LastPass password sharing
-
Last quarter I moved away from various unsecure means of keeping track of passwords for myself, my business and my clients.
I added secure inc to my Outlook to send passwords securely as well as using LastPass to hold all my passwords.
Some clients don't want to have to signup for LastPass to receive their password and I don't want to have to share passwords via the phone because that is annoying when it doesn't work for them because they wrote it down wrong 10 times.
So I found that I could share passwords via LastPass and choose if they get to see the password or not. I am considering keeping all my client's information there and each website user login and webmail/email password will be shared with each separate user. This will help keep me sane and maybe they will not feel the need to write down the password.
Any flaws in this plan?
-
Say what now? You want to have access to all of your clients user's passwords just to make your life easier?
So, let's say you wake up one day and decide to go rough, or worse, your computer becomes infected with a keylogger and someone steals your lastpass password - now that person can use anyone of your clients accounts to do whatever they want.
I can understand the desire to make life easier for IT by knowing everyone's password, but this just seems unwise.
And if you're a consultant, you should be able to bill for the time you spend resetting passwords. If an client is getting upset that they are paying you to much to reset passwords, perhaps they need to look at their employees and what they can do to resolve the real problem - them, and their inability to recall passwords, etc. -
Good points, I'll have to see what else I can come up with. I will say smaller shops with 1-10 user can be exaperating bunch to try and support.
-
Ok...so instead of sharing a LastPass account, perhaps each client should setup an account.
Side note question:
If the person's workstation is compromised will it matter if you send a password in secure email? -
@technobabble said:
Side note question:
If the person's workstation is compromised will it matter if you send a password in secure email?probably not, I guess it would depend more on what the compromise is doing, screen captures, keylogging, etc. For example, if it was only doing keylogging, and the user never typed the password they received in the secure email, I guess the hackers wouldn't get it.. .but how likely is that?
-
Why would they not want to sign up for LastPass? Maybe make that a condition of you helping them.
-
The other idea is to not send them passwords, because you have no plausible deniability on knowing their password. Just make them go through the "reset password" process to setup their own.
-
@Nic said:
The other idea is to not send them passwords, because you have no plausible deniability on knowing their password. Just make them go through the "reset password" process to setup their own.
This is the best option. Then make an admin account if you need to and reset their password in the event you need access.
-
As a generally rule,... I do not want to know ANYONE's password. Even though I am an agent of my agency - it makes ME liable. I don't want that.
Forget your password, fine - I'll reset it,.. or force it. But you have to come up with a new one. And the way passwords are around here done is crazy..
There are SOME I must know. but they are to a device; printer, firewall, admin, etc.
I don't want any user passwords...I can hardly remember my own sometimes.... -
Now I'm really confused - what systems are these uses forgetting their passwords to? I realize that Lastpass pretty much only works for websites - so yeah, assuming the customer wants you to be the primary IT point of contact for their webapps/websites, then absolutely you should have your own logon and password, and assuming their system allows it (think Office 365 as an example) you can manage passwords as needed).
-
You can still store passwords in LastPass for other things and just go in there to copy the password to paste it into any other application.
-
@Dashrender I have this happen a lot with clients. Their email is hacked with a strong password I create, I send them a new one and the next day the hack starts again. They clean the PC of Malware and magically the hack stops.
I guess if its a keylogger it can't read your screen, LOL.
-
@Dashrender We build websites and offer hosting services, which means we setup the email accounts and such....which means creating passwords for users.
-
Why are you creating passwords instead of their being a self service portal yo change passwords? It seems really insecure that you and others have access to customers passwords.
-
I was wondering why you needed their passwords too. I've not had any hosting service that needed my passwords in a very long time.
-
@technobabble said:
@Dashrender We build websites and offer hosting services, which means we setup the email accounts and such....which means creating passwords for users.
Perhaps you meant that you only create the first password, and then when they forget you have to create a new one for them.. though I would think a password reset portal would be a safer option.
-
@Dashrender That is correct.
-
Won't they need a password to access LastPass or am I missing something?
-
@Carnival-Boy said:
Won't they need a password to access LastPass or am I missing something?
Yes.
LastPass sharing is completely not for this.
-
We use WHM/cPanel for our hosting. At the moment, you can't change your own password unless you know the original (useless for those who forgot the password). According to cPanel support, they will be adding it soon.
