
I would like to provide a team of developers a way to share passwords to collect


Question

I would like to provide a team of developers a way to share passwords to collectively used services.

Software requirements:

Since the team is distributed, the passwords should be accessible via web.
I would like to assign roles to the users, so that users with role A can access all the passwords and users with role B can access only some passwords.
I would like to be able to lock any user or change the user's role at any time.
Some meaningful security built into this software application would be nice.
GPL/Apache licensed and other open-source software is preferred (we can self-host).

Could you recommend some online group password storage software according to the requirements?

Explanation / Answer

LastPass should do the trick. It meets all of your sharing needs. There is also an enterprise edition with more coworker/employee login sharing features (but I've never tried that out at all).

Security note #1: While this is secure from external snooping, the person it is shared with can get the password (even if it is hidden, with a little bit of work). So definitely use a unique password for each service (you should do that all the time, but many people don't).

Security note #2: Once shared, although you can unshare the password, you cannot count on it not being known even if set to hidden (due to #1). So to truly unshare you will have to change login credentials. The enterprise edition intro page seems to imply that it is developed to somehow avoid that, but if you read the docs closer it does not actually avoid that at all.

As well it is:

Cross-platform: (Windows, Mac & Linux) and cross-browser compatible (all 5 common browsers)! Also has an Android and iOS app.
Very Secure: LastPass is very secure; of course, generally it is only as secure as your master password. However, you can enable multi-factor authentication (might need premium, I can't remember - since I don't have cell signal usually, I haven't bothered to set that up for anything despite the benefits).
Fairly cheap: Free version available. Premium version is $12/year.

LastPass is also more than just a password app; you can securely (i.e. with encryption) store important documents and notes and credit card/address details as well.

To go over your requirements:

Since the team is distributed, the passwords should be accessible via web: Client-software on each computer. I don't know if it has a web interface - I've never used anything but the client at any rate.
I would like to assign roles to the users, so that users with role A can access all the passwords and users with role B can access only some passwords: With the enterprise edition you can definitely do this.
I would like to be able to lock any user or change the user's role at any time: Yes - but see note #2.
Some meaningful security built into this software application would be nice: Pretty good - obviously there are some flaws/loopholes (see notes #1/#2).
GPL/Apache licensed and other open-source software is preferred (we can self-host): No. Unfortunately not.
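
Security notes #1 and #2 mean that unsharing or locking a user does not revoke knowledge of a secret; only rotating the credential does. The sketch below is an added example, not part of the original answer and not LastPass code: it replays a constructed audit log using the question's role model (role A reads everything, role B reads only what is shared) and reports which credentials still need rotation. All names and events are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not from the page).
CREDENTIALS = {"ci-server", "dns-panel", "billing"}
EVENTS = [
    ("role", "alice", "A"),            # role A: can read every credential
    ("role", "bob", "B"),              # role B: only what is shared
    ("role", "carol", "B"),
    ("share", "bob", "ci-server"),
    ("share", "carol", "ci-server"),
    ("share", "carol", "dns-panel"),
    ("unshare", "carol", "dns-panel"),
    ("rotate", "dns-panel"),           # secret changed after the unshare
    ("lock", "bob"),                   # bob locked, ci-server never rotated
]

def rotation_needed(events, credentials):
    """Replay events; return {credential: users who know it but lost access}."""
    roles, locked = {}, set()
    shares = defaultdict(set)    # credential -> role-B users it is shared with
    exposed = defaultdict(set)   # credential -> users who could read current secret

    def authorized(cred):
        return {u for u, r in roles.items()
                if u not in locked and (r == "A" or u in shares[cred])}

    for kind, *args in events:
        if kind == "role":
            roles[args[0]] = args[1]
        elif kind == "lock":
            locked.add(args[0])
        elif kind == "share":
            shares[args[1]].add(args[0])
        elif kind == "unshare":
            shares[args[1]].discard(args[0])
        elif kind == "rotate":
            exposed[args[0]].clear()   # new secret: prior knowledge is worthless
        else:
            raise ValueError(f"unknown event: {kind}")
        # Anyone authorized right now can read the current secret.
        for cred in credentials:
            exposed[cred] |= authorized(cred)

    stale = {c: exposed[c] - authorized(c) for c in credentials}
    return {c: users for c, users in stale.items() if users}

if __name__ == "__main__":
    print(rotation_needed(EVENTS, CREDENTIALS))
```

With the sample log only `ci-server` is reported, because `dns-panel` was rotated after the unshare while `ci-server` was not rotated after the lock.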