Re: Tracking Passwords or People with Passwords to Critical Systems (Sharon Villines) (Sharon Villines)
From: Jay KapLon (JayKapLon.org)
Date: Tue, 27 Jun 2023 13:57:37 -0700 (PDT)
> From: Sharon Villines <sharon [at] sharonvillines.com>
> Subject: Re: [C-L]_ Tracking Passwords or People with Passwords to Critical 
> Systems (Sharon Villines)
> Date: June 27, 2023 at 10:29:14 AM EDT
> To: Cohousing-L <cohousing-l [at] cohousing.org>
> 
> 
>> On Jun 27, 2023, at 6:37 AM, Jay KapLon <Jay [at] KapLon.org> wrote:
>> Lots of passwords just don’t matter, as you say. But there are plenty that 
>> do. The association’s bank logins, credentials for the domain names, the 
>> ones to your security system, I’m sure a review of the credentials list for 
>> the association could find a number that someone could make a mess of if 
>> breached. But a lot of the ones we share in the password manager are just so 
>> people don’t have to ask all the time…what is the password to this site?
> 
> Thank you very much for the additional information. Where does the password 
> manager live?
> 
> I used to use 1Pass and it would suggest passwords that were a string of 
> unrelated words as well as the gibberish ones. Like cometnethorseropetown.

Either form of password is fine, either random characters or 5 RANDOM words 
like battery-staple-horse-fish-diversity. The dashes are just to make it easier 
for a human to read or tell to someone should you need to read it. Note that 
the key with passwords that are lists of words is that you don’t make them 
yourself, as you won’t be random and will use a smaller list than a password 
manager will, and it really does matter.

> But if one person maintains the password manager how do others get access to 
> it? The most stressful moments have been the weeks when someone wasn’t 
> available to pass on the password for a week.
> 
> Since we host email accounts for anyone who wants one it is particularly 
> crucial that the password for the ISP be available ASAP. The password to the 
> password manager would be just another cog in the wheel.


The password manager ‘lives’ on each person’s devices as well as ‘in the 
cloud’. That is, each member with whom a given password will be shared has the 
password manager installed on their computer, phone, tablet, or wherever they 
may need to log in to the given site or otherwise view the credential. 
(Credentials being username, passwords, and any notes.)

It varies a little by which password manager you use (such as 1Password, 
Bitwarden, LastPass, etc.), but a record is created by one person in their 
‘vault’ within the password manager app. Then they share it within the password 
manager with a list of other users who have installed the same software and 
set up their accounts. The other users then accept the shared record (again 
depending on the password manager) or it just appears in their vault. From that 
point on, anyone in the sharing group can view the password and change it as 
needed and everyone is automatically updated with the latest info in a secure 
way across the internet.

Each user’s individual password manager account is secured with their own 
chosen individual password or even with their fingerprint or face. Thus, in 
your example, anyone who is in the ISP shared password group can open their own 
copy of the password manager on their own device and log in to their password 
manager using their own private password, or again their fingerprint or face, 
and then see the ISP password. Should they do something like reset the 
password, the new one will be captured and updated in the shared record for 
anyone else who looks for it in their own password manager on their device.

The one ‘weak spot’ in password managers is you need to really strongly 
encourage your users to use a good long password for their master password that 
is used to open their own copy of the password manager. That password is what 
keeps all the shared passwords safe, but again using a face or fingerprint 
deals with that issue. (And since each password can be shared with just the 
users who need it, only more trusted people can have the most high-value 
passwords.)

If we get past the point of information useful to All Of Cohousing on these 
list messages, I’m happy to continue by direct email or text.

-Jay

Eastern Village Cohousing
Silver Spring, MD, USA
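
Added example, not part of the message above: a Python sketch of the word-list point, generating a passphrase with the operating system's secure random source and showing how the size of the list the words are drawn from changes its strength. The 16-word sample list is constructed for the demo, 7776 is the size of common dice-based word lists (a given password manager's list may differ), and the 500-word "personal pool" is an assumed figure for words a person would pick themselves.

```python
import math
import secrets

# Constructed sample list for the demo only: far too small for real use.
SAMPLE_WORDS = ["battery", "staple", "horse", "fish", "comet", "rope", "town",
                "net", "window", "garden", "copper", "violin", "meadow",
                "lantern", "pebble", "walnut"]

def passphrase_entropy_bits(list_size, n_words):
    """Bits of entropy when every word is drawn uniformly and independently."""
    if list_size < 2 or n_words < 1:
        raise ValueError("need a list of at least 2 words and at least 1 draw")
    return n_words * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits for a list of this size."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(wordlist, n_words=5, sep="-"):
    """Draw words with the OS CSPRNG (secrets), not random.choice or a human."""
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list too small")
    # Duplicates were removed above so each word is equally likely.
    return sep.join(secrets.choice(unique) for _ in range(n_words))

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    # Sizes below are assumptions: a dice-based list vs. a self-chosen pool.
    for label, size in [("7776-word list", 7776),
                        ("500-word personal pool", 500)]:
        bits = passphrase_entropy_bits(size, 5)
        print(f"{label}: {bits:.1f} bits for 5 words, "
              f"{words_needed(size, 64)} words needed for 64 bits")
```

With these assumed sizes, five words from the large list give about 64.6 bits, while five words from the small pool give about 44.8 bits, and that is before counting the non-random way people choose.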
