I’ve been using Thycotic Secret Server for a while now to store my personal account information, passwords and account notes. It acts as a secure vault for for this important information. Prior to this, I’m ashamed to say, I was using the same username and password for most of my accounts. Obviously this is a terrible practice, especially in this day an age where banks, stores, and websites are frequently under attack for this information.
The Heartbleed Bug in OpenSSL brought this to the forefront for me. I knew I had to change all my passwords with new complex passwords, but the challenge of trying to remember all those passwords was an impossible task. I tested several different password management solutions, but none of them worked as well and as trouble free as Secret Server.
The following are the list of requirements I needed in a password management program:
- Easy to use
- Available remotely
- Automatic complex password generation
- Automatic login to password protected websites
- Must work in the browsers I use (Internet Explorer and Chrome)
- Must work with my iOS devices (iPhone and iPad)
Secret Server is just one of Thycotic’s security products aimed at securing your personal and private data. Thycotic offers a free* Express Edition of Secret Server for private use, and this is what I’m running. OK, technically it’s not “free” – it costs $10 per year, but Thycotic donates this to charity. Not only is this super cheap compared to other password management solutions, it also shows what a nice bunch these Thycotic folks are. Other editions have additional features and capabilities, such as the ability to change network passwords remotely, service account management, and provide high availability. I should also mention that all versions of Secret Server (including Express Edition) include full online support!
I installed Secret Server Express Edition on a dedicated Windows Server 2012 R2 web server, but you can also install it on an existing web server. You will need to install the IIS role and features, the .NET Framework 4.5.1, and Microsoft SQL Server 2012 Express. After that, the installation is a simple 5-step process and you can manage your passwords (secrets) right away. The comprehensive Secret Server Installation Guide walks you through the entire process, including prerequisites.
Once installed, you can access Secret Server through the IIS website you created. To add a new secret, select the Secret Template dropdown box in the upper right corner. The template you select contains all the relevant fields for the secret. I use the Web Password template for most of my secrets. This template allows me to use the Web Password Filler (described below).
Once a Web Password secret has been saved with the logon URL, username, and password, it’s easy to have Secret Server log you in to the website with the unique complex password. Simply add the Web Password Filler applet to the Favorites on your web browsers:
Then click the Web Password Filler favorite when you want to logon to the website. You will need to login to the Secret Server if you aren’t already, then Secret Server will automatically log you on to the website. for example, here’s the automatic logon for Amazon:
Thycotic also has a free Secret Server app on the Apple App Store so you can access your secrets and passwords from iOS devices. It doesn’t offer the same auto sign-in feature, but it does provide easy access to launch logon URLs and copy complex passwords.
There are many other features that Secret Server provides, but I honestly haven’t had a need to use them myself. Some of these advanced features include:
- Roles-based access controls
- Full auditing and reports
- Email notifications
If you’re looking for a full featured password management solution I encourage you give Secret Server a try. They offer a 30-day free trial.