On Sun, Oct 27, 2013 at 8:25 AM, Mark Phillips
<mark@phillipsmarketing.biz> wrote:
> On Sun, Oct 27, 2013 at 2:12 AM, Ed <plug@0x1b.com> wrote:
>>
>> Hi All,
>>
>> 1) your compliance officer is having kittens....
> The compliance officer does not like cats.....the team members are the ones
> having kittens.
> PasswordSafe is too complicated for them to use.
ok - if your compliance officer is happy, then me too - PasswordSafe
too complicated... hmm, I would never have guessed that.
>>
>>
>> 3) if you need to control access (AAA), you should think about
>
> The credentials I am sharing are not for my servers, but for accounts on
> servers
> that I don't manage. Like Wells Fargo.
never mind - too complicated, but WF can do that kind of relationship if needed:
team gets their own creds for your SAML server, it federates to
>>
>>
>> why not keep things simple?
>
>
> I am all for that!!!! ;)
>>
>>
>> It sounds like you could get by with a plain Apache httpd install that
>> only serves https and requires a client side certificate for access,
>> there really is no reason to put this info on any other systems. Odds
>> are good you can serve this up from your office cable/DSL service
>> without too much trouble.
>
>
> That would work. My biggest concern is that I am not enough of a security
> expert
> to guarantee that what I whip up is secure enough. So, I am looking for
> recommendations
> for third party solutions that are secure.
Hard to beat a website you host for secure and simple (ie team
appropriate access) and PLUG does have a security meeting that could
pen test your work.
http://phxlinux.org/meetings/20-linux-security-hackfest.html
The hardest part might be installing certificates in your team's
browsers - not an act many users are familiar with, but easily
cookbooked and should be a one time event. If you run Linux, just load
Apache-httpd (yum or apt or..) and look at http://localhost - I bet it
is already up.
If you have access to your team's computers, it might be easier to
just SSH (remote access) into their systems and keep a file updated on
their system. Team members would then just be working off a local doc
file, almost as easy as hitting a bookmark.
If your only worry is that the file be secure in transit, then this
should be an easy thing.
>>
>>
>> And, NO! none of this is appropriate for real client credentials -
>> also make your clients pick new random 12 character passwords
>> (MyPasswordSafe can generate them for you if needed) the odds are good
>> that the passwords you are sharing with your team are the same
>> passwords your clients use for personal email and all sorts of other
>> things too.
>
>
> Since I pass out the credentials and manage them, I control when the
> passwords change.
> I just need a secure and easy way to communicate the changes to the team
> members.
> Remember, the team members cannot spell "pgp", so it has to be really simple
> for them,
> but secure enough to keep a Wells Fargo account login safe.
if you're the originator of the credentials then ~ never mind
>>
>>
>> Mark - this is bad, really bad
>
>
> What is bad??? My problem or the proposed solutions?
Didn't understand that these are more like hosted accounts - and not
true client accounts (street) so no ID theft risk or other chicanery.
Disclosure of passwords to third parties will violate terms on many
accounts. Not a problem here as your compliance O is happy.
still wondering about the usefulness of a team that is challenged by
spelling "pgp" ...
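The "plain Apache httpd, https only, client certificate required, certs cookbooked into the team's browsers" setup discussed above, as an added shell cookbook; it is not from the thread or from PLUG. The CA name, the member "alice", the host name passwords.example.test and the /etc/ssl/team paths are constructed placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Cookbook for the "Apache httpd, https only, client certificate required"
# idea in the thread. Added example, not from the list. "alice", the host
# name and the /etc/ssl/team paths are constructed placeholders; needs openssl.
set -e
# Private CA that only this site trusts: a browser without a certificate
# signed by it is rejected in the TLS handshake, before any page is served.
make_team_ca() {   # $1 = output dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Team Password Site CA" \
    -keyout "$1/team-ca.key" -out "$1/team-ca.crt" 2>/dev/null
}

# One certificate per team member, bundled as PKCS#12 (the format Windows,
# Mac and Linux browsers all import). Returns 0 only if it chains to the CA.
issue_client_cert() {   # $1 = dir, $2 = member name, $3 = bundle password
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/team-ca.crt" \
    -CAkey "$1/team-ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" \
    -certfile "$1/team-ca.crt" -out "$1/$2.p12" -passout "pass:$3"
  openssl verify -CAfile "$1/team-ca.crt" "$1/$2.crt" >/dev/null
}

# Apache vhost: :443 only (no :80 vhost at all), client cert mandatory, and
# the certificate CN in the access log so every read is attributable.
write_vhost() {   # $1 = dir, $2 = server name
  cat > "$1/passwords.conf" <<EOF
<VirtualHost *:443>
    ServerName $2
    DocumentRoot /var/www/passwords
    SSLEngine on
    SSLCertificateFile    /etc/ssl/team/server.crt
    SSLCertificateKeyFile /etc/ssl/team/server.key
    SSLCACertificateFile  /etc/ssl/team/team-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t %r %>s" teamlog
    CustomLog /var/log/apache2/passwords.log teamlog
</VirtualHost>
EOF
  grep -q 'SSLVerifyClient require' "$1/passwords.conf"
}

if [ "$#" -ge 1 ]; then   # usage: sh cookbook.sh /tmp/team
  mkdir -p "$1"; make_team_ca "$1"; issue_client_cert "$1" alice changeme
  write_vhost "$1" passwords.example.test
fi
```

Hand each member their .p12 file and its password over separate channels; once imported, the browser presents the certificate automatically and the server refuses any client that does not hold one signed by team-ca.crt.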
>
> Thanks,
>
> Mark
>>
>>
>> On Sat, Oct 26, 2013 at 5:11 PM, Mark Phillips
>> <mark@phillipsmarketing.biz> wrote:
>> > I use keepass2 with dropbox for my personal passwords and love it. But
>> > it is
>> > too complicated for my team...:-(
>> >
>> > Mark
>> >
>> > On Oct 26, 2013 2:58 PM, "Michael Butash" <michael@butash.net> wrote:
>> >>
>> >> At work we use "password safe" to share common passwords like service
>> >> accounts, shared vendor accounts, and various other credentials that
>> >> are not
>> >> unique to a member. It's kind of a kludge, and of course windoze only,
>> >> so I
>> >> have to use vm to access it. quite annoying.
>> >>
>> >> I've considered pushing to use keepass instead, as I've used this as
>> >> well
>> >> for a good 6 years under linux. Only problem is it's only a file db to
>> >> be
>> >> accessed, which makes anyone not on a shared network resource accessing
>> >> it
>> >> difficult. Also sadly, even the "official" version iterated to
>> >> keepass2, a
>> >> really crap c#/mono application that barely works under linux, and not
>> >> without frustrations, but older 1.x format with keepassx works great.
>> >>
>> >> I have since migrated to LastPass, even paying for the service because
>> >> I've found it to be more valuable than the $12 a year personally, and
>> >> their
>> >> "enterprise version" can have shared access permissions. Perhaps the
>> >> consumer version can be coaxed to do this too, but I've not had
>> >> necessity to
>> >> try. The android integration with dolphin browser (plugin) makes it
>> >> easy on
>> >> any platform, mobile or desktop for consistent access means.
>> >>
>> >> Secure shared access for me is a random large/complex string that I
>> >> note
>> >> as who I've given it to, and only as long as needed before changing it.
>> >> I
>> >> don't remember passwords, preferring the ambiguity that if I can
>> >> remember
>> >> it, likely others can brute-force it, or torture it out of me.
>> >>
>> >> Of course any service like lastpass inside the US, the NSA would simply
>> >> subpoena and force to give unilateral access to my account anyway (much
>> >> as
>> >> they can/do anyone, thank your politicians) at that point, so really
>> >> confidentiality is all a perception regardless as long as anything is
>> >> shared
>> >> externally.
>> >>
>> >> -mb
>> >>
>> >>
>> >> On 10/26/2013 02:31 PM, Eric Cope wrote:
>> >>
>> >> I use lastpass, although not to share... I can help demo it if you
>> >> want...
>> >>
>> >> Eric
>> >>
>> >>
>> >> On Sat, Oct 26, 2013 at 2:20 PM, Mark Phillips
>> >> <mark@phillipsmarketing.biz> wrote:
>> >>>
>> >>> I have a small team, and I am looking for a way to share account info
>> >>> -
>> >>> user names and password, and password updates. These are login
>> >>> credentials
>> >>> for financial accounts I manage.
>> >>>
>> >>> I googled for some ideas, and came up with snail mail, various web
>> >>> services that encrypt/decrypt emails, Lastpass, and safegmail.
>> >>>
>> >>> The users are technical noobs, so it has to be easy. No software to
>> >>> install. Free or inexpensive. They use Windows and Mac, I use Linux.
>> >>> Only I
>> >>> use Gmail, so safegmail is out.
>> >>>
>> >>> Does anyone have any recommendations for web service solutions? Anyone
>> >>> use Lastpass? Other ideas?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Mark
>> >>>
>> >>>
>> >>> ---------------------------------------------------
>> >>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> >>> To subscribe, unsubscribe, or to change your mail settings:
>> >>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss