Keepass configuration distribution

Help
Drickx
2008-06-04
2012-11-19
  • Drickx

    Drickx - 2008-06-04

    Hi all,

    Being a huge fan of KeePass, I am planning on pushing its use within my corporation to raise awareness about password security and put an end (hopefully) to post-its lying around with admin passwords written all over them!
    For ease of use and conformity to my company's policy about password management, I'd like to modify and lock the default options of KeePass.
    Example: For the password generator, I'd like to configure the password generation setting to be in conformity with my company's policy (say 8 chars min) so that a user can only generate strong passwords.
    Same goes for the master password: I'd like to force the users to pick a strong master password.
    I'd also like to disable the export options.

    How can I achieve this? How can I configure KeePass the way I want it and then distribute it to my fellow coworkers so that they cannot modify the options I have set for them?

    I plan on using the standalone 1.11 version because it can be used without admin rights.

    Any help would be appreciated!

    Regards,

    Cedric

     
    • Paul

      Paul - 2008-06-04

      Cedric,

      The KeePass.ini file holds all of the configuration settings. If the ini file is read-only, KeePass will use this as a master ini file and only allow changes to things not specified.
      http://keepass.info/help/base/configuration.html

      You cannot set requirements for the master password; you need to educate your users. ;-))

      cheers, Paul

       
    • Dominik Reichl

      Dominik Reichl - 2008-06-05

      Since KeePass 1.11, you can specify a minimum length (number of characters) and a minimum estimated quality (bits) for master passwords (in the INI file). See the last section on http://keepass.info/help/base/keys.html.

      If you need more complex checking rules (dictionary, ...), you can write a KeePass plugin. Since KeePass 1.11, there's an easy-to-use interface for plugins to check new master passwords.

      For the enforced configuration settings, see Paul's link (section "For Network Administrators: Enforced Configuration"). Basically you need to create a file "KeePass.enforced.ini", which contains all the configuration settings that you want to enforce.

      Best regards
      Dominik
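
An added example, not part of the original thread and not KeePass project code: a small Python check that a KeePass.enforced.ini prepared for distribution actually carries the master password minimums described in the reply above. The key names `KeeMasterPasswordMinLength` and `KeeMasterPasswordMinQuality` are assumed from the KeePass 1.x help page linked in that reply and should be confirmed there; the policy values and sample file contents are constructed.

```python
# Assumed policy minimums (hypothetical values; substitute your company's policy).
# Key names are assumed from the KeePass 1.x help page; confirm them for your version.
POLICY = {
    "KeeMasterPasswordMinLength": 12,   # characters
    "KeeMasterPasswordMinQuality": 64,  # estimated bits
}

# Constructed sample contents of a KeePass.enforced.ini, not taken from a real deployment.
SAMPLE_WEAK = """[KeePass]
KeeMasterPasswordMinLength=8
"""
SAMPLE_OK = """[KeePass]
KeeMasterPasswordMinLength=14
KeeMasterPasswordMinQuality=80
"""

def parse_ini(text):
    """Map each key to the list of values given for it, skipping headers and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def audit(text, policy=POLICY):
    """Return a list of findings; an empty list means every policy key is met."""
    settings = parse_ini(text)
    findings = []
    for key, minimum in policy.items():
        values = settings.get(key, [])
        if not values:
            findings.append(f"{key}: not set, so not enforced")
        elif len(values) > 1:
            # Which duplicate wins depends on the reader, so flag it instead of guessing.
            findings.append(f"{key}: set {len(values)} times, effective value is ambiguous")
        elif not values[0].isdigit() or int(values[0]) < minimum:
            findings.append(f"{key}={values[0]}: does not meet policy minimum {minimum}")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit(text) or "meets policy")
```

Running the check before the file is copied to the share catches a missing or weakened key without anyone having to open KeePass.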

       
    • Nobody/Anonymous

      I am trying to run 1.11 on a network share for all of our Customer Service Reps to utilize. I have a few problems and questions.

      Reading the FAQ - it appears you can run an "enforced" mode that may be able to do what I want - Problem is to use this, the steps outlined include going to Tools/Options/Policy tab. I have no Policy Tab... I don't have it on the standalone thumbdrive version I have been using - nor on the freshly downloaded and installed Windows install version.

      From reading the instructions on the 2.x version - after you save your "policy" settings - you rename the .xml to .enforce.xml. I'm assuming this is enforce.ini on the 1.1x version.

      Seems pretty easy - just can't find the Policy Tab.

      The main reason for us wanting to run this central and secure - is that we don't want our CSRs to actually see the u/n - and pwds.

      Is it possible through policy to make this read only and not allow users to view passwords? Help appreciated.

       
    • Paul

      Paul - 2008-06-06

      The Policy tab is only on version 2.

      There is no way to prevent users opening the entry and reading the password, that I know of (Dominik changes things too fast for me to keep up).

      cheers, Paul

       
    • Drickx

      Drickx - 2008-06-09

      Thank you Paul and Dominik for your answers.

       
