Company Password Management
How Do You Manage Your Passwords
Not sure if this question suits this site but here goes.
What recommendations can you give to centralize and maintain a list of passwords (PCs, hosting, ssh, server ...) inside a small software dev. company?
The aim is to avoid problems if someone forgets a password or goes missing. Obviously such a list should not fall into the hands of an outsider.
P.S: If it's important, the company server is running Linux.
Edit: I'm also interested in any policies concerning the form of passwords and a recommended recurring time interval within which they should be changed.
I always do this with a flat text file, encrypted to all the relevant admins' GPG keys, under source control.
This has several advantages. Firstly, it makes you make all your admins install GPG, use it, and generate, and exchange, keypairs. This has a lot of knock-on benefits in security terms (eg, admins can authenticate requests from each other, which makes social-engineering attacks much harder).
Secondly, the security's not in some centralised application, but in the individuals' key management. You can hack the server that stores the encrypted file all you like, all you'll get is ciphertext. You can keep a local copy of this file on any device that suits you without endangering anyone's security, and without having to install any application other than GPG (which anyone working with security should have around anyway, see above).
Thirdly, because of the source control, you can always step back to find out what the company-wide desktop root password was three years ago, when someone digs a machine out of the basement and insists it needs to be resuscitated right now. You encrypt the current version of the document only to the keys of the currently-serving admins, but you can always add an escrow key for emergencies (passphrase and private key stored in a secured, tamper-proofed medium, and only ever used once - generate a new escrow key if the current one ever has to be used).
KeePass is a password manager I find very usefull, it's cross platform, has features like generating passwords and maintining expiration dates etc.
But it is a single user tool so i'm not sure it fits your needs unless you disallow your users to change their passwords and instead do that centrally. Whether or not that is feasible/acceptable will depend on your security policies.
It's probably best (in turns of policies and the like) to have each user maintain his/her own password and use admin privileges to reset the password of a user who has forgotten his/hers.
As said above KeePass + i use Dropbox to sync the kdbx over multiple devices (PC, Notebook, Android smartphone, it's everywhere).
You can even set password expiration dates there to remind you.
That's pretty much the best tool on the market right now.
As for password policies i think you should find what's the best for your company yourself, just use common sense or google for the best practices, ex. MIT policies.
There is also an online password manager called LastPass with sharing capabilities. They also provide LastPass Enterprise adding functionality useful for organizations.
You should read about technoligy behing LastPass as it states that encryption/decription is done locally on your PC, so only encrypted data passes over the wire and is stored in LastPass data centers. The other important thing is that you can export LastPass data if it happends that LastPass goes out of bussines, your passwords won't
We are currently evaluating http://www.teampass.net/ as tool to manage passwords in our team. So far it seems to work well and can even import KeePass-exported entries.
Since cpm is not mentioned, I'll write a few sentences about it.
cpm is a simple tool based on a ncurses ui. It stores your password database in a GPG-encrypted file which can be distributed out or stored in a git-repository if you want. The data is stored as XML, so it is easy to grab the data and use it in other programs as well.