One of my clients has a fairly complicated web application. In any application of this nature, there are a lot of usernames and passwords–for DNS management, databases, accounts for integrated services, etc. Where can you store all these?
Well, you could have a master excel spreadsheet that gets version controlled. You could also go the route that some of my sysadmin friends have–a text file that is PGP encrypted. You could manage all the passwords via extensive sticky note or social memory (I might recommend against the latter two methods). Or you could use a specialized password management software. I haven’t done extensive research on in this area, but so far we’ve been using Password Safe, and I’ve been relatively happy with it.
Good features:
- You can open up the password file as ‘read only’, preventing you from mistakenly adding or changing data in the file.
- There’s an option to generate passwords. So, if you’re having a hard time coming up with a secure password, the software can string together a random set of characters.
- You can copy the password from Password Save and paste it into your application without even seeing it.
- Once you give it the master password, it will only stay open for a certain number of minutes.
- You can group password entries within the tool for better organization.
- You can associate a URL with a password entry, and use keyboard shortcut to open that URL when you are viewing the password entry. This is something I thought was kind of useless until I started using it.
- Password Safe supports windows and linux, and there’s other projects out there supporting more platforms, like Password Gorilla
The only issue I can think of is that version controlling the password file can be tedious. Just like version controlling any other binary file, CVS (or any other source management system) can’t do merges. That means that when you change something, you need to make sure that anyone who will change something else in the file updates before they do. The alternative is to not have it version controlled, but I like everything in version control.
If you have many passwords to manage, I’d recommend taking a look!
Follow me on Twitter
Follow me on Blue Sky
I am a big fan of Password Safe but just wanted to mention that for those who want to have their passwords with them wherever they go – PassPack (http://passpack.com)an online password manager may be something to consider.
Here is a comparison to offline vs. online password managers:
http://passpack.wordpress.com/2007/01/29/online-vs-offline-password-managers/
Louise
Louise
Pingback: Passwordsafe, redux | Dan Moore!