:31 +0000

The big diff for us is the portability of KeePass PLUS its vulnerabilities.

Being portable is a nice feature, but it also means someone can take the database file and you'd never know...and do 
all kinds of things with it...

https://www.rubydevices.com.au/blog/how-to-hack-keepass

12 minutes to crack the master password.

At least with a cloud service I can control it...turn it off...and monitor access.

I love KeePass and agree it's way better than nothing...but IMO not much better than a spreadsheet...



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Maud, Phil
Sent: Wednesday, February 27, 2019 10:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management

I've used KeePass and have recommended it in the past.

It's a good price (free) and is pretty usable and most importantly isolated from the browser (which seems to be the 
source of numbers of password manager hacking attempts)

I looked for encryption cracking against KeePass and AFAIK it stands up pretty well - where I find vulnerabilities they 
seem to extend to other password managers as well (recent in-memory password recovery being an example).

The main argument I had about not using it commercially is that there is no master key which means that if a user loses 
their master password they have lost all their passwords in one go and no one in IT can undo that for them

It's a basic password manager but better than no password manager...

Regards

Phil Maud
Information Security Analyst
Information Services, Building 63 (IT) G7
E: P.H.Maud () cranfield ac uk
T: +44 (0) 1234 75 4879





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of William D Sanders
Sent: Monday, February 25, 2019 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Management

Is anyone using KeePass? I've used it before in a non-education environment, and it worked well for us. I'd love to 
hear about anyone's experience with it.
Thanks,
Dan



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Williams
Sent: Monday, February 25, 2019 10:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Management

Looks like this topic hasn't been discussed in a while (~2 years).  We *have* had around 100 users in LastPass 
Enterprise for our IT department for the past 4 years.  This is the 4th year in a row that the price has increased 100% 
year over year.  It was $8/year/user 4 years ago.  So over 4 years $8*2*2*2 = ~62/year/user today.  What is everyone 
else using these days?  Are you using DUO with it as well?  Thanks!

Greg Williams, ME
Director of Operations
Office of Information Technology
Lecturer
Department of Computer Science

University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
Phone: (719) 255-3292
Connect: Skype<skype:gwillia5 () uccs edu?chat> | WebEx<https://uccs.webex.com/meet/gregwilliams>
www.uccs.edu<http://www.uccs.edu/>

