[OPLINTECH] Policies on how to store passwords

Joe Dusenbery joe at muskingumlibrary.org
Thu Oct 8 15:34:14 EDT 2020


I'll add another positive comment for KeePass as an encrypted password
manager. I have my own personal database for my own credentials and we have
a shared database for shared credentials within my I.T. team. We are
also saving it within Google Drive which makes it super easy to share among
the team. I also use the Android app when I need a password while on the
go. We have not tried any sort of system-wide implementation for all
employees. There are only a handful of people using it, but it works pretty
well.

As far as an official password policy, we do not have one that is specific
for passwords. The best we have is these few lines within our Computer
Network and Internet Acceptable Use Policy:

*Passwords may not be shared or transferred. If an employee suspects that a
password is not secure, he or she must inform the Executive Director or IT
Director immediately. Any improper use of your account, even if you are not
the user, is your responsibility.*


Some of our departments also had similar MS Word documentation with
passwords for shared credentials as well (we also cannot fully eliminate
shared credentials). I have managed to get all passwords removed from
documentation and I have also done my best to stop people from sending
email messages with passwords. But we don't have anything that specifically
forbids writing passwords down. Similarly, all I have is "Joe says you
should/shouldn't do this" sort of a thing.

Thanks,
Joe

Joseph R. Dusenbery, MISST
IT Director
Muskingum County Library System
220 N 5th Street
Zanesville OH 43701
740.453.0391, ext. 152
muskingumlibrary.org
<http://muskingumlibrary.org/>


On Thu, Oct 8, 2020 at 2:47 PM Chad Neeper via OPLINTECH <
oplintech at lists.oplin.org> wrote:

> I'm not going to comment on an individual library's password policy. But
> I'd like to mention KeePass (and its compatible derivatives) as a free,
> open source, cross platform, and widely supported password manager
> database. I started off with KeePass on Windows many years ago and when I
> transitioned to GNU/Linux, I switched to KeePassXC, which is very similar
> to the Windows-based KeePass and uses the same database. I also use an
> Android app on my phone that uses the same encrypted database (stored on
> Google Drive and synced between my GNU/Linux distro and my phone). Being
> one of the top four password managers (at least as of 2017, according to
> Wikipedia), I have no problems suggesting use of KeePass for securely
> storing passwords.
>
> As a nod towards your needs, the KeePass database is stored on a local
> file system rather than the cloud. So as long as your frontend has R/W
> access to the file system, you should be able to open a shared database
> file for shared passwords. I just happen to use Google Drive between my
> phone and computer because I use an Android phone and it's native. But a
> shared network drive should work for staff computers. YMMV, depending on
> your own needs/situation. But it might be worth a look.
>
> ______________________________
> *Chad Neeper*
> Senior Systems Engineer
>
> *Level 9 Networks*
> 740-548-8070 (voice)
> 866-214-6607 (fax)
>
> *Full IT/Computer consulting services -- Specialized in public libraries*
>
>
> On Thu, Oct 8, 2020 at 1:56 PM Phil Shirley via OPLINTECH <
> oplintech at lists.oplin.org> wrote:
>
>> Does your library have a policy about the proper way (and unacceptable
>> ways) to store passwords? Do you know of any such policy from OLC or some
>> other library organization?
>>
>> I've seen frameworks for developing your own security policies, but I'd
>> like something quick and easy, to be able to say "so and so library does
>> this or that."
>>
>> Something that was on my list for this year was to develop security
>> policies like this and get them officially approved so that I could enforce
>> them easily. Obviously, plans for 2020 changed. In the absence of a policy
>> like that, I'd like to have something more than "Phil says you
>> should/shouldn't do this" for issues beyond taping your password to your
>> monitor or hiding it under the keyboard.
>>
>> The main issue is passwords for shared accounts, which I of course try to
>> minimize but can't completely eliminate. At least one department has
>> passwords in their printed manual, which of course means they're saved in a
>> Word document somewhere (unencrypted I'm sure), and some departments are
>> moving their documentation to our Google-based intranet.
>>
>> I plan to suggest that staff use a password manager. I would love to have
>> a subscription to a business-level one where things could be managed
>> centrally, including pushing out changes to shared passwords, and I see
>> that TechSoup now has Dashlane Business, but I think I'll have to settle
>> for free, individual subscriptions, which would still be a lot better than
>> nothing. So far I've only found one library that pays for a business-level
>> password manager.
>>
>> I would appreciate any thoughts you have about any of this.
>>
>> Phil
>>
>> *Phil Shirley*
>> *IT Manager*
>> *Cuyahoga Falls Library*
>> *p.* 330.928.2117 x109 *e.* pshirley at cuyahogafallslibrary.org
>> *w.* cuyahogafallslibrary.org <http://www.cuyahogafallslibrary.org/>
>> *a.* 2015 Third Street, Cuyahoga Falls, OH 44221
>>
>> <https://www.facebook.com/fallslibrary/>
>> <https://twitter.com/FallsLibrary>
>> <https://www.instagram.com/fallslibrary/>
>> _______________________________________________
>> OPLINTECH mailing list
>> OPLINTECH at lists.oplin.org
>> http://lists.oplin.org/mailman/listinfo/oplintech
>>
>> *** *** Wondering if your library's website measures up to current best
>> practices in web design?   https://oplin.ohio.gov/services/audits  ***
>> ***
>>