Re: [CODE4LIB] Database passwords
KeePassXC (a cross-platform, community-updated fork of KeePass) has a shared entry feature that natively allows credential sharing between users: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_database_sharing_with_keeshare

It can also handle time-based one-time password generation for 2FA a la Google Authenticator/Authy. However, a reasonable threat model would have one store account credentials in a different database than TOTPs to avoid a single point of failure.

Best,

Andrew Ward (he/him/his)
Digital Services Librarian
Troy Public Library

On Tue, Oct 12, 2021 at 2:41 PM Bigwood, David wrote:

> We use KeePass on a shared drive. It's free and stores the encrypted
> passwords. It doesn't paste them into the login forms or even generate
> hard-to-crack passwords. It's free and meets our minimum needs. IT decided
> this is what we needed.
>
> David Bigwood (he,him,his)
> dbigw...@lpi.usra.edu
> Planetary Image Facility, Library
> Lunar and Planetary Institute
>
> -Original Message-
> From: Code for Libraries On Behalf Of Emily Lynema
> Sent: Monday, October 11, 2021 1:24 PM
> To: CODE4LIB@LISTS.CLIR.ORG
> Subject: [CODE4LIB] Database passwords
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
> Message Below
>
> I'm curious to survey the community -- has anyone found a way to store
> database administration passwords used by technical services staff that is
> both user-friendly and secure? For example: the passwords to configure NC
> State's various OCLC resources / services / databases.
>
> Feel free to message me directly if you're not comfortable sharing on-list.
>
> thanks!
>
> --
> Emily Lynema
> Head, Information Technology
> North Carolina State University Libraries
> 919-513-8031
> ejlyn...@ncsu.edu
Re: [CODE4LIB] Database passwords
We use KeePass on a shared drive. It's free and stores the encrypted passwords. It doesn't paste them into the login forms or even generate hard-to-crack passwords. It's free and meets our minimum needs. IT decided this is what we needed.

David Bigwood (he,him,his)
dbigw...@lpi.usra.edu
Planetary Image Facility, Library
Lunar and Planetary Institute

-Original Message-
From: Code for Libraries On Behalf Of Emily Lynema
Sent: Monday, October 11, 2021 1:24 PM
To: CODE4LIB@LISTS.CLIR.ORG
Subject: [CODE4LIB] Database passwords

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Message Below

I'm curious to survey the community -- has anyone found a way to store database administration passwords used by technical services staff that is both user-friendly and secure? For example: the passwords to configure NC State's various OCLC resources / services / databases.

Feel free to message me directly if you're not comfortable sharing on-list.

thanks!

--
Emily Lynema
Head, Information Technology
North Carolina State University Libraries
919-513-8031
ejlyn...@ncsu.edu
Re: [CODE4LIB] Database passwords
Not directly answering the initial question but one wrinkle you'll want to consider is that more and more vendors require two-factor authentication in addition to the username/password. So if you want multiple staff to have access to the vendor account, then they also need access to e.g. a shared email box that you use as the database account email address. Some but not all vendors will agree to turn off 2FA for your account if you decide the burden of it isn't worth the security benefit.

(The same issue of email access applies to password resets, though at least that's not needed every time you log in.)

Deborah

-Original Message-
From: Code for Libraries On Behalf Of Geoffrey Spear
Sent: Tuesday, 12 October 2021 8:57 AM
To: CODE4LIB@LISTS.CLIR.ORG
Subject: Re: [CODE4LIB] Database passwords

Caution: This email originated from outside our organisation. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Emily,

We're using a shared folder in LastPass Enterprise (licensed for our entire institution; the library didn't adopt it alone as a solution to this problem, and I have no idea if it would be remotely cost-effective to do so...) at the moment.

Before our migration to Alma, we had a homegrown ERM system where we stored all of the credentials. In theory it could have hidden the credentials from users with a lower level of privileges but in practice the only users of the ERM system were the same people who needed to share the passwords.

Before creating the ERM system, we had an Excel spreadsheet on a Novell shared drive.

On Mon, Oct 11, 2021 at 2:25 PM Emily Lynema wrote:

> I'm curious to survey the community -- has anyone found a way to store
> database administration passwords used by technical services staff
> that is both user-friendly and secure? For example: the passwords to
> configure NC State's various OCLC resources / services / databases.
>
> Feel free to message me directly if you're not comfortable sharing on-list.
>
> thanks!
>
> --
> Emily Lynema
> Head, Information Technology
> North Carolina State University Libraries
> 919-513-8031
> ejlyn...@ncsu.edu
Re: [CODE4LIB] Database passwords
Emily,

We're using a shared folder in LastPass Enterprise (licensed for our entire institution; the library didn't adopt it alone as a solution to this problem, and I have no idea if it would be remotely cost-effective to do so...) at the moment.

Before our migration to Alma, we had a homegrown ERM system where we stored all of the credentials. In theory it could have hidden the credentials from users with a lower level of privileges but in practice the only users of the ERM system were the same people who needed to share the passwords.

Before creating the ERM system, we had an Excel spreadsheet on a Novell shared drive.

On Mon, Oct 11, 2021 at 2:25 PM Emily Lynema wrote:

> I'm curious to survey the community -- has anyone found a way to store
> database administration passwords used by technical services staff that is
> both user-friendly and secure? For example: the passwords to configure NC
> State's various OCLC resources / services / databases.
>
> Feel free to message me directly if you're not comfortable sharing on-list.
>
> thanks!
>
> --
> Emily Lynema
> Head, Information Technology
> North Carolina State University Libraries
> 919-513-8031
> ejlyn...@ncsu.edu
Re: [CODE4LIB] Database passwords
On Oct 11, 2021, at 2:24 PM, Emily Lynema wrote:

> I'm curious to survey the community -- has anyone found a way to store
> database administration passwords used by technical services staff that is
> both user-friendly and secure? For example: the passwords to configure NC
> State's various OCLC resources / services / databases.
>
> --
> Emily Lynema
> Head, Information Technology
> North Carolina State University Libraries
> 919-513-8031

A possible way to save secrets such as usernames and passwords is to save them as environment variables. This way there are only two different people who can read them: 1) the superuser of the computer, and 2) the person themselves. From the command line, a person can then issue commands like the following to get the username/password combination:

  $ echo $OCLCUSERNAME
  $ echo $OCLCPASSWORD

This technique also provides opportunities for automatic login or the completion of RESTful queries. This technique will work in just about any computer environment: Macintosh, Windows, Linux.

--
Eric Morgan
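One way a script could consume the variables named in the message above, added here as an example and not part of the original post: it sources them from a file only when group and other have no access, checks that they are set without echoing them, and hands them to curl on stdin rather than on the command line. The function names, the env-file path and the URL are assumptions.

```sh
#!/bin/sh
# Added example. OCLCUSERNAME/OCLCPASSWORD are the variable names from the
# message above; the function names, env-file path and URL are hypothetical.

# Source an env file only if it is a regular file with no group/other access.
load_env_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print octal mode bits.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case $mode in
        *00) . "$f" ;;
        *)   echo "refusing $f: mode $mode is open to group/other" >&2
             return 1 ;;
    esac
}

# Confirm each named variable is set and non-empty without printing its value.
require_env() {
    for name in "$@"; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || { echo "unset or empty: $name" >&2; return 1; }
    done
    unset val
}

# Emit a curl config line so the password is passed on stdin instead of as a
# command-line argument, which other local users may see in process listings.
curl_auth_config() {
    require_env OCLCUSERNAME OCLCPASSWORD || return 1
    # Escape backslash and double quote for curl's quoted config syntax.
    esc=$(printf '%s' "$OCLCUSERNAME:$OCLCPASSWORD" | sed 's/[\\"]/\\&/g')
    printf 'user = "%s"\n' "$esc"
}

# Usage (placeholder path and URL):
#   load_env_file "$HOME/.oclc_env" &&
#       curl_auth_config | curl --config - https://example.org/api
```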
Re: [CODE4LIB] Database passwords
We use a local instance of PassBolt, loaded onto a CentOS 7 virtual server. It allows you to create groups of users and then assign access based on those groups.

https://www.passbolt.com/

You can also assign permissions, share with others, make different users Admin (in case you get hit by a bus so someone else will be able to manage the passwords), etc. If you make it internal to your network (no outside access) and require individual users to log in, you'll find it is pretty secure, and we have been successfully using it for a couple of years now.

Jamen McGranahan
Associate Director of Library Technology & Digital Services
Jean and Alexander Heard Libraries, Vanderbilt University
615-343-1614 | jamen.mcgrana...@vanderbilt.edu
he/his/him

My working day may not be your working day. Please do not feel obliged to reply to this email outside of your normal working hours.

-Original Message-
From: Code for Libraries On Behalf Of Emily Lynema
Sent: Monday, October 11, 2021 1:24 PM
To: CODE4LIB@LISTS.CLIR.ORG
Subject: [CODE4LIB] Database passwords

I'm curious to survey the community -- has anyone found a way to store database administration passwords used by technical services staff that is both user-friendly and secure? For example: the passwords to configure NC State's various OCLC resources / services / databases.

Feel free to message me directly if you're not comfortable sharing on-list.

thanks!

--
Emily Lynema
Head, Information Technology
North Carolina State University Libraries
919-513-8031
ejlyn...@ncsu.edu
Re: [CODE4LIB] Database passwords
Not sure how *secure* this is, Emily, but we store these kinds of logins - also logins to retrieve usage statistics - in the resource records in our ILS. In the case where we have multiple resources from one vendor we designate one resource as the "master" record for say Ebsco or ProQuest.

That means the credentials are visible to other staff but in some ways that is a good thing.

Beth Juhl
Web Services
University of Arkansas Libraries
365 N. McIlroy Ave.
Fayetteville, AR 72701
bj...@uark.edu
she/her/hers

-Original Message-
From: Code for Libraries On Behalf Of Emily Lynema
Sent: Monday, October 11, 2021 1:24 PM
To: CODE4LIB@LISTS.CLIR.ORG
Subject: [CODE4LIB] Database passwords

I'm curious to survey the community -- has anyone found a way to store database administration passwords used by technical services staff that is both user-friendly and secure? For example: the passwords to configure NC State's various OCLC resources / services / databases.

Feel free to message me directly if you're not comfortable sharing on-list.

thanks!

--
Emily Lynema
Head, Information Technology
North Carolina State University Libraries
919-513-8031
ejlyn...@ncsu.edu
[CODE4LIB] Database passwords
I'm curious to survey the community -- has anyone found a way to store database administration passwords used by technical services staff that is both user-friendly and secure? For example: the passwords to configure NC State's various OCLC resources / services / databases.

Feel free to message me directly if you're not comfortable sharing on-list.

thanks!

--
Emily Lynema
Head, Information Technology
North Carolina State University Libraries
919-513-8031
ejlyn...@ncsu.edu