April 1, 2010

Secure Password Management

One of the recurring issues in my line of work is the storage of sensitive information.  As a freelancer, I am entrusted with a large amount of commercially sensitive information, access details to servers/networks/software and similar.  Obviously, there ends up being far too much to simply remember!  All too often people “solve” this problem by storing information in emails, in a document, on a post-it-note or scrap piece of paper.  Not very secure!  Other approaches I have seen taken include reusing the same password over and over for different things.  Again, easy to exploit, once an individual with malicious intent finds one password – they have much broader access than anticipated.


Secure Password Management

Attempts have been made to develop software for the sole purpose of securely storing passwords.  Some are pretty good for the single user environment – i.e., a single application to download and use on a single PC.  Some have network support and the notion of multiple users.  Some are free, some are open source, others are commercial.  As always, selection depends on requirements, but a few of the more popular are KeePass, 1Password and LastPass.

I looked at several but the biggest initial short coming, for me, was the lack of a Web Browser interface.  In this instance, my reasoning was because I am in the process of building my own Intranet with many tools accessible via browser grouped into a neat portal style application.  Having said that, a browser solution is preferable to many organisations for a number of reasons.  First of all, for each client or user, there is no need to install anything.  The sole requirement is a web server on the internal network (which most companies, these days, would already have) and a web browser on each client.  In larger scenarios this is fantastic, solutions can be rolled out “company wide” in one swoop, completely non-intrusive to everything else on the network or its clients.  This offers a further advantage in that updates to software, access controls/users and content can be administered at the server and again instantly go company wide.  Lastly, such a solution offers platform independence, you could even access your password repository via your mobile phone.

So, off I ventured for web based solutions.  The pickings are comparatively slim but there are a few.  One example is PasswordSafe, another is Secret Server.  Then I remembered something I used to use while fully employed:

The History of Magpie

Back when I was working for a company called Accelerate4, we used a piece of software on our Intranet called Magpie.  It had been developed by one of the guys I was working with.  At the time, it was fairly simple, nothing special to look at, but very capable and a perfect fit for our needs.  Developers loved it and it became used extensively and exclusively internally for its designed purpose.

The original developer, as it turns out, has not abandoned Magpie and when I contacted him was in the process of beta testing a new release.  I was more than happy to get involved as it allowed me some input in terms of extra functionality and the future “wish list”.  🙂

Magpie Today

Is very well evolved and is the choice I have made for the FlatCoder Intranet.  There are a number of reasons for this decision, the highlights listed succinctly below:

  • Browser based, as noted.
  • Great organisation and grouping of data.
  • Ability to define teams as well as users, fine granularity control and view of  “who knows what”.
  • Multilingual
  • Ability to restrict/control access via IP address.
  • Bundled web server for Mac OS X, MS Windows and Linux allowing for rapid and easy installation.
  • Ability to integrate with other/existing web servers such as Apache or IIS.
  • Options for authentication methods (e.g., htaccess).
  • Options for encryption schemes using symmetric ciphers (IDEA, DES3, Blowfish, Rijndael (aka AES)).
  • Public/Private key encryption using RSA or DSA.

In short, never email a password again, email a link!  Magpie is both highly secure and a pleasure to use!  Future enhancements are also planned including the ability to store file attachments (great for server/client keys and similar).

To find out more about Magpie visit the Official Site over at Pismo Software Ltd.