Share password in several LastPass entries - passwords

Some of my login credentials are actually linked (via LDAP I guess) to a Windows Active Directory account. That means, the entries in my LastPass account for those refer to the same password which, according to AD policies, must be updated regularly. I have three problems with this:
How to find the passwords which must be updated whenever I perform an AD password update? I have solved this by placing all entries linked to the AD account into an "AD" group in LastPass, and manually updating those entries whenever the AD credentials change.
DRY? (Don't Repeat Yourself). How can I have a single entry referring to the AD credentials, and link the rest of the entries to this entry?
LastPass "Security Challenge" becomes useless, since I get lots of non-relevant "Change Reused Passwords" warnings.
Can you suggest a good approach to solve all this problems?

I've had a similar problem with multiple active directory logins stored. Here's how I've solved it, though I can't claim it's the best way. It just works for me.
At my company we have multiple domains (parent company and child companies). So lets use foobarenterprises.com, foo.com, and bar.com.
The first thing I did was setup Equivalent Domains (Account Settings > Equivalent Domains tab). This is just a single entry that is a comma seperated list of those domains. So with that setup, it will now recognize that all three domains can use passwords with each other (a saved login for foo.com would work as well for bar.com or foobarenterprises.com).
The second thing I did was to remove ALL entries with that user account. I then created a single entry that I named "AD Account" (or whatever you prefer). I set the URL to foo.com (which saves as http://foo.com) and set my username and password.
Now when I browse to any site in those domains, I can use my single saved entry to login. Though my autocompletion doesn't seem to work well... not sure if this is Lastpass or the sites I'm trying to log into though.
I hope others will post how they do this because I'm curious to know if there are better ways. But hopefully this will help some. Good luck!

Related

What's the expected behavior of a dependent app when an LDAP user's DN changes?

Is there any expected/standardized behavior for an app that authenticates via LDAP, when one of its registered users has its DN changed? (Or more generally, when their effective principal changes, which seems to commonly be their DN. I'll say "principal" instead from here, though I usually think "DN".)
Here's an example from Gitlab running into this issue: https://gitlab.com/gitlab-org/gitlab-foss/issues/993
In their case (based on the commit linked in that issue) they seem to address this by using multiple attributes to identify users instead of a single one, so that a single change doesn't prevent them from mapping back to the same LDAP user.
It seems to me the available options would be:
Don't try to prevent the issue but provide some method to change the principal stored (either in-app or via DB modifications)
Try to prevent the issue by picking (automatically or manually by user) a better, static user attribute to use as principal
Try to mitigate the issue by cross-referencing multiple attributes, as in the above links
Which of these would be the expected/"best" approach here, if any?

Auth0 database and social connections, unique email addresses

Maybe I am missing something here, or this is a flaw in Auth0? I'll give an example of my issue:
Let's say I have my Default App (client), hooked up to that I have Username-Password-Authentication (database connection) and google-oauth2 (social connection).
A user comes to my site, signs up via google-oauth2 (social connection) using joe#gmail.com. Once complete, he gets added to my users in Auth0, all great.
A few months later, Joe comes back to my site, and being a busy guy, he forgets he signed up to my site before. This time, he decides to sign up using my custom Email and Password form, that will add the user to the Username-Password-Authentication (database connection). so he signs up there using joe#gmail.com again, and everything goes well, he is now listed in my user's section in my Auth0 dashboard.
This is the problem, I now have two joe#gmail.com accounts, one with google-outh2 and one with Username-Password-Authentication. I really can't have this, I need a unique email address, regardless of the ID Auth0 supplies.
Does anyone know how I can make email address in my user section 100% unique? I'd think a rule would do this, but it appears rules only apply AFTER a user has been registered, so I can't run a rule before adding?
the only way I can see doing this right now is make my own checks and delete via the management API, but that is a really long and messy way to do it I feel.
Any help will be appreciated here!
Thanks!
Auth0's default behavior is to create a new account in the database for every unique entry. Since the user created using Google has a unique id (based on google-oauth2), and the user created using the sign-up form has a unique id - they will technically be considered two separate accounts. In order to resolve this disparity, you can establish a means with which the account data can be merged. In the documentation linked provided above, there are examples of three possible ways of doing this:
Automatic Linking - which involves creating a specific rule to merge users based on matching emails
User-Initiated Linking - which involves providing a UI for users to opt into merging users with matching emails
Suggested Account Linking - which involves setting up a rule that is linked into the UI
One important thing to consider is that the data returned from different social identity providers may not be normalized the way that data is normalized onto the Username-Password-Database. For example, while auth0's default for emails is to lowercase the information, google-oauth2 may return emails as Uppercased - creating the potential for non-matching emails when checks are made using strict equality
The option you are looking for is called account linking.
You can find more info at https://auth0.com/docs/link-accounts

Using an IP address to identify users

Let's say I have a table of food items to bring to a lunch on a very simple web page. I don't want there to be login, but I would like there to be some smartness to my app.
Let's say a user puts in a food item. Other than a login, couldn't I use the IP address to do things like: only the user that created the record at same IP address can edit this record. Something like that.
I was thinking one more step toward a login, have a single text box where a user can put initials.
This way first person to suggest bring an item can be happy to know their todo for the lunch is done and can't be "overwritten"
That's it!
Pros and cons, welcomed!
This is more of a helper app than a formal thing, like to help around the office of local users.
Authentication and Authorization are separate functions, and I'm drawing the distinction here for a reason.
Authentication is the process of positively identifying a user, so you know who they are.
Authorization is the process of allowing or preventing that user from accessing parts of the application.
IP addresses can be used to partially identify users, but as #Dai pointed out in his comment, it has problems. Even using a Mac address is problematic since some people know how to spoof Mac addresses. If you can use someone else's authentication service, you can authorize them yourself.
Once you have positively identified a user, you can track them using a randomly generated ID that is good for a session. It is possible to use a cookie to track that ID. If that ID is associated with a Role you can authorize based on that role.

Using the same credentials to login to two Joomla! sites (1.5 & 1.6)

I am looking for a way for my users to be able to login to both of my Joomla sites (one running 1.5 and the other 1.6) using the same credentials. For example, if a user registers to my Joomla1.5 portal, when they use that same info for my Joomla1.6, they get logged in without having to re-register and vice versa.
I guess an authentication plugin would be the best solution in combination with a XML-RPC service? Joomla1.5 site's plugin is triggered which "communicates" with the Joomla1.6 site where the user is already registered, if the credentials check out, a new user is created and the user automatically gets logged in.
Thanks in advance for any ideas/help.
You are trying to do two very different things that will require two very different plugins. First, you need a bridge to handle user table synchronization. You not only have to create a user for each site, you have to sync everything about both accounts each time anything changes. This would include changing email address, password, or even user name plus any other related data such as the use groups that the user belongs to. A good place to start would be jFusion, which is designed to bridge Joomla with other software packages but can certainly be modified to bridge Joomla sites. JFusion also has the added advantage of creating user sessions for each connected software package for a single unified login, which would be the second piece of the puzzle you would need to solve once you get the users sorted out.
http://www.jfusion.org/

Login for webapp, needs to be available for support staff

I know the title is a little off, but it's hard to explain the problem in a short sentence.
I am the administrator of a legacy webapp that lets users create surveys and distribute them to a group of people. We have two kinds of "users".
Authorized licenseholders which does all setup themselves.
Clients who just want to have a survey run, but still need a user (because the webapp has "User" as the top entity in a surveyenvironment.)
Sometimes users in #1 want us to do the setup for them (which we offer to do). This means that we have to login as them.
This is also how we do support: we login as them and then follow them along, guiding them.
Which brings me to my dilemma. Currently our security is below par. But this makes it simple for us to do support. We do want to increase our security, and one thing I have been considering is just doing the normal hashing to DB, however, we need to be able to login as a customer, and if they change their password without telling us, and the password is hashed in the db, we have no way of knowing it.
So I was thinking of some kind of twoway encryption for the passwords. Either that or some kind of master password.
Any suggestions?
(The platform is classic ASP... I said it was legacy...)
Both options you present sound unattractive to me.
A master password is probably even more dangerous than what you are doing right now
Encrypting (instead of hashing) passwords in the database is not good enough either IMO, as it takes only a break-in on your end to get hold of all passwords. They really should be hashed.
I assume the product, being an old legacy app, is impossible (or not economically feasible) to change in a way that administrator accounts can impersonate user accounts, which in my opinion is still the best approach to this in a real-world scenario (not everyone shares that opinion, discussion on the issue here).
How about introducing a second password column (password2) containing a hashed password that you enter? The login process of the app may be easy to tweak into looking in a second column as well. It might be easy to implement, and I can not see any additional security problems coming from it (correct me if I'm wrong of course.)
What I would do is to let the support staff login with their username/password but to chose a user to "impersonate". So in your session you will have:
logged_user - the actual user who typed in his/her username and password
impersonated user - the user (1) is acting on behalf of
Everything you do is done with the impersonated_user's permissions and preferences.
If you are not impersonating anyone impersonated_user=logged_user.
This way you have to always log any operation with both "actual" username and "impersonated" username; for example:
2010-03-09 | 11:34 am | deleted item #890 | 'George' impersonating 'Lizzie'
sounds like you want to decouple your authentication from your identity a bit. Maybe something like an administrator override page, so that after you log in as the administrator, you have a choice of which user identity you wish to assume. After selecting an identity, you continue to use the app without further authentication.
I like the solution offered by Manrico Corazzi. It reminded me that when you need support from Microsoft, there is way to hand over the control of your machine to a technician. That could be another way to achieve the impersonating mechanism. In order for an administrator account to log in, an authorized license-holders would have to explicitly allow him to join his session and act with all his privileges.