You need to store them on a secure database (example: IMB DB2 or PostgreSQL) on a server. Add permissions and create some kind of interface for the users such as an intranet application.

You should not need to store plaintext passwords online. Most computer systems store them in an encrypted hash form so that even if that is stolen, they are hard to crack (assuming they don't yield to a dictionary attack trying "letmein","12345","guest","aardvaark" ...)

Each employee should have their own password and userid, with access control lists giving them access to what they need to to get their job done. When they leave, you drop them off the ACL.

A central authentication server like Kerberos or LDAP or Active Directory means that the hashed passwords are only stored in one place, and that one password allows access to all services at a given security level.



Having said that, there are a number of occasions where devices only have one password, or can't be connected to an authentication server. A paper list in a safe works well. In fact, there are passwords (such as encryption keys and the administrator password to the authentication server) that should be written down and placed in a safe so that if someone is hit by a bus or just forgets, others can access critical information.



I have in fact implemented a password store for that kind of shared password, but it's a bit messy and not ready for general release. Basically, I just use the open-source GPG (like PGP) program to encrypt a list of passwords with the public keys of each of a number of authorized users. Any of them can access the list with their own private key, which they keep to themselves, and if anyone leaves, their public key is just dropped from the list of keys used - there is no master password or key that must be quickly changed, locking everyone out till they can be told the new secret.



(the messy bit is that the list is held in an SVN version control repository, and I try to make sure all the plaintext files are properly erased when someone edits the list)



There are lots of password vault programs, and one built into Firefox, but generally those have one master password that everyone knows. Which is probably fine in a small business where you are more worried about hackers than a dishonest employee or someone being let go under a cloud. (Not that I'm really worried about that, but it was an intellectual exercise to try to do it right)

Jack,



If you are in one physical location, might I suggest a FIPS encrypted flash drive. Keep it in a secure place that everyone has access to. FIPS drives are relatively cheap, and you must have the password to read the encrypted files. We use them at my office for when people have to take client data off-site.

A paper list?



The chances of losing that are low if you keep it in a fireproof secure box/safe