    LastPass password sharing

    • T
      technobabble
      last edited by

      Last quarter I moved away from various unsecure means of keeping track of passwords for myself, my business and my clients.

      I added secure inc to my Outlook to send passwords securely as well as using LastPass to hold all my passwords.

      Some clients don't want to have to sign up for LastPass to receive their password and I don't want to have to share passwords via the phone because that is annoying when it doesn't work for them because they wrote it down wrong 10 times.

      So I found that I could share passwords via LastPass and choose if they get to see the password or not. I am considering keeping all my clients' information there and each website user login and webmail/email password will be shared with each separate user. This will help keep me sane and maybe they will not feel the need to write down the password.

      Any flaws in this plan?

      1 Reply Last reply Reply Quote 0
      • D
        Dashrender
        last edited by Dashrender

        Say what now? You want to have access to all of your clients' users' passwords just to make your life easier?

        So, let's say you wake up one day and decide to go rogue, or worse, your computer becomes infected with a keylogger and someone steals your LastPass password - now that person can use any one of your clients' accounts to do whatever they want.

        I can understand the desire to make life easier for IT by knowing everyone's password, but this just seems unwise.
        And if you're a consultant, you should be able to bill for the time you spend resetting passwords. If a client is getting upset that they are paying you too much to reset passwords, perhaps they need to look at their employees and what they can do to resolve the real problem - them, and their inability to recall passwords, etc.

        1 Reply Last reply Reply Quote 1
        • T
          technobabble
          last edited by

          Good points, I'll have to see what else I can come up with. I will say smaller shops with 1-10 users can be an exasperating bunch to try and support.

          1 Reply Last reply Reply Quote 1
          • T
            technobabble
            last edited by

            Ok... so instead of sharing a LastPass account, perhaps each client should set up an account.

            Side note question:
            If the person's workstation is compromised will it matter if you send a password in secure email?

            D 1 Reply Last reply Reply Quote 0
            • D
              Dashrender @technobabble
              last edited by

              @technobabble said:

              Side note question:
              If the person's workstation is compromised will it matter if you send a password in secure email?

              Probably not, I guess it would depend more on what the compromise is doing, screen captures, keylogging, etc. For example, if it was only doing keylogging, and the user never typed the password they received in the secure email, I guess the hackers wouldn't get it... but how likely is that?

              T 1 Reply Last reply Reply Quote 0
              • N
                Nic
                last edited by

                Why would they not want to sign up for LastPass? Maybe make that a condition of you helping them.

                1 Reply Last reply Reply Quote 0
                • N
                  Nic
                  last edited by

                  The other idea is to not send them passwords, because you have no plausible deniability on knowing their password. Just make them go through the "reset password" process to set up their own.

                  C 1 Reply Last reply Reply Quote 0
                  • C
                    coliver @Nic
                    last edited by

                    @Nic said:

                    The other idea is to not send them passwords, because you have no plausible deniability on knowing their password. Just make them go through the "reset password" process to set up their own.

                    This is the best option. Then make an admin account if you need to and reset their password in the event you need access.

                    1 Reply Last reply Reply Quote 0
                    • G
                      gjacobse
                      last edited by

                      As a general rule... I do not want to know ANYONE's password. Even though I am an agent of my agency - it makes ME liable. I don't want that.

                      Forget your password, fine - I'll reset it... or force it. But you have to come up with a new one. And the way passwords are done around here is crazy.

                      There are SOME I must know, but they are to a device: printer, firewall, admin, etc.
                      I don't want any user passwords... I can hardly remember my own sometimes...

                      1 Reply Last reply Reply Quote 0
                      • D
                        Dashrender
                        last edited by

                        Now I'm really confused - what systems are these users forgetting their passwords to? I realize that LastPass pretty much only works for websites - so yeah, assuming the customer wants you to be the primary IT point of contact for their webapps/websites, then absolutely you should have your own logon and password, and assuming their system allows it (think Office 365 as an example) you can manage passwords as needed.

                        T 1 Reply Last reply Reply Quote 0
                        • N
                          Nic
                          last edited by

                          You can still store passwords in LastPass for other things and just go in there to copy the password to paste it into any other application.

                          1 Reply Last reply Reply Quote 0
                          • T
                            technobabble @Dashrender
                            last edited by

                            @Dashrender I have this happen a lot with clients. Their email is hacked with a strong password I create, I send them a new one and the next day the hack starts again. They clean the PC of Malware and magically the hack stops.

                            I guess if it's a keylogger it can't read your screen, LOL.

                            1 Reply Last reply Reply Quote 0
                            • T
                              technobabble @Dashrender
                              last edited by

                              @Dashrender We build websites and offer hosting services, which means we set up the email accounts and such... which means creating passwords for users.

                              D 1 Reply Last reply Reply Quote 0
                              • D
                                Dashrender
                                last edited by

                                Why are you creating passwords instead of there being a self-service portal to change passwords? It seems really insecure that you and others have access to customers' passwords.

                                1 Reply Last reply Reply Quote 2
                                • S
                                  scottalanmiller
                                  last edited by

                                  I was wondering why you needed their passwords too. I've not had any hosting service that needed my passwords in a very long time.

                                  1 Reply Last reply Reply Quote 1
                                  • D
                                    Dashrender @technobabble
                                    last edited by

                                    @technobabble said:

                                    @Dashrender We build websites and offer hosting services, which means we set up the email accounts and such... which means creating passwords for users.

                                    Perhaps you meant that you only create the first password, and then when they forget you have to create a new one for them... though I would think a password reset portal would be a safer option.

                                    T 1 Reply Last reply Reply Quote 1
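The self-service reset that several replies recommend, sketched as an added example (not code from this thread, from cPanel or from LastPass): support staff can trigger a reset, but only the user ever holds the token or chooses the password. `ResetPortal`, `TOKEN_TTL`, the 15-minute lifetime and the in-memory stores are hypothetical names and assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: a reset token is valid for 15 minutes


def _kdf(password, salt):
    # Slow salted hash, so the stored value does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class ResetPortal:
    """Hypothetical in-memory portal; names and storage are illustrative."""

    def __init__(self):
        self.pending = {}    # user -> (SHA-256 of token, expiry timestamp)
        self.pw_hashes = {}  # user -> (salt, derived key)

    def issue_token(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[user] = (digest, now + TOKEN_TTL)  # replaces older token
        return token  # delivered to the user's registered contact only

    def redeem(self, user, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)  # single use, even on failure
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        salt = secrets.token_bytes(16)
        self.pw_hashes[user] = (salt, _kdf(new_password, salt))
        return True

    def check_password(self, user, password):
        if user not in self.pw_hashes:
            return False
        salt, stored = self.pw_hashes[user]
        return hmac.compare_digest(stored, _kdf(password, salt))
```

Because only a hash of the token and a salted hash of the password are stored, neither the person who triggered the reset nor anyone reading the store can recover the user's credential.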
                                    • T
                                      technobabble @Dashrender
                                      last edited by

                                      @Dashrender That is correct.

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        Carnival Boy
                                        last edited by

                                        Won't they need a password to access LastPass or am I missing something?

                                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                                        • JaredBuschJ
                                          JaredBusch @Carnival Boy
                                          last edited by

                                          @Carnival-Boy said:

                                          Won't they need a password to access LastPass or am I missing something?

                                          Yes.

                                          LastPass sharing is completely not for this.

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            technobabble
                                            last edited by

                                            We use WHM/cPanel for our hosting. At the moment, you can't change your own password unless you know the original (useless for those who forgot the password). According to cPanel support, they will be adding it soon.

                                            D 1 Reply Last reply Reply Quote 0