This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Apr 28, 2017, 2:22 PM
18 Posts

Lotus nsf files secure enough for password list?

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: security
  • Replies: 5

We are having a debate in our IT department - are Lotus .nsf files secure enough to put a list of passwords in?  We currently have them in a password protected Excel spreadsheet but one of the guys says that that is easily hackable.  I said why don't we put the spreadsheet in a Domino file - from my understanding, Domino has great security i.e. you have to authenticate to Domino and then you have to have rights to the file via the ACL.

Am I misguided or are they really secure?  And secondly, if your plain-Jane notes file is not that secure, is there a way to make it more secure?

Thanks,

Albert

Apr 28, 2017, 6:29 PM
212 Posts
Security

It is almost impossible to hack into a Domino file (.nsf).  You can also encrypt a Domino file with a user's ID file to make it more secure.

If this is the case, you are securing the file via the Access Control List, and through a user ID encryption key.

May 1, 2017, 1:13 PM
323 Posts
If you encrypt an email & send it to yourself you can store personal pws.

They're far, far more secure than the fig-leaf protected spreadsheet in Excel. And if they're your personal passwords, well, you're set. No one else needs access to 'em.

If you need to share the passwords, e.g. for a server or shared account, then encryption is the way to go. The issue here is, it's more important to have a way into the document after significant events. Copy the keys to a thumbdrive, put the thumbdrive in an envelope along with the passwords to the keys. And put it where you store vital, secure information. Like, where you store your backups?

May 1, 2017, 4:14 PM
196 Posts
A comment

I would guess that your department would like to quantify how secure one solution is over another, whether that is a password-protected Excel spreadsheet, an NSF or some other password repository like KeePass.  I would also look at what is currently stored in the spreadsheet to determine if everyone with access to the spreadsheet has a need to see the other passwords. Master password lists grow over time, and there may not be a justification for keeping everything in one list.  It may be better to maintain multiple password lists.

 

May 3, 2017, 7:30 PM
18 Posts
How does encryption work then?

Hi all,

Thanks for the responses.  I was thinking of putting it in a Domino file because we also keep a lot of our tech notes in Domino files (the journal template).  In our case, we have a list of accounts/pwds for two of us with full IT admin rights and then a separate spreadsheet for our help desk person who has only some of the accounts/pwds.  I have preferred the Domino files because we already have clustering to an offsite data center for disaster recovery purposes.

I have not used encryption - I found the setting on the file properties.  Before I try it, can someone give me a bit of an explanation as to what the difference is - the current journal has ACL entries for the IT group (plus help desk group at the moment) and I am already authenticating against my Notes ID file - so what is the difference?  And in a disaster situation, I assume that as long as I have a Notes client set up and access to this .nsf I can open it (once I am authenticated).  Is it using the ACL to allow access or is there something else going on?

Albert

P.S. The other IT guy has suggested a cloud-based program (Dashlane) but I am leery about putting all this in the cloud - maybe they will never be hacked but what do I know.  Also, I currently have my *personal* passwords in a private folder in my mail file so that others cannot see them - but the mail file itself is not encrypted.

 

May 17, 2017, 2:45 AM
9 Posts
RE: How does encryption work then?

Hi Albert,


There are two ways encryption works here.

1) You can encrypt a field or a section of a form. This means that only users that have the provided key can see the contents in those fields or sections.  When a field is encrypted, a user that has access to the document, but does not have the key, cannot look in the document properties and see the contents of the underlying field.  So you could have a document with technical documentation as well as stored credentials within the document as well, but only users with the key see the credentials.

2) Database Encryption - This is the encryption you see in the Database Properties dialog box.  This encrypts the .nsf file on the local computer, so that if your laptop is stolen, the new "Owner" of your laptop cannot just open up the .nsf with any Notes ID.  They would have to guess the password on your ID, which is the one you would use to encrypt it.  This will also prevent you from having someone send you a copy of the ID from their laptop, via email or USB, which was encrypted with their ID.  Your ID, even though you are in the ACL, will not be able to open the DB due to the encryption.

Final Note - DO NOT ENCRYPT DATABASES ON THE SERVER

Walt
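
The field-level encryption described in point 1, sketched in LotusScript as an added example that is not part of the original post or of any HCL template. The key name "ITAdminKey", the form name "JournalEntry" and the item names "Subject" and "Credentials" are hypothetical; the secret key is assumed to exist already in the ID file of every user who should read the field.

```lotusscript
Sub StoreCredential(accountName As String, secretValue As String)
    ' Added illustration: saves a journal-style document in which only the
    ' "Credentials" item is encrypted with a shared secret key.
    ' All form, item and key names below are hypothetical.
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim item As NotesItem

    On Error Goto EncryptFailed

    Set db = session.CurrentDatabase
    Set doc = db.CreateDocument
    doc.Form = "JournalEntry"
    doc.Subject = accountName            ' not flagged, so readable by anyone the ACL admits

    Set item = doc.ReplaceItemValue("Credentials", secretValue)
    item.IsEncrypted = True              ' only items flagged this way are encrypted

    doc.EncryptionKeys = "ITAdminKey"    ' secret key held in the authorised users' ID files
    Call doc.Encrypt                     ' encrypts the flagged items in memory
    Call doc.Save(True, False)           ' nothing reaches the .nsf until Save
    Exit Sub

EncryptFailed:
    ' Any failure before Save (for example, the key is missing from the
    ' current ID) leaves the document unsaved, so the secret is never
    ' written to disk in clear text.
    Messagebox "Credential not saved: " & Error$ & " (" & Cstr(Err) & ")"
    Exit Sub
End Sub
```

A user who is in the ACL but lacks the key can still open such a document and read `Subject`, while `Credentials` stays unreadable, which is the separation between ACL access and key possession that the post describes.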

