Password management - Security & Cryptography

z3bra
Grey Hair Nixers
I too have been using safe(1) for the last year, and I love it. Because it feels good to use something you made, but also because I took the time to correctly set up a password management process with it.

(08-12-2020, 04:30 AM)venam Wrote: As usual in security, you need at least 2 or more of a combination of the following: something you know, something you have, something you are.

I don't fully agree with this statement. While this is good advice, security isn't about seeking top-notch security at all cost. In my case, relying on a GPG key (something you have) was too involved, and I ended up avoiding my password manager like the plague, because I knew that I would struggle to recover the password for different reasons. GPG requires too much involvement to secure a secret store. You gotta rotate your keys, sync them between devices, or set up a complex, multi-key system, make sure you keep the revoke key, and you can't use your secret store for that, …

safe(1) was my solution to that. It is a flat-file encrypted secret store, requiring only a master password to unlock its entries. The master password is saved in the store itself (only to check that you typed your password correctly), so the store is "self-contained", meaning that to retrieve a secret, all you need is the secret entry you need, the master password and the tool to decrypt it.

As I back up the store in "THE CLOUD", I can quickly and easily fetch the store from my phone, and unlock it there (safe compiles just fine on my phone!). The file format is also simple enough that using openssl to decrypt an entry should be possible too (I should try it out someday).

The main issue I had in the past with password-based key stores is that you always had to type the password for every single operation (encrypt AND decrypt). So modifying an entry would require typing it twice. Not practical at all!
That's why I also created an agent for safe, conveniently named safe-agent(1). It will accept connections from a socket and either store the key in-memory when someone writes on the socket, or send the in-memory key to a client reading from the socket. The master password is NEVER exchanged between client and agent.

This can, of course, be a security concern, just as with ssh-agent and gpg-agent, so you're not forced into using it. It's just a more convenient way to use the tool.

As for security, it's all about how far you can push the security cursor without impacting usability too much.
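
The agent pattern described in the post above, as an added example that is not part of the original post and is not safe-agent's own code: a client writes a derived key to a Unix socket, a later client that writes nothing gets the key back, and the master password never crosses the socket. The `Agent` class, the "empty write means read" convention, the scrypt KDF, the socket path and the sample password are all assumptions made for illustration.

```python
import hashlib, os, socket, stat, tempfile, threading

def derive_key(master_password: bytes, salt: bytes) -> bytes:
    # scrypt is an assumption: the post does not say which KDF safe(1) uses.
    return hashlib.scrypt(master_password, salt=salt, n=2**14, r=8, p=1, dklen=32)

class Agent:  # hypothetical agent: one derived key in memory, one Unix socket
    def __init__(self, path: str):
        self.path, self.key = path, None
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old = os.umask(0o177)  # create the socket 0600 so only the owner connects
        try:
            self.srv.bind(path)
        finally:
            os.umask(old)
        self.srv.listen(4)

    def serve(self, requests: int) -> None:
        for _ in range(requests):
            conn, _addr = self.srv.accept()
            with conn:
                data = conn.recv(64)
                if data:                    # client wrote: keep the key in memory
                    self.key = data
                elif self.key is not None:  # client only reads: hand the key over
                    conn.sendall(self.key)
        self.srv.close()
        os.unlink(self.path)

def push_key(path: str, key: bytes) -> None:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(key)

def fetch_key(path: str) -> bytes:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.shutdown(socket.SHUT_WR)  # write nothing, so the agent replies
        return c.recv(64)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "agent.sock")  # mkdtemp dir is 0700
    worker = threading.Thread(target=Agent(path).serve, args=(2,))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    worker.start()
    key = derive_key(b"constructed master password", b"constructed-salt-16b")
    push_key(path, key)  # only the derived key crosses the socket
    got = fetch_key(path)
    worker.join()
    return key, got, mode
```

Any process running as the same user can read the key from such a socket, which is the trade-off the post compares to ssh-agent and gpg-agent.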

