Password management - Security & Cryptography

Users browsing this thread: 2 Guest(s)
neeasade
Grey Hair Nixers
(31-08-2016, 12:36 PM)z3bra Wrote: How do you use the pass(1) database from you phone?

Not mpcsh, but I use this app: https://github.com/zeapo/Android-Password-Store
jkl
Long time nixers
While I do use KeePass (with KeeFox) to have my passwords where I need them, I can't see why I would want to use complex passwords for anything.

--
<mort> choosing a terrible license just to be spiteful towards others is possibly the most tux0r thing I've ever seen
z3bra
Grey Hair Nixers
Not for anything. Just for services you care about and don't want for someone to "guess" it.
For example, you mail account is pretty critical, as you use it to recover passwords. For a reddit/hn/youporn account, hou don't care much and can use "passw0rd".

I've heard some people say they just request a new password whenever they need to log in. It seem tedious, but I like thr idea!
jkl
Long time nixers
If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.

--
<mort> choosing a terrible license just to be spiteful towards others is possibly the most tux0r thing I've ever seen
venam
Administrators
(31-08-2016, 07:32 PM)z3bra Wrote: I've heard some people say they just request a new password whenever they need to log in. It seem tedious, but I like thr idea!
I've been doing that for some websites but not by choice.
I keep forgetting my credentials on those websites.

On another note, I've started putting my passwords in a hnb notebook and gpg this notebook.
With a helper alias it's nifty.
z3bra
Grey Hair Nixers
(31-08-2016, 07:35 PM)jkl Wrote: If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.

Has I see it, relying on other people to secure you online is flawed by design. Of course you need to trust people at some point, but if you can take steps by yourself to be more secure, it's a good habit.
If after that, the website stores the password in a plain text file, you're screwed.
aah
Members
I am just experimenting with a different way, I know it's not very secure!
I have my own start page that is located on my hard drive, from that home page it links to 3 other pages, one of them is encrypted with ccrypt. So if someone was to somehow manage to log into my computer(need a password) and open a browser the page does not load. If I open the browser via a script, the page gets unencrypted first and the browser started.
On the page is just a series of usernames next to passwords that I can copy and paste when needed.
I can post my pathetic little script if anyone wants that, I am not a scripter!
Of course if anyone was to search my computer and open the script they see the password in there, big weakness! lol
although it would probably take a scripter to spot it.
Dworin
Members
aah, if you password-protect your script, you basically have a password manager. Why not just one of the many available?

I've started using keepassc. I like that it also generates passwords and since it's without GUI, I could access it by logging in over ssh from my phone (passwordless login, to be sure). Never needed that yet though.
kerunaru
Members
mpcsh Wrote:I moved to it from `mpw(1)` (http://masterpasswordapp.com), which I quite liked, but became unwieldy when passwords needed to be changed.

Uhm... I use mpw too and, now that you mention it, I would try pass because of this. I didn't find myself in the situation to change those strong password yet but what actually happened to me is that there are some sites which doesn't allow some characters from passwords generated by mpw.
yossarian
Members
I use kbsecret [1], which I started developing a few months ago. It's written in Ruby and runs on top of KBFS and Keybase, which has a few advantages:
  • Encryption is transparent via KBFS - I don't have to worry about managing my PGP keys, my keychain, etc.
  • At its core, it's just JSON files and a directory structure on a FUSE mount.
  • I can create "sessions" between as many Keybase users as I want, meaning that I can share API keys and secrets across teams.

Using JSON for secrets has a few other advantages, like being able to create custom record types for logins, code snippets, environment variables, To Do notes, and so forth.

There are some downsides: you need to have a Keybase account and KBFS installed (it's all open source, but this is still potentially a hassle), and it's mostly command-line for the time being: no mobile app or browser integration.

I don't want to shill for myself too much, but I'd appreciate any thoughts!

[1]: https://github.com/woodruffw/kbsecret
buttcake
Members
Is there something like this https://github.com/w8rbt/dpg but for cli ?
venam
Administrators
There's quite a lot of places that store keys on Unix these days. Do you use a password/key manager software? What's your current solution to this?

Do you have novel ideas that aren't implemented yet?

As usual in security, you need at least 2 or more of a combination of the following: something you know, something you have, something you are.
jolia
Long time nixers
i started using safe(1) from z3bra few months ago, and i really like it!

you guys should give it a try.
z3bra
Grey Hair Nixers
I too have been using safe(1) for the last year, and I love it. Because it feels good to use something you made, but also because I took the time to correctly setup a password management process with it.

(08-12-2020, 04:30 AM)venam Wrote: As usual in security, you need at least 2 or more of a combination of the following: something you know, something you have, something you are.

I don't fully agree with this statement. While this is a good advice, security isn't about seeking top-notch security at all cost. In my case, relying on a GPG key (something you have) was too much involved, and I ended up avoiding my password manager like the plague, because I knew that I would struggle to recover the password for different reasons. GPG require too much involvement to secure a secret store. You gotta rotate your keys, sync them between devices, or setup a complex, multi-key system, make sure you keep the revoke key, and you can't use your secret store for that, …

safe(1) was my solution to that. It is a flat-file encrypted secret store, requiring only a master password to unlock its entries. The master password is saved in the store itself (only to check that you typed your password correctly), so the store is "self-contained", meaning that to retrieve a secret, all you need is the secret entry you need, the master password and the tool to decrypt it.

As I backup the store in "THE CLOUD", I can quickly and easily fetch the store from my phone, and unlock it there (safe compiles just fine on my phone !). The file format is also simple enough that using openssl to decrypt an entry should be possible too (I should try it out someday).

The main issue I had in the past with password based key stores is that you always had to type the password for every single operation (encrypt AND decrypt). So modifying an entry would require to type it twice. Not practical at all !
That's why I also created an agent for sage, conveniently named safe-agent(1). It will accept connections from a socket and either store the key in-memory when someone writes on the socket, or send the in-memory key to a client reading from the socket. The master password is NEVER exchanged between client and agent.

This can, of course, be a security concern, just as with ssh-agent and gpg-agent, so you're not forced into using it. It's just a more convenient way to use the tool.

As for security, it's all about how far you can push the security cursor, without impacting too much the usability.
venam
Administrators
Personally, I find seahorse quite convenient. It has this ease of use and merges all key management in a single place.
As for heavy key management, I like keystore explorer.
Dworin
Members
I simply use a keepass system from cli, called kpcli. I have the file mirrored between two systems, because I may need the passwords there and also in case of disc mishaps.
pfr
Nixers
(31-08-2016, 02:52 PM)neeasade Wrote:
(31-08-2016, 12:36 PM)z3bra Wrote: How do you use the pass(1) database from you phone?

Not mpcsh, but I use this app: https://github.com/zeapo/Android-Password-Store

I'm looking at setting up something like this. Is it considered safe to push an encrypted password-store db to a git repository though? I have been using GNU's pass for a long time but still also use LastPass as the firefox extension is just so convenient (when using work laptops running windowz). Now that LastPass free accounts are changing to single platform only I'm looking for an alternative FAST!

(08-12-2020, 06:31 AM)z3bra Wrote: As I backup the store in "THE CLOUD", I can quickly and easily fetch the store from my phone, and unlock it there (safe compiles just fine on my phone !). The file format is also simple enough that using openssl to decrypt an entry should be possible too (I should try it out someday).

I've been playing around with safe a bit lately, but can you explain a little more how this can be integrated on mobiles? What do you use to push/pull and unlock your password database from your phone?

Secondly, the one thing I love about pass is it's integration with dmenu (passmenu + pinentry-dmenu). Can this kind of thing be integrated with safe? I see you've mentioned that it does "Support external askpass programs". I'm guessing this means pinentry programs.
_____________________________________________________________________________________________
“Maybe you have some bird ideas... Maybe that's the best you can do.” - Terry A. Davis (R.I.P Terry & Percival)
freem
Nixers
I am getting my feet wet with keypassxc. I must admit it seems to fit the bill for now, even if I think the "simulate keyboard" feature could be improved.
I see no point in a tool that uses clipboard or would require a human to retype decyphered password, since that means it's vulnerable to shoulder-spoofing and other attacks. If the goal is to go secure, at least do it correctly. I admit I'd like something which could be more like a daemon that I drive by cli, though.
I never tried any of those tools before, but I've also found `pass`, and it's on my todo-list now. As is, (re)reading more this thread :)
z3bra
Grey Hair Nixers
(10-03-2021, 09:04 PM)Ramiferous Wrote: I'm looking at setting up something like this. Is it considered safe to push an encrypted password-store db to a git repository though? I have been using GNU's pass for a long time but still also use LastPass as the firefox extension is just so convenient (when using work laptops running windowz). Now that LastPass free accounts are changing to single platform only I'm looking for an alternative FAST!

I've been playing around with safe a bit lately, but can you explain a little more how this can be integrated on mobiles? What do you use to push/pull and unlock your password database from your phone?

It needs someone with decent programming skills to write a frontend to it. As of today, it reads passwords from the TTY device, and writes to stdout. On my phone (Running Sailfish OS) I use it from the terminal, and copy/paste manually. Not ideal, but I can't make an frontend fot it myself.

(10-03-2021, 09:04 PM)Ramiferous Wrote: Secondly, the one thing I love about pass is it's integration with dmenu (passmenu + pinentry-dmenu). Can this kind of thing be integrated with safe? I see you've mentioned that it does "Support external askpass programs". I'm guessing this means pinentry programs.

This works perfectly with safe ! For dmenu, it's straightforward as the store works the same as with pass, so list the content of the directory and pipe it to dmenu.
To prompt for the password, you gotta use am askpass program indeed. ssh does it when you need to unlock a key, and it works the same. The called program needs the ability to read input from user, and output text to stdout. You can use dmenu, gtk-askpass, rofi, thinglaunch, or even "st -e vi -" if you want. And whenever you are prompted for the master pass, the program specified will be spawned instead of prompting from the TTY.
pfr
Nixers
(16-03-2021, 07:37 PM)z3bra Wrote: This works perfectly with safe ! For dmenu, it's straightforward as the store works the same as with pass, so list the content of the directory and pipe it to dmenu.
To prompt for the password, you gotta use am askpass program indeed. ssh does it when you need to unlock a key, and it works the same.

Is askpass the same thing as a pinentry-program (set inside ~/.gnupg/gpg-agent.conf ?).

(16-03-2021, 07:37 PM)z3bra Wrote: It needs someone with decent programming skills to write a frontend to it. As of today, it reads passwords from the TTY device, and writes to stdout. On my phone (Running Sailfish OS) I use it from the terminal, and copy/paste manually. Not ideal, but I can't make an frontend fot it myself.

Fair enough. I will probably continue to use password-store on my phone then, but it should be possibly to use the same git repo with safe and password-store correct? therefore keeping them both in sync?

Considering I've only just managed to set up pass across all 3 of my devices, I might just sit with it for a while to see how well I go integrating it into my life. But safe certainly looks promising.

Can safe use a password data base stored in something like DropBox?
_____________________________________________________________________________________________
“Maybe you have some bird ideas... Maybe that's the best you can do.” - Terry A. Davis (R.I.P Terry & Percival)
z3bra
Grey Hair Nixers
(17-03-2021, 12:35 AM)Ramiferous Wrote: Is askpass the same thing as a pinentry-program (set inside ~/.gnupg/gpg-agent.conf ?).

From the end-user perspective, yes. When I say "askpass", I don't mean a program named "askpass" though, I'm talking about a category of programs whose purpose is to prompt user to type some text, like ssh-askpass. Pinentry is more complex I think, as it's only supposed to be called from withing gpg, and uses a complex IPC mechanism… For the end user however, it works the same. When prompted for a password, the chosen program is spawned and you can input text within it to pass your password to safe(1).

Here is a quick showcase, using the package "ssh-askpass-gnome" on Debian 10 : safe-askpass.webm.

Note that when a TTY is available, safe will prompt the user on the TTY, unless the "-k" flag is specified (to force using the ASKPASS program set in the environment).
Guest0x0
Members
While most of the discussion and existing password management tools are mainly around how to fetch some random hashed password, I wonder (just wondering, without much ideas or any evidence yet) if meaningful, plain-text password can be another option. For brute-force approaches I guess only the length of the password matters. For other people trying to guess your password, it would be very difficult if your password depends upon some random knowledge or fact that only you knows. For example, if I set my nixers.net password to be the title of my first post here, this would be considered extremely unsafe from a typical point of view, as the password is directly public available on the net. However, if I never ever tell anyone about this fact, it would be hard to guess the password, as the source of the password is somewhat chosen randomly, and only me knows about it. The best part about this approach is that you can easily remember all your passwords in mind, which is handy if you have to login to many different places every day.
z3bra
Grey Hair Nixers
The only argument I have against this technique is password reuse.

I do agree that having a long plaintext password is secure enough (eg, a quote from a movie, book extract, …). For it to remain secure, you should not use the same password twice, which means remember the "trick" associated with each password, and being able the recall it.

This is tedious, and I ended reusing passwords a lot.

For this reason, I decided to use a password manager. I helps me remember the password I use for each service. At first, I dumped my own memory into the password manager. After I integrated it to my workflow, I didn't feel the need to have "understandable" passwords anymore, and just switched to randomly generated ones, because I didn't have to open a random book anymore 😉
Seirdy
Members
I use passage, a fork of password-store that uses Age instead of GPG. I patched it to use my own password generator.

But honestly, the best simple password manager out there is probably kure. It uses a secure memory enclave to handle the master password. I think KeePassXC does the same; I haven't checked.

If Kure worked with the Freedesktop Secret Storage Service specification it'd be the holy grail.
maksim
Members
(31-08-2016, 01:01 PM)tigoesnumb3rs Wrote: I'm currently using pass as well. Since I set it up I started just dumping randomly generated passwords into it. I just start up 'pwgen -A 20' and pick a new one whenever I need to set up something.

Fyi, you can also do something like
Code:
pass generate <name> <length>

I also use pass, it's simply the password manager you can ever imagine, add passmenu to it and then it becomes the best.
jkl
Long time nixers
I gave gopass a(nother) serious try this week, but the fact that its files are (necessarily?) named like the passwords (often = like the websites) is a red flag for me. If anyone gains access to my hard drive, it is immediately obvious where I’m registered, which services I use - potentially even which account I use there. Too insecure for my needs.
venam
Administrators
(06-10-2022, 12:55 PM)jkl Wrote: gopass
This one: https://www.gopass.pw/ ?

(06-10-2022, 12:55 PM)jkl Wrote: files are (necessarily?) named like the passwords (often = like the websites) is a red flag for me
I agree, using this type of pattern to store credentials can lead to big info disclosure, at least it could've at least been obfuscated in a simple manner.
jkl
Long time nixers
(07-10-2022, 10:52 AM)venam Wrote: This one: https://www.gopass.pw/ ?

That one. :)
z3bra
Grey Hair Nixers
I did an experiment with a pass-like password manager, to get around the filenames issues :

Basically add an entry named "index", containing all your entries names. Then, using a wrapper, hash the password filename with sha256, and store it under the hash, not its own name. When you need to query a password, retrieve the "index" entry which lists the actual names, select one, hash it and query the hash.

Using this technique, your password list is encrypted too, and you need access to the store itself to know it's content. Also, you might want to salt your entries names (you can use your gpg key for that for example when using pass(1))
jkl
Long time nixers
According to a number of GitHub tickets, the gopass developers plan to have full repository encryption with the “age” backend that might eventually replace GPG. Once implemented, I may switch over.