<div dir="ltr">I'll add another positive comment for KeePass as an encrypted password manager. I have my own personal database for my own credentials and we have a shared database for shared credentials within my I.T. team. We are also saving it within Google Drive which makes it super easy to share among the team. I also use the Android app when I need a password while on the go. We have not tried any sort of system-wide implementation for all employees. There are only a handful of people using it, but it works pretty well. <div><br></div><div>As far as an official password policy, we do not have one that is specific for passwords. The best we have is these few lines within our Computer Network and Internet Acceptable Use Policy:</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><i>Passwords may not be shared or transferred. If an employee suspects that a password is not secure, he or she must inform the Executive Director or IT Director immediately. Any improper use of your account, even if you are not the user, is your responsibility.</i></div></blockquote><div><br></div><div>Some of our departments also had similar MS Word documentation with passwords for shared credentials as well (we also cannot fully eliminate shared credentials). I have managed to get all passwords removed from documentation and I have also done my best to stop people from sending email messages with passwords. But we don't have anything that specifically forbids writing passwords down. Similarly, all I have is "Joe says you should/shouldn't do this" sort of a thing. 
<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div style="font-size:12.8px"><div style="font-size:small"><br></div><div style="font-size:small">Thanks,</div><div style="font-size:small">Joe</div></div><div style="font-size:12.8px"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8px"><br></div></div></div></div></div></div></div></div></div></div></div><div style="font-size:12.8px">Joseph R. Dusenbery, MISST</div><div style="font-size:12.8px"><span style="font-size:12.8px">IT Director</span></div><div style="font-size:12.8px">Muskingum County Library System</div><div style="font-size:12.8px">220 N 5th Street</div><div style="font-size:12.8px">Zanesville OH 43701</div><div style="font-size:12.8px">740.453.0391, ext. 
152</div></div><div style="font-size:12.8px"><a href="http://muskingumlibrary.org" target="_blank">muskingumlibrary.org</a></div><div style="font-size:12.8px"><a href="http://muskingumlibrary.org/" style="color:rgb(17,85,204);font-size:12.8px" target="_blank"><img src="http://muskingumlibrary.org/wp-content/uploads/2017/09/MuskingumCountyLibrary-Logo-email-v2.jpg"></a><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 8, 2020 at 2:47 PM Chad Neeper via OPLINTECH <<a href="mailto:oplintech@lists.oplin.org">oplintech@lists.oplin.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I'm not going to comment on an individual library's password policy. But I'd like to mention Keepass (and its compatible derivatives) as a free, open source, cross platform, and widely supported password manager database. I started off with Keepass on Windows many years ago and when I transitioned to GNU/Linux, I switched to KeepassXC, which is very similar to the Windows based Keepass and uses the same database. I also use an Android app on my phone that uses the same encrypted database (stored on Google Drive and synced between my GNU/Linux distro and my phone). Being one of the top four password managers (at least as of 2017, according to Wikipedia), I have no problems suggesting use of Keepass for securely storing passwords.<div><div><br></div><div>As a nod towards your needs, the Keepass database is stored on a local file system rather than the cloud. So as long as your frontend has R/W access to the file system, you should be able to open a shared database file for shared passwords. I just happen to use Google Drive between my phone and computer because I use an android phone and it's native. 
But a shared network drive should work for staff computers. YMMV, depending on your own needs/situation. But it might be worth a look.</div><div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div>______________________________<br><b>Chad Neeper</b><br><font size="1">Senior Systems Engineer</font><br><br><b>Level 9 Networks</b><br><font size="1">740-548-8070 (voice)<br>866-214-6607 (fax)</font><br><br><font size="1"><i>Full IT/Computer consulting services -- Specialized in public libraries</i></font><br></div></div></div></div></div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 8, 2020 at 1:56 PM Phil Shirley via OPLINTECH <<a href="mailto:oplintech@lists.oplin.org" target="_blank">oplintech@lists.oplin.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Does your library have a policy about the proper way (and
unacceptable ways) to store passwords? Do you know of any such
policy from OLC or some other library organization?</p>
<p>I've seen frameworks for developing your own security policies,
but I'd like something quick and easy, to be able to say "so and
so library does this or that."<br>
</p>
<p>Something that was on my list for this year was to develop
security policies like this and get them officially approved so
that I could enforce them easily. Obviously, plans for 2020
changed. In the absence of a policy like that, I'd like to have
something more than "Phil says you should/shouldn't do this" for
issues beyond taping your password to your monitor or hiding it
under the keyboard.</p>
<p>The main issue is passwords for shared accounts, which I of
course try to minimize but can't completely eliminate. At least
one department has passwords in their printed manual, which of
course means they're saved in a Word document somewhere
(unencrypted I'm sure), and some departments are moving their
documentation to our Google-based intranet.</p>
<p>I plan to suggest that staff use a password manager. I would love
to have a subscription to a business-level one where things could
be managed centrally, including pushing out changes to shared
passwords, and I see that TechSoup now has Dashlane Business, but
I think I'll have to settle for free, individual subscriptions,
which would still be a lot better than nothing. So far I've only
found one library that pays for a business-level password manager.<br>
</p>
<p>I would appreciate any thoughts you have about any of this.<br>
</p>
<p>Phil<br>
</p>
<p class="MsoNormal" style="line-height:115%"><b><span style="font-family:Arial,sans-serif">Phil Shirley</span></b><span style="font-size:10pt;line-height:115%;font-family:Arial,sans-serif"><br>
<i>IT Manager</i><br>
<b>Cuyahoga Falls Library</b></span><span style="font-size:9pt;line-height:115%;font-family:Arial,sans-serif"></span><span style="font-size:10pt;line-height:115%;font-family:Arial,sans-serif"><br>
<b>p.</b> 330.928.2117 x109 <b>e.</b> <a href="mailto:pshirley@cuyahogafallslibrary.org" target="_blank">
<span style="color:windowtext;text-decoration:none">pshirley@cuyahogafallslibrary.org</span></a>
<br>
<b>w. </b><a href="http://www.cuyahogafallslibrary.org/" target="_blank"><span style="color:windowtext;text-decoration:none">cuyahogafallslibrary.org</span></a>
<b>a. </b>2015 Third Street, Cuyahoga Falls, OH 44221</span></p>
</div>
_______________________________________________<br>
OPLINTECH mailing list<br>
<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.org</a><br>
<a href="http://lists.oplin.org/mailman/listinfo/oplintech" rel="noreferrer" target="_blank">http://lists.oplin.org/mailman/listinfo/oplintech</a><br>
<br>
*** *** Wondering if your library's website measures up to current best practices in web design? <a href="https://oplin.ohio.gov/services/audits" rel="noreferrer" target="_blank">https://oplin.ohio.gov/services/audits</a> *** ***<br>
</blockquote></div>
</blockquote></div>