Password management - Security & Cryptography
z3bra
It's been more than a year since I started this thread, and I must say I've only made poor improvements on this topic...
I'm now using a "pass(1)"-like application (PGP-encrypted file tree) more and more, which I back up online. I generate random passwords that I know I can't remember anymore.

I'm not yet satisfied with it, as I can't use it on different hosts without moving my GPG private key along, which makes it totally pointless. For now, when I need a password, I ssh into my main computer, print a password to stdout, and copy it by hand when I use it on another terminal.
If you've ever typed a sha256 hash by hand, you probably know that feel...

Any idea on how I can improve it?
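Since the post above mentions generating random passwords and then copying them by hand between terminals, here is an added example (not code from the thread, from pass(1), or from any project named here) of generating passwords with Python's `secrets` module from an alphabet that leaves out look-alike characters, plus a word-based passphrase variant that is easier to read off a screen and type on another host, with an entropy estimate for both. The excluded characters and the word list are assumptions made for the example.

```python
import math
import secrets

# Added example, not code from the thread. Characters that are easy to misread
# when copying a password by hand (0/O, 1/l/I, 5/S, 8/B) are left out; which
# ones to drop is an assumption, adjust to taste.
DIGITS = "234679"
LOWER = "abcdefghijkmnpqrtuvwxyz"
UPPER = "ACDEFGHJKLMNPQRTUVWXYZ"
SYMBOLS = "-_.:+=@#%"
TYPEABLE_ALPHABET = DIGITS + LOWER + UPPER + SYMBOLS

# Placeholder word list, constructed for this example. A real list such as the
# EFF long list (7776 words) gives about 12.9 bits per word; 16 words give 4.
SAMPLE_WORDS = ["anchor", "basket", "cobalt", "dragon", "ember", "falcon",
                "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
                "meadow", "nickel", "oyster", "pepper"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = TYPEABLE_ALPHABET) -> str:
    """Uniform random password drawn with the OS CSPRNG (secrets), never with
    random.choice, whose Mersenne Twister state is predictable."""
    if len(set(alphabet)) != len(alphabet):
        # a repeated character would be drawn twice as often, biasing the result
        raise ValueError("alphabet has duplicate characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Word-based passphrase: each word contributes log2(len(wordlist)) bits,
    and the result is far easier to transcribe by hand than a hash-like string."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(TYPEABLE_ALPHABET)):.1f} bits")
    print("need", length_for_entropy(128, len(TYPEABLE_ALPHABET)),
          "chars from this alphabet for 128 bits")
    print(generate_passphrase(),
          f"{entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits with the toy list")
```

The entropy figures are the point: a 20-character password from a 60-symbol alphabet carries about 118 bits whether or not it "looks" random, and a passphrase only reaches comparable strength with a large word list, so the toy list above is for demonstrating the mechanism, not for real use.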
vain
(27-05-2016, 11:57 AM)z3bra Wrote: Any idea on how I can improve it?

I'm curious to hear what others suggest.

I'd simply ditch the online backup to reduce the attack surface. Maybe you then feel comfortable enough to use a simple password-based encryption, so you don't need to keep the private key around. Finally, use peer-to-peer rsync or git or whatever to sync the files among your machines.

---

What I don't like about the whole situation is that I have to enter passwords all day long. Essentially, my password database is always unlocked. This pretty much sucks.
sagittarius
(24-08-2015, 07:15 PM)October Wrote: I've heard about yubikeys, they've interested me. Will probably get one later on and mess with it.

I was interested in a yubikey as well. I won one a few weeks ago during a CTF, and it has been in my laptop case since then... I have been using keepass for years and I don't really have the motivation to change. It fits my needs so far.

Two-factor authentication is a plus, but only big services support it, and except for Github, I don't like them. I want to be able to connect to my Github account on my (not so smart)phone, therefore I don't use two-factor auth there.

I don't want to use it for ssh auth on servers I can't physically access (basically my main server hosted on OVH, where the highest level of security is applied), because it is too easy to screw up and lock yourself out of the server forever. I experienced it on my laptop and fixing it was a pita.

Don't know if you guys are using a yubikey on a daily basis, but I would be interested to know some useful application for this device. Should take some time to investigate. I like this little thing and it is a good enhancement in security, just needs a bit of configuration (lazy guy here). I use the same thing at work and it is very useful, to unlock keepass database or decrypt computer for instance. It also contains a certificate to encrypt mails. However, if you forget it, you're screwed.
venam
(15-06-2016, 02:05 PM)sagittarius Wrote: Don't know if you guys are using a yubikey on a daily basis, but I would be interested to know some useful application for this device. Should take some time to investigate. I like this little thing and it is a good enhancement in security, just needs a bit of configuration (lazy guy here). I use the same thing at work and it is very useful, to unlock keepass database or decrypt computer for instance. It also contains a certificate to encrypt mails. However, if you forget it, you're screwed.

Here's an article by someone who used to frequent nixers.net: http://cmacr.ae/blog/2013/12/25/yubikey-openssh/

I have also been wondering about yubikey, but as you've mentioned, 2FA is a pain. I'd rather use either the yubikey or a password, not both at the same time.
pranomostro
I just use spm and keep them locally, but this isn't really a problem because I actually remember my passwords.
The password manager is just for being sure I don't forget them :D
z3bra
@pranomostro, what spm?
pranomostro
https://notabug.org/kl3/spm.git

Really simple script, uses gpg2 for encrypting/decrypting.

The only thing that bothers me is that updates sometimes break the configuration.

But otherwise, it's good. It fits my need.
josuah
I like the idea of a physical key attached among my other keys for my passwords. So I bought one of these pill boxes (or even a bigger one) to attach to my keys. I can write down the passwords on a piece of paper (no, wait, that may be a bad idea), or have them on a USB key in it.

But for now I remember them. With one for all the worthless websites that want you to have an account.
mpcsh
I use `pass(1)` to manage everything. I moved to it from `mpw(1)` (http://masterpasswordapp.com), which I quite liked, but became unwieldy when passwords needed to be changed. I host my pass repo on my own server, accessible only with my SSH keys, and it's available on my phone. I also like https://oneshallpass.com as the more portable but slightly less desktop-friendly solution.
z3bra
How do you use the pass(1) database from your phone?