Password management - Security & Cryptography

neeasade
Grey Hair Nixers
(31-08-2016, 12:36 PM)z3bra Wrote: How do you use the pass(1) database from your phone?

Not mpcsh, but I use this app: https://github.com/zeapo/Android-Password-Store
jkl
Long time nixers
While I do use KeePass (with KeeFox) to have my passwords where I need them, I can't see why I would want to use complex passwords for anything.
z3bra
Grey Hair Nixers
Not for anything. Just for services you care about and don't want for someone to "guess" it.
For example, your mail account is pretty critical, as you use it to recover passwords. For a reddit/hn/youporn account, you don't care much and can use "passw0rd".

I've heard some people say they just request a new password whenever they need to log in. It seems tedious, but I like the idea!
jkl
Long time nixers
If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.
venam
Administrators
(31-08-2016, 07:32 PM)z3bra Wrote: I've heard some people say they just request a new password whenever they need to log in. It seems tedious, but I like the idea!
I've been doing that for some websites but not by choice.
I keep forgetting my credentials on those websites.

On another note, I've started putting my passwords in a hnb notebook and encrypting this notebook with gpg.
With a helper alias it's nifty.
z3bra
Grey Hair Nixers
(31-08-2016, 07:35 PM)jkl Wrote: If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.

As I see it, relying on other people to secure you online is flawed by design. Of course you need to trust people at some point, but if you can take steps by yourself to be more secure, it's a good habit.
If after that, the website stores the password in a plain text file, you're screwed.
aah
Members
I am just experimenting with a different way, I know it's not very secure!
I have my own start page that is located on my hard drive; from that home page it links to 3 other pages, one of them encrypted with ccrypt. So if someone was to somehow manage to log into my computer (needs a password) and open a browser, the page does not load. If I open the browser via a script, the page gets decrypted first and the browser started.
On the page is just a series of usernames next to passwords that I can copy and paste when needed.
I can post my pathetic little script if anyone wants that, I am not a scripter!
Of course, if anyone was to search my computer and open the script, they would see the password in there, big weakness! lol
Although it would probably take a scripter to spot it.
Dworin
Members
aah, if you password-protect your script, you basically have a password manager. Why not just one of the many available?

I've started using keepassc. I like that it also generates passwords and since it's without GUI, I could access it by logging in over ssh from my phone (passwordless login, to be sure). Never needed that yet though.
kerunaru
Members
mpcsh Wrote: I moved to it from `mpw(1)` (http://masterpasswordapp.com), which I quite liked, but became unwieldy when passwords needed to be changed.

Uhm... I use mpw too and, now that you mention it, I would try pass because of this. I haven't found myself in the situation of changing those strong passwords yet, but what actually happened to me is that there are some sites which don't allow some characters from passwords generated by mpw.
yossarian
Members
I use kbsecret [1], which I started developing a few months ago. It's written in Ruby and runs on top of KBFS and Keybase, which has a few advantages:
  • Encryption is transparent via KBFS - I don't have to worry about managing my PGP keys, my keychain, etc.
  • At its core, it's just JSON files and a directory structure on a FUSE mount.
  • I can create "sessions" between as many Keybase users as I want, meaning that I can share API keys and secrets across teams.

Using JSON for secrets has a few other advantages, like being able to create custom record types for logins, code snippets, environment variables, To Do notes, and so forth.

There are some downsides: you need to have a Keybase account and KBFS installed (it's all open source, but this is still potentially a hassle), and it's mostly command-line for the time being: no mobile app or browser integration.

I don't want to shill for myself too much, but I'd appreciate any thoughts!

[1]: https://github.com/woodruffw/kbsecret
buttcake
Members
Is there something like this https://github.com/w8rbt/dpg but for the CLI?
venam
Administrators
There's quite a lot of places that store keys on Unix these days. Do you use a password/key manager software? What's your current solution to this?

Do you have novel ideas that aren't implemented yet?

As usual in security, you need at least 2 or more of a combination of the following: something you know, something you have, something you are.
jolia
Long time nixers
I started using safe(1) from z3bra a few months ago, and I really like it!

You guys should give it a try.
z3bra
Grey Hair Nixers
I too have been using safe(1) for the last year, and I love it. Because it feels good to use something you made, but also because I took the time to correctly set up a password management process with it.

(08-12-2020, 04:30 AM)venam Wrote: As usual in security, you need at least 2 or more of a combination of the following: something you know, something you have, something you are.

I don't fully agree with this statement. While this is good advice, security isn't about seeking top-notch security at all costs. In my case, relying on a GPG key (something you have) was too involved, and I ended up avoiding my password manager like the plague, because I knew that I would struggle to recover the password for different reasons. GPG requires too much involvement to secure a secret store. You gotta rotate your keys, sync them between devices, or set up a complex, multi-key system, make sure you keep the revoke key, and you can't use your secret store for that, …

safe(1) was my solution to that. It is a flat-file encrypted secret store, requiring only a master password to unlock its entries. The master password is saved in the store itself (only to check that you typed your password correctly), so the store is "self-contained", meaning that to retrieve a secret, all you need is the secret entry you need, the master password and the tool to decrypt it.

As I back up the store in "THE CLOUD", I can quickly and easily fetch the store from my phone, and unlock it there (safe compiles just fine on my phone!). The file format is also simple enough that using openssl to decrypt an entry should be possible too (I should try it out someday).

The main issue I had in the past with password-based key stores is that you always had to type the password for every single operation (encrypt AND decrypt). So modifying an entry would require typing it twice. Not practical at all!
That's why I also created an agent for safe, conveniently named safe-agent(1). It will accept connections from a socket and either store the key in-memory when someone writes on the socket, or send the in-memory key to a client reading from the socket. The master password is NEVER exchanged between client and agent.

This can, of course, be a security concern, just as with ssh-agent and gpg-agent, so you're not forced into using it. It's just a more convenient way to use the tool.

As for security, it's all about how far you can push the security cursor without impacting usability too much.
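The two ideas in z3bra's post above, a self-contained flat-file store whose master password is checked against a record inside the store, and an agent that keeps the unlocked key in memory behind a socket so the password is typed once per session and never crosses the socket, as an added Python sketch. This is example code written for this thread, not safe(1)'s or safe-agent(1)'s source; the JSON layout, the scrypt parameters and the SET/GET line protocol are assumptions made for illustration.

```python
"""Example (not safe(1)'s code): a self-contained store plus a key agent.

Assumptions for this illustration: the store is a JSON file holding a salt,
a verifier and entries; the agent speaks a one-line SET <hex> / GET protocol
over a Unix socket. Only the derived key is ever sent to the agent, never the
master password."""
import hashlib
import hmac
import json
import os
import socket
import tempfile
import threading
from typing import Optional

VERIFY_LABEL = b"example-store-verifier"  # constant the verifier HMAC covers


def derive_key(master_password: str, salt: bytes) -> bytes:
    # scrypt (stdlib) so a stolen store file cannot be brute-forced cheaply
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def create_store(path: str, master_password: str) -> None:
    # The verifier lets the tool confirm the password without storing it;
    # it is an HMAC of a public constant under the derived key.
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    store = {"salt": salt.hex(),
             "verifier": hmac.new(key, VERIFY_LABEL, "sha256").hexdigest(),
             "entries": {}}
    with open(path, "w") as f:
        json.dump(store, f)


def unlock(path: str, master_password: str) -> Optional[bytes]:
    """Return the derived key if the password matches the verifier, else None."""
    with open(path) as f:
        store = json.load(f)
    key = derive_key(master_password, bytes.fromhex(store["salt"]))
    expected = hmac.new(key, VERIFY_LABEL, "sha256").hexdigest()
    return key if hmac.compare_digest(expected, store["verifier"]) else None


class KeyAgent:
    """Holds one key in memory: a client SETs it once, later clients GET it."""

    def __init__(self, sock_path: str):
        self._key: Optional[bytes] = None
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        os.chmod(sock_path, 0o600)  # only the socket owner may talk to the agent
        self._srv.listen()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            conn, _ = self._srv.accept()
            with conn:
                line = conn.makefile("rb").readline().strip()
                if line.startswith(b"SET "):
                    self._key = bytes.fromhex(line[4:].decode())
                    conn.sendall(b"OK\n")
                elif line == b"GET":
                    reply = self._key.hex() if self._key else ""
                    conn.sendall(reply.encode() + b"\n")


def agent_request(sock_path: str, line: bytes) -> bytes:
    """Send one request line to the agent and return its one-line reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(line + b"\n")
        return c.makefile("rb").readline().strip()


def demo() -> bool:
    """End to end: create a store, unlock it once, park the key, fetch it back."""
    tmp = tempfile.mkdtemp()
    store_path = os.path.join(tmp, "store.json")
    sock_path = os.path.join(tmp, "agent.sock")
    create_store(store_path, "correct horse")
    if unlock(store_path, "wrong password") is not None:
        return False  # verifier must reject a wrong master password
    key = unlock(store_path, "correct horse")
    KeyAgent(sock_path)
    if agent_request(sock_path, b"SET " + key.hex().encode()) != b"OK":
        return False
    fetched = bytes.fromhex(agent_request(sock_path, b"GET").decode())
    return fetched == key


if __name__ == "__main__":
    print("store + agent round-trip ok:", demo())
```

The verifier record only confirms the password; it reveals nothing an attacker could not compute by guessing, which is exactly why the key derivation has to be slow. The socket is owner-only, and that is the same trust boundary ssh-agent and gpg-agent rely on: whoever can write to that socket can read the key, which is the trade-off the post describes.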
venam
Administrators
Personally, I find seahorse quite convenient. It has this ease of use and merges all key management in a single place.
As for heavy key management, I like keystore explorer.
Dworin
Members
I simply use a keepass system from the cli, called kpcli. I have the file mirrored between two systems, because I may need the passwords there and also in case of disk mishaps.