Managing Customer login details, passwords and documentation

Kenosh

Howdy, apologies if this has already been answered in these forums, but I was unable to see it.
I was wondering what other small IT businesses use to manage their customers' settings, login details, passwords and other documentation.
A good tool to manage this is something like IT Glue. However, this software is a bit overkill when the IT business only has 2 or 3 technicians.
We have been using an Access database but are realizing we need to move to a better solution.

So just putting it out there to see what secure solution you chaps are using in 2020?

Kenosh
 
I like to use Google's notes. Not only is it accessible via web (notes.google.com), you can download the Android or iOS version of the app. The killer feature that allows for sharing w/ clients is that you can "share" using your client's Gmail. I can have any number of "notes", one for each client, but share each note page with a different client. Anytime I update notes, it syncs back on my client's end. I believe I can even set it to read-only for my client. For added security, I can enable dual-factor authentication. If the client has a Gmail account, it's easy enough to share; if not, I can create one for them and use my company name as part of the note so each time they log in to see, it's already branded with my name. Added bonus, it's free.
Hope that helps.
 
My serious reply is: don't.

The potential for exposure should a compromise occur is just too huge. Just like most of us would never keep the keys to our customers' homes or places of business, we should not be keeping the credentials that serve the same purpose.

If anything, specify in your contract that maintenance of same is the customer responsibility, and make direct suggestions for software you like for having them take care of the process. And also make certain that they have at least two people who have access to their own vault in case one were to be incapacitated, and that if that were to happen that a temporary designee for "the number two" position needs to be made.
 
I have a password manager (Bitwarden), that's a cloud service hosted by them that I store managed customer details in.

I do NOT store unmanaged customer details.

Along with an insurance policy to protect myself and my clients from my whoops... the password manager is in and of itself a further liability shield.

Whatever you do, be crazy careful with it, make sure all logins are MFA protected... and for the love of all that is holy never... and I mean NEVER use an unencrypted storage medium such as Google Keep. That is how things get mined en masse.
 
We're using a desktop/Android password manager / digital wallet app called mSecure. Encrypted and password/biometric protected to access, changes instantly shared among all techs - on their phones so always with them. I thought we would move away from this as we grew, but inertia has kept us using it, and we've changed the organization this year so things are easier to find. $30/phone/yr, $80 for the desktop app IIRC.
 
For myself....I use Bitwarden.
However as a business, for us, since we were on N-Central (SolarWinds) we had started using Passportal.
Since we're spending this year migrating from N-Central to SyncroMSP, we're going to revisit IT Glue which we had looked at years ago, revisiting since it integrates with Syncro and pissportal doesn't.

Not only credentials for client logins, but other credentials such as for their domain registrations or public DNS control panel....if they had it before you took over. Any type of credentials.

Also for your admin account in a client's 365 tenant....since many times we don't have MFA on it for some reason, but keeping it crazy complex and/or rotating via a password manager is good also.

You can also resell this service to your clients, or include it as a line item/option in your higher MSP plans....as a value add to your clients.

Leaving it in our clients' hands is a recipe for disaster, they'll lose it, forget it, and at a time of your need to get in....you're paralyzed. You lose your ability to swiftly go in and do something at any hour of the day/night, which is....part of what we do.

Nice having a service that has an extension in your browser to make logins blind and easy.
 
Leaving it in our clients' hands is a recipe for disaster, they'll lose it, forget it, and at a time of your need to get in....you're paralyzed. You lose your ability to swiftly go in and do something at any hour of the day/night, which is....part of what we do.
^ 1000% this

If I had to rely on someone at each company I do business with to keep track of some of this stuff I'd go insane.

One man business here, I simply use a good password manager for all this.
 
You're damned if you do and you're damned if you don't. So I've taken the position that regular business customers get their creds backed up by me. That way all I have to deal with is the periodic change in email password or similar. Of course for "hit by a bus" scenarios I make sure they have a printout in a known secure place.
 
As I said, I put my managed clients in the password manager. The unmanaged people get a paper record and I'm out the door, no... I don't keep copies.

They lose it? I get paid for more time to get it back. I explain all of this when I drop the paper off, some people get it, some don't. Either way, I get paid.
 
As I said, I put my managed clients in the password manager. The unmanaged people get a paper record and I'm out the door, no... I don't keep copies.

They lose it? I get paid for more time to get it back. I explain all of this when I drop the paper off, some people get it, some don't. Either way, I get paid.

We have a similar approach. If it's something we manage and have a business case for storing then it goes in LastPass. So domain admin accounts, service accounts, switch & router logins, Azure admin account etc. We use LastPass enterprise to store those.

If it's an end-user password easily resettable, like an email account, then we keep no record. Even for managed clients.


For general documentation, notes, network diagrams etc we use Atlassian Confluence. Self hosted with no external access, although it looks like we may have to go cloud in the near future as they are killing off on-site installs.
If you have under 10 users it's a good option to consider. Over 10 users it's not worth the licencing imo.
 
@SAFCasper There are a ton of OSS Wiki packages out there, XWiki specifically touts itself as an alternative to Confluence. My documentation needs have never scaled to that level, but for something that core to my company I think I'd be using an OSS solution to ensure I always had it. Support is great, but that extortion payment that can come along is a killer.

But for my uses I make a team for each client, and document with Word docs / spreadsheets in SharePoint.
 
Paul Woodward of NVSC introduced me to KeePass several years ago and I have been using it since then.
The database is local and can be encrypted with AES or ChaCha20 with a 256-bit key.
Then I use Dropbox to sync the database from my office desktop and laptops.

KeePass is open source and runs on Windows, Linux, Mac.

Of course you don't want the database in the wrong hands, but even with today's technology, if you combine billions of GPUs it will still take longer than a lifetime using brute force to crack AES-256. I read an article that the Cray supercomputer can do it in 5 to 6 years but who has access to one of those. Just imagine the cost of the electrical power you need might not be justifiable to crack your password database.
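For a vault file synced through a service like Dropbox, the figure that matters is the cost of guessing the master password through the key-derivation function, not the 256-bit cipher key. The sketch below is an added example, not code from any poster or from KeePass; the guess rates and the KDF iteration count are assumed round numbers chosen only for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a secret with `bits` of entropy (half the space)."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR

def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password; human-chosen ones have less."""
    return length * math.log2(alphabet_size)

def kdf_limited_rate(raw_ops_per_second: float, kdf_iterations: int) -> float:
    """Master-password guesses per second when each guess costs kdf_iterations."""
    return raw_ops_per_second / kdf_iterations

def effective_bits(key_bits: float, master_password_bits: float) -> float:
    """An offline attacker goes after whichever secret is cheaper to guess."""
    return min(key_bits, master_password_bits)

def scenarios() -> dict:
    # Assumed figures: 1e9 GPUs at 1e10 key trials/s each against the raw key,
    # one such GPU against the password, and a KDF costing 600,000 iterations.
    fleet_rate = 1e9 * 1e10
    pw_rate = kdf_limited_rate(1e10, 600_000)
    weak = password_bits(8, 26)        # 8 random lowercase letters
    strong = password_bits(6, 7776)    # 6 random diceware words
    return {
        "aes256_key_years_gpu_fleet": years_to_search(256, fleet_rate),
        "weak_master_years_one_gpu": years_to_search(weak, pw_rate),
        "strong_master_years_one_gpu": years_to_search(strong, pw_rate),
        "effective_bits_weak": effective_bits(256, weak),
        "effective_bits_strong": effective_bits(256, strong),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:32s} {value:.3g}")
```

Under these assumptions the raw key is out of reach, while a short random master password falls within months on a single GPU, so a long passphrase, a high KDF work factor and MFA on the sync account are what protect a synced database.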
 
@SAFCasper There are a ton of OSS Wiki packages out there, XWiki specifically touts itself as an alternative to Confluence. My documentation needs have never scaled to that level, but for something that core to my company I think I'd be using an OSS solution to ensure I always had it. Support is great, but that extortion payment that can come along is a killer.

But for my uses I make a team for each client, and document with Word docs / spreadsheets in SharePoint.

It's self hosted and perpetual licencing so I don't see any risk of losing access. Worst case scenario we lose support and updates but that same risk also applies to OSS (i.e. the project gets abandoned).

Oddly enough, that worst case scenario literally just happened! However, they gave 3 years notice so I don't have to worry about that for a while.

The main reason for Confluence however is that we found it suited us best. Decision had little to do with pricing or support although it was a nice bonus only costing $10
 