http://www.thycotic.com/products_secretserver_overview.html
Using the Professional version of this program right now for a fairly large network, but their "Express" edition is only $10. Runs on an internal IIS/MSSQL environment and the encryption and security is very solid in my experience. If you're running AD, it will also integrate with that for login and permissions.
Edit: speling
We used to use KeePass in a shared folder, but we have moved to SecretServer. We were weighing central password managers, and it came down to LastPass vs. SecretServer; most sysadmins favored a self-hosted solution over a "cloud" one for obvious reasons.
SecretServer might be overkill in your situation, I'm not sure. The reason why we moved away from KeePass - which is a great password manager - is the need to have more granular access control on credentials, AD integration with multi-factor auth and overall decent auditing capabilities.
Once you're beyond the all-passwords-in-one-shared-file system, I'd recommend the jump to a real password management system like Secret Server.
It's $100/user, but it gives you full per-user access control and history.
Check out SecretServer for a self-hosted option. There is a version with Active Directory integration for tighter control as well.
Expensive is relative, FYI.
This isn't something to keep in email, but you should have a master password list for non-user accounts. Secret Server is a great resource for password control. If you host it on-site (or private cloud) then you can tie it to Active Directory for access.
I prefer something like Secret Server over the various free online password managers.
You should have a password list under some form of control. Think of the "lottery bus" argument. If on your way home tonight you get hit by a bus/win the lottery, what happens to the company? If you decide to just not show up tomorrow, what happens to the company? Having the various passwords (like your DC restore passwords) and subscription accounts under control is the way to account for this.
Sorry, I should probably clarify here. Although OP has compared it to LastPass in the title, I generally don't make such comparisons.
RatticDB is designed for teams or people to share passwords to systems where they cannot have separate accounts. When you try to design a system to support that you'll find that support for LDAP and other assumptions are pretty much demanded by users. Think of it more as an open source alternative to Secret Server.
We are an MSP using KeePass and it's been working great. However, we now have 12 people working, so I'm starting to realize the need for an AD-integrated solution to have more granular permissions. We've been looking at http://www.manageengine.com/products/passwordmanagerpro/ and http://www.thycotic.com/products_secretserver_overview.html/ ; both are pricey, but I'm ready to make a change. Adding PasswordState to the list.
Best practice is not to give them keys to the kingdom. Set them up with a domain account, and dole out permissions via the domain security policy as required. It will be more work in the end, but far more proper and worth the effort. Don't forget, create a 'helpdesk users' group, and assign permissions to the group, not the user (so you don't have to go through this all again if he leaves).
Also, set up a decent password management program, like SecretServer.
Too many people get lazy and just add them into domain admins. Not good.
What bothers me is when an organization has a password policy for their users (via AD GPO), but then they don't follow it on their network gear, Linux servers etc. If you make a policy, enforce it everywhere. Also, check this product out: http://www.thycotic.com/products_secretserver_overview.html It's way better at OTP, service account password changes, and it can make pretty reports for the auditors/boss.
Another option could be Secret Server, which we are currently testing. Combined with Active Directory (assuming Windows environment) I think you could use a personal smart card for each employee.
I second the vote for Secret Server. We have been using it for years now. Don't know what our team would do without it ...
You can also start with just a few users like we did - only $75 a user one-time cost - hardly a budget buster, but I think they even do all the high end stuff with their Enterprise Edition.
We use the Secret Server tool and it does the job. Lets you do serious IT infrastructure stuff too - like it changes all our Windows administrator passwords on a schedule, stores our SSH private keys, launches remote desktop and so on. Our next step is to start using their service account management ... then (in theory) we can have Secret Server change the service account passwords and update all the places using them - that I want to see...
They also have mobile apps that let you access the vault - I use the iPhone app but the BlackBerry guys like that app too ... I also heard they are coming out with Android and Phone7 support soon.
I'm just looking into this now, and have heard good things about Clipperz. There's a self-hosted version of it that I might try out. There's also the Secret Server which is a bit more enterprisey, but not quite what we're looking for. It's also expensive.