[TYPO3-english] Password management advice

Rik Willems rik at actiview.nl
Tue Feb 7 15:25:47 CET 2012


Hi Oliver,

Thank you for your insights. I actually did think about an LDAP solution 
but thought we could do better.
I'm not sure I agree on your lock-in comment, but the rest stands clear.

I prefer to create as little as possible to avoid security risks. 
Relying on proven solutions made by knowledgeable people is my way to go.

Thanks!

Rik


On 7-2-2012 14:25, Oliver Salzburg wrote:
> Hello Rik,
>
> my opinion is that, yes, you would have to delete every one of those
> 200 accounts one-by-one.
>
> I assume you build these sites for your clients. So by forcing a
> non-default authentication mechanism on the client just to solve your
> in-house account management issue, you're making life worse for your
> client.
>
> Let's say you move all sites to an LDAP-based authentication mechanism.
> Given that you worry about your own user accounts, it would be logical
> that your company hosts the LDAP server. Now all authorization for all
> websites you've built for your clients needs to go through your server.
>
> That might be desirable if you're going for the tightest lock-in for
> your clients, but they might not appreciate those efforts ;)
>
> I would recommend spending a day or two hacking together a solution
> that can SSH into all the sites of all your clients and add/remove
> user accounts from the local database.
>
> Cheers
> Oliver
>
> On 2012-02-07 13:55, Rik Willems wrote:
>> Hi Oliver,
>>
>> I've seen this one. It does solve the password distribution but not the
>> management part of the user accounts.
>>
>> When you run 200 websites you don't want to remove a user in each
>> installation when one of your employees leaves. How do other companies
>> manage this?
>>
>> Cheers! Rik
>>
>>
>>
>> On 7-2-2012 11:35, Oliver Salzburg wrote:
>>> On 2012-02-07 10:12, Rik Willems wrote:
>>>> Hi all,
>>>>
>>>> I'm looking for some password management advice. How are you all
>>>> handling this situation?
>>>>
>>>> Say, you work on a lot of TYPO3 (and perhaps Magento as well) projects
>>>> with your team. Does everybody use his own username/password? How do you
>>>> manage changes in your team? Do you go through all projects and delete a
>>>> user, or change a master password?
>>>>
>>>> Do you have other solutions to a central login system to all your
>>>> projects for project members? LDAP server perhaps?
>>>>
>>>> Looking forward to your thoughts.
>>>>
>>>> Cheers! Rik
>>>
>>> I use KeePass (http://keepass.info) and create a new database entry for
>>> every new site (both FE and BE). The login forms are later identified
>>> by the title of the browser window (so to speak) and I log in with the
>>> press of a hotkey.
>>>
>>> Besides that, I would never share user accounts with anyone. Doing so
>>> has many negative implications that are just unnecessary. TYPO3 user
>>> accounts are cheap to create, do so.
>>>
>>> Cheers
>>> Oliver

