My multinational IT company doesn’t allow any password managers, and the security team told me to memorize my account passwords. At the moment I am using the simplest of passwords on every account, in case hackers want to access my account; because I don’t want to make it harder for them, I am saving all of my passwords into a plain text file too. They actually wanted me to memorize more than 30 accounts and make them secure somehow.
But is there a secure password manager app which doesn’t require installation (or at least not installation with admin rights), and if possible doesn’t show up in my org’s security software? On my crappy laptop the company installed Symantec Endpoint, Qualys, Cortex XDR, Xagt, Absolute Software Inventory (AbtSngSvc), EDPA? (might be part of Symantec), KeyAccess. I don’t have admin access either.
What I need is a secure password manager with TOTP support.
In case you want a relatively secure but still simple, easy to remember password, just type it twice or thrice; even with a dictionary attack it still increases the complexity by a lot.
Can you use external USB flash drives? Most of the decent password managers have portable versions that can be run off a USB drive. That won’t stop their security software from seeing that you plugged in a USB drive and ran an executable off of it, but it would allow you to access your passwords.
Is there any reason you can’t use the web version of a password manager and just copy/paste the passwords? Since it sounds like they are all work accounts, any keylogging they have isn’t likely to be an issue, since they most likely have administrative access to all of your accounts if they needed it.
Not just with my manager, also even went to Senior Project Management. They are saying they can’t change security policies even though they don’t make any sense.
@Securely0845, I can’t use a USB drive. I can’t even use microSD.
I tried Chrome’s own password manager but it keeps asking for my Windows password to fill a field instead of my Windows Hello PIN, so it is no longer an option.
Browser extensions are also managed by group policies.
That’s a bummer, but not surprising considering the level of access control they have in place.
Are you able to use personal phones while at work? You could always run your password manager on that and just type the passwords in; at least you’d have secure accounts.
Or like @Fibonacci suggested, the web version of most of them should work, unless they are intentionally blocking those web pages.
You might be able to use KeePass, but I would suggest not to install third party software that is not approved.
Web-based ones like Bitwarden or Proton Pass would actually be worse, and I would refrain from using those. Your company will not have agreements with those parties, and you are basically doing something that has not been approved.
I myself work as a security officer at a corporation too, and we provide password managers, but we definitely do not take it lightly when someone uses their own solution.
We have an internal software repository but not a single password management software.
I tried to reason with the security team, gave them NIST pages, tried to explain to them that no one can remember all the passwords and there is no way to store 2FA codes securely, but they didn’t listen.
So odd, but yeah, hard call I would say. If I were in your shoes I would probably ask my manager to approve my use of KeePass; that will keep you a bit guarded. KeePass at least is offline, and you will not deal with any other parties over the internet.
This sounds like a satire of terrible security teams. It’s like they want people to reuse weak passwords, which is the only way most people could remember 30 of them. The security people I know would be overjoyed if their end users came to them because they wanted to manage long and complex passwords with well established software. Baffling.
Not sure why this is accepted answer, that download page has a lot of third party links that aren’t really of high quality.
KeepassDX is the option we recommend for local storage on Android devices. I would not recommend installing KeepassXC on a work machine if they’ve forbidden it. All of those have TOTP.
Another solution is to use a password manager anyway on your phone, which is not a device controlled by them.