Using Secret Server
I’ve read about Secret Server before and I thought it would be a good idea to start using it to keep track of passwords that I’ve got. You don’t realize how many passwords you have until you write them all down; there’s a bunch!
So, I installed Secret Server on my home server, but before I did that, I wanted to make sure that all my security was in order. Putting all my logins and passwords on a web site just doesn’t feel right, so one thing that I really wanted to do was to enable SSL for the site; this seems like an obvious one.
I didn’t want to buy a certificate from VeriSign just to enable SSL on my personal site that nobody else would ever use, so I did some research about issuing your own certificate. A coworker pointed me to this link that shows how to use MakeCert.exe, which comes in the .NET Framework SDK, to generate your own certificate. This worked great; I assigned the certificate to my site and it was all set!
I’m still nervous about having all my passwords in one location, it’s kind of scary, but I feel like it’s got the proper security around it. One thing that surprised me about Secret Server is that they display your password in clear text when you view it. I would have thought they would generate an image on the fly with the text of your password, like a CAPTCHA image, just so it’s not being sent over the internet in clear text. Enabling SSL solved this problem for me.
One of the benefits of storing your passwords is that it allows you to not reuse passwords, as I’m sure most people do. Now you can have a unique password for each site and not have to worry about remembering several weird passwords.
Rett said,
Wrote on September 18, 2006 @ 10:11 pm
Good idea, I’ve thought about having a central place to store passwords for a while, but instead they’re scribbled in several different notebooks (and one post-it) at work and home. The funny thing is that sometimes I write them in especially poor handwriting in the thought that if someone were to find it they wouldn’t be able to read it. This has backfired a couple times where I couldn’t read it myself.
This just seems like a web 2.0 site/service just waiting to be created. Would you trust your passwords anywhere except on your own server?
ben said,
Wrote on September 18, 2006 @ 10:22 pm
No way, I’m paranoid as it is with my own security of my own server. I think I’m good with the fact that I’ve got SSL enabled and the web address isn’t published, but it’s just scary knowing that if someone had my password to Secret Server they could get it all, ya know?
Dan said,
Wrote on September 20, 2006 @ 4:01 am
I use a bookmarklet which takes a master password, and the domain of your current site and makes a password out of that:
http://gfxmonk.sysprosoft.com/2005/05/password-generator-bookmarket-v2.html
There are others around too; you can follow the links on that page to other versions if you don’t like that one.
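A sketch of the derivation Dan's comment describes (master password plus site domain in, site password out), as an added example that is not part of the original comment and not the linked bookmarklet's code. PBKDF2-HMAC-SHA256, the iteration count, the `counter` option and the function names are assumptions made for illustration.

```javascript
// Added example, not the linked bookmarklet's code. PBKDF2-HMAC-SHA256 and
// the iteration count are assumptions chosen for this sketch.
const { pbkdf2Sync } = require('node:crypto');

// 64 symbols, so (byte & 63) picks each one with equal probability.
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const ITERATIONS = 200000; // slows offline guessing of the master password

// Reduce a URL or host name to the label used as salt. Stripping "www." is a
// simplification; a real tool would use the Public Suffix List.
function siteLabel(urlOrHost) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(urlOrHost)
    ? urlOrHost
    : `https://${urlOrHost}`;
  const host = new URL(withScheme).hostname.toLowerCase();
  return host.replace(/^www\./, '');
}

// Same inputs always give the same password, so nothing has to be stored.
// `counter` lets one site's password be rotated without changing the master.
function derivePassword(master, urlOrHost, { length = 16, counter = 1 } = {}) {
  if (typeof master !== 'string' || master.length === 0) {
    throw new Error('master password must be a non-empty string');
  }
  if (!Number.isInteger(length) || length < 8 || length > 64) {
    throw new RangeError('length must be an integer from 8 to 64');
  }
  const salt = `${siteLabel(urlOrHost)}#${counter}`;
  const bytes = pbkdf2Sync(master, salt, ITERATIONS, length, 'sha256');
  return Array.from(bytes, (b) => ALPHABET[b & 63]).join('');
}

// Constructed sample inputs.
const master = 'correct horse battery staple';
for (const site of ['https://www.example.com/login', 'router.home.example']) {
  console.log(siteLabel(site), derivePassword(master, site));
}
```

Every derived password depends on the one master password, so its strength bounds the strength of all of them.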
Josh said,
Wrote on September 20, 2006 @ 9:36 am
Now I know how I will be spending my time at Rett’s upcoming party. Taking pictures of his crude password collection for personal gain. For the record I remember my usernames and passwords with the “forgot password?” link on the site I am trying to use. Good system.
ben said,
Wrote on September 20, 2006 @ 1:11 pm
Dan, I have seen that bookmarklet and that’s also a good idea, especially cause then you still only need one password, but the rest of them are never stored anywhere, but I still like using Secret Server for other things than web passwords, like domain passwords, routers, etc.
Josh, good call with the ‘forgot password’ link, that works too
Hopefully you can get Rett’s porn site passwords this weekend, let me know what you get
Rett said,
Wrote on September 20, 2006 @ 10:51 pm
Note to self, put baby gate up in computer room doorway, this will stop Josh from snooping around.
Jonathan Cogley said,
Wrote on January 17, 2007 @ 8:37 am
Glad to hear you like the product!
If you have any suggestions for new features - please be sure to send them along. ** support at thycotic dot com **
BTW - I love the text based CAPTCHA mechanism on your blog comments!
ben said,
Wrote on January 17, 2007 @ 9:13 pm
Jonathan, I can’t take credit for the rudimentary (yet effective) CAPTCHA test, I got the idea from Jeremy Zawodny. It’s amazingly effective because no spam bot is really designed to enter a specific word into a textbox, yet humans can pass the test easily.
The best part is, even if every blogger did this, it would still be very hard to make a bot that could beat it.