Password management - Security & Cryptography
z3bra
It's been more than a year since I started this thread, and I must say I only made poor improvements on this topic...
I'm now using a "pass(1)" like application (pgp encrypted file tree) more and more, that I back up online. I generate random passwords that I know I can't remember anymore.

I'm still not satisfied with it, as I can't use it on different hosts without moving my GPG private key along, which makes it totally pointless. For now, when I need a password, I ssh into my main computer, print a password to stdout, and copy it by hand when I use it on another terminal.
If you've ever typed a sha256 hash by hand, you probably know that feel...

Any idea on how I can improve it?
vain
(27-05-2016, 11:57 AM)z3bra Wrote: Any idea on how I can improve it?

I'm curious to hear what others suggest.

I'd simply ditch the online backup to reduce the attack surface. Maybe you then feel comfortable enough to use a simple password-based encryption, so you don't need to keep the private key around. Finally, use peer-to-peer rsync or git or whatever to sync the files among your machines.

---

What I don't like about the whole situation is that I have to enter passwords all day long. Essentially, my password database is always unlocked. This pretty much sucks.
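An added example, not code from this thread or from pass(1), for the peer-to-peer rsync/git sync suggested above: a pre-sync check for a pass-style store where every secret is one GPG-encrypted file named `*.gpg`. It refuses to sync when something that is not GPG-encrypted is sitting in the tree (an editor backup `secret.gpg~`, a `.swp` file, a plaintext note), which is exactly what quietly ends up copied to the other host. The function names and the constructed sample store are assumptions of this example; the OpenPGP packet-tag bytes it looks for come from the OpenPGP packet format.

```shell
# Added example, not code from the thread or from pass(1): a pre-sync check
# for a pass-style store (one GPG-encrypted file per secret, all named *.gpg).
# Run it before rsync / git push so an editor backup (secret.gpg~), a .swp
# file or a plaintext note never leaves the machine in the clear.

# looks_encrypted FILE: succeed when FILE is named *.gpg AND starts like an
# OpenPGP message: either the ASCII-armor header, or the first packet byte of
# a public-key (tag 1: 0x84-0x87 old, 0xc1 new format) or symmetric-key
# (tag 3: 0x8c-0x8f old, 0xc3 new format) encrypted session key packet.
looks_encrypted() {
    case $1 in *.gpg) ;; *) return 1 ;; esac
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case $first in
        2d) [ "$(head -c 27 "$1")" = "-----BEGIN PGP MESSAGE-----" ] ;;
        8[4-7]|8[c-f]|c1|c3) return 0 ;;
        *) return 1 ;;
    esac
}

# check_store DIR: return 0 when every regular file under DIR (git metadata
# excluded) passes looks_encrypted; otherwise list the offenders and return 1.
check_store() {
    list=$(mktemp)
    find "$1" -type f ! -path '*/.git/*' > "$list"
    bad=0
    while IFS= read -r f; do
        looks_encrypted "$f" && continue
        printf 'refusing to sync, not GPG-encrypted: %s\n' "$f" >&2
        bad=1
    done < "$list"
    rm -f "$list"
    return $bad
}

# demo: a constructed store with one armored stub and one editor backup file.
demo() {
    store=$(mktemp -d)
    mkdir -p "$store/web"
    printf '%s\n\n%s\n%s\n' '-----BEGIN PGP MESSAGE-----' 'stub' \
        '-----END PGP MESSAGE-----' > "$store/web/example.gpg"
    printf 'hunter2\n' > "$store/web/example.gpg~"    # constructed leftover
    check_store "$store" || echo "sync blocked (exit $?)"
    rm "$store/web/example.gpg~"
    check_store "$store" && echo "store clean, safe to rsync / git push"
    rm -r "$store"
}
demo
```

Wire `check_store ~/.password-store || exit 1` in front of the rsync command or as a git pre-push hook; the header check is deliberately cheap and only answers "does this look like an OpenPGP message", it does not verify which key can decrypt it.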
sagittarius
(24-08-2015, 07:15 PM)October Wrote: I've heard about yubikeys, they've interested me. Will probably get one later on and mess with it.

Was interested by a yubikey as well. I won one a few weeks ago during a CTF, and it has been in my laptop case since then... I have been using keepass for years and I don't really have the motivation to change it. It fits my needs so far.

Two factor authentication is a plus, but only big services support it, and except Github, I don't like them. I want to be able to connect to my Github account on my (not so smart)phone, therefore I don't use two factor auth there.

I don't want to use it for ssh auth for servers I can't physically access (basically my main server hosted on OVH where the highest level of security is applied), because it is too easy to screw up and lock the server forever. Experienced it on my laptop and fixing it was a pita.

Don't know if you guys are using a yubikey on a daily basis, but I would be interested to know some useful applications for this device. Should take some time to investigate. I like this little thing and it is a good enhancement in security, it just needs a bit of configuration (lazy guy here). I use the same thing at work and it is very useful, to unlock the keepass database or decrypt the computer for instance. It also contains a certificate to encrypt mails. However, if you forget it, you're screwed.
venam
(15-06-2016, 02:05 PM)sagittarius Wrote: Don't know if you guys are using a yubikey on a daily basis, but I would be interested to know some useful applications for this device. Should take some time to investigate. I like this little thing and it is a good enhancement in security, it just needs a bit of configuration (lazy guy here). I use the same thing at work and it is very useful, to unlock the keepass database or decrypt the computer for instance. It also contains a certificate to encrypt mails. However, if you forget it, you're screwed.

Here's an article by someone who used to frequent nixers.net: http://cmacr.ae/blog/2013/12/25/yubikey-openssh/

I have also been wondering about yubikey but as you've mentioned, 2FA is a pain. I'd rather use either the yubikey or a password, not both at the same time.
pranomostro
I just use spm and keep them locally, but this isn't really a problem because I actually remember my passwords.
The password manager is just for being sure I don't forget them :D
z3bra
@pranomostro, what spm?
pranomostro
https://notabug.org/kl3/spm.git

Really simple script, uses gpg2 for encrypting/decrypting.

The only thing that bothers me is that updates sometimes break the configuration.

But otherwise, it's good. It fits my need.
josuah
I like the idea of a physical key attached among my other keys for my passwords. So I bought one of these pill boxes (or even a bigger one) to attach to my keys. I can write down the password on a piece of paper (no, wait, may be a bad idea), or have these on a usb key in it.

But for now I remember these. With one for all the worthless websites that want you to have an account.
z3bra
How do you use the pass(1) database from your phone?
tigoesnumb3rs
I'm currently using pass as well. Since I set it up I started just dumping randomly generated passwords into it. I just start up 'pwgen -A 20' and pick a new one whenever I need to set up something. I have no idea which passwords I currently use for most of the newer things I set up, but I guess that's alright: half of the time it is a service where I can use email recovery or sth similar and the other half of the time it is a linux machine/vm/container where I have physical access anyways..

Using pass with dmenu or rofi is kinda neat, however there have been some issues with it: when I'm using dmenu to autotype within i3 for example I end up typing my passwords into the wrong windows sometimes.. guess I have to take a look at my script, when I have time for it. Other than that pass is really nice to use. It also has some git functionality built in so there's your version control..

As an addition to pass you could buy yourself a yubikey [2].. it's basically a small little device where you can dump your gpg keys for example and every time you need to access pass you can unlock the password store by touching the device instead of entering a password. You cannot read from the device, but I believe you can delete its contents. A friend of mine has a yubikey set up with pass. Looks really nice!

I wouldn't use any web based solutions however, since there seem to be security issues with most of them on a fairly regular basis, e.g. [0,1]. Most of them probably work similarly. Software which embeds some JS snippet into random browser windows and then starts serving my credentials.. kinda creeps me out.

[0] : https://bugs.chromium.org/p/project-zero...ail?id=917
[1] : http://thehackernews.com/2016/07/lastpas...nager.html
[2] : https://www.yubico.com/
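An added example, not code from the thread or from pwgen: the 'pwgen -A 20' habit above (no capitals, 20 characters) written as a small shell function that draws its randomness from /dev/urandom, together with a helper that reports how much entropy a password of a given length carries. The function names, the 36-symbol alphabet (a-z plus 0-9) and the sample lengths are assumptions of this example.

```shell
# Added example, not the thread's code: a pwgen -A 20 equivalent that reads
# /dev/urandom (never $RANDOM, which is a small shell PRNG seeded from
# time/pid) and reports the entropy of a password of that length.

CHARSET='a-z0-9'     # pwgen -A: no capitals; lowercase + digits = 36 symbols
CHARSET_SIZE=36

# gen_password LEN: LEN characters drawn uniformly from CHARSET.
# tr -dc keeps only bytes in the set, so every kept byte is one of 36
# equally likely values; head cuts the stream at LEN characters.
gen_password() {
    LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "$1"
    echo
}

# password_bits LEN: entropy in bits, LEN * log2(CHARSET_SIZE), rounded.
# With 36 symbols each character contributes about 5.17 bits.
password_bits() {
    awk -v n="$1" -v k="$CHARSET_SIZE" \
        'BEGIN { printf "%.0f\n", n * log(k) / log(2) }'
}

gen_password 20      # 20 random lowercase/digit characters
password_bits 20     # 103
password_bits 12     # 62
```

Note that the entropy figure only holds for passwords generated this way and stored in the manager as-is; a password you later shorten or "fix" by hand no longer has it.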