[OPLINTECH] Policies on how to store passwords

Chad Neeper cneeper at level9networks.com
Thu Oct 8 14:47:15 EDT 2020


I'm not going to comment on an individual library's password policy. But
I'd like to mention KeePass (and its compatible derivatives) as a free,
open source, cross-platform, and widely supported password manager
database. I started off with KeePass on Windows many years ago and when I
transitioned to GNU/Linux, I switched to KeePassXC, which is very similar
to the Windows-based KeePass and uses the same database. I also use an
Android app on my phone that uses the same encrypted database (stored on
Google Drive and synced between my GNU/Linux distro and my phone). Being
one of the top four password managers (at least as of 2017, according to
Wikipedia), I have no problems suggesting use of KeePass for securely
storing passwords.

As a nod towards your needs, the KeePass database is stored on a local file
system rather than the cloud. So as long as your frontend has R/W access to
the file system, you should be able to open a shared database file for
shared passwords. I just happen to use Google Drive between my phone and
computer because I use an Android phone and it's native. But a shared
network drive should work for staff computers. YMMV, depending on your own
needs/situation. But it might be worth a look.

______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full IT/Computer consulting services -- Specialized in public libraries*


On Thu, Oct 8, 2020 at 1:56 PM Phil Shirley via OPLINTECH <
oplintech at lists.oplin.org> wrote:

> Does your library have a policy about the proper way (and unacceptable
> ways) to store passwords? Do you know of any such policy from OLC or some
> other library organization?
>
> I've seen frameworks for developing your own security policies, but I'd
> like something quick and easy, to be able to say "so and so library does
> this or that."
>
> Something that was on my list for this year was to develop security
> policies like this and get them officially approved so that I could enforce
> them easily. Obviously, plans for 2020 changed. In the absence of a policy
> like that, I'd like to have something more than "Phil says you
> should/shouldn't do this" for issues beyond taping your password to your
> monitor or hiding it under the keyboard.
>
> The main issue is passwords for shared accounts, which I of course try to
> minimize but can't completely eliminate. At least one department has
> passwords in their printed manual, which of course means they're saved in a
> Word document somewhere (unencrypted I'm sure), and some departments are
> moving their documentation to our Google-based intranet.
>
> I plan to suggest that staff use a password manager. I would love to have
> a subscription to a business-level one where things could be managed
> centrally, including pushing out changes to shared passwords, and I see
> that TechSoup now has Dashlane Business, but I think I'll have to settle
> for free, individual subscriptions, which would still be a lot better than
> nothing. So far I've only found one library that pays for a business-level
> password manager.
>
> I would appreciate any thoughts you have about any of this.
>
> Phil
>
> *Phil Shirley*
> *IT Manager*
> *Cuyahoga Falls Library*
> *p.* 330.928.2117 x109 *e.* pshirley at cuyahogafallslibrary.org
> *w.* cuyahogafallslibrary.org <http://www.cuyahogafallslibrary.org/> *a.* 2015
> Third Street, Cuyahoga Falls, OH 44221
>