top | item 17592788


DanBlake | 7 years ago

Does a password management / U2F solution exist that would let you view all password titles with a master password but only dispense the actual passwords, one at a time, via a button press? Would prevent having your entire password DB stolen if you were keylogged/MITM'd/whatever.

Picture of what I kind of mean here: https://pbs.twimg.com/media/Diylx-0X4AIjrqO.jpg

*edit- slide #2 and #3 are backwards. The passwords are stored on the USB device, if that wasn't clear. Master password allows you to view password titles and essentially 'unlock' the USB device. However, every action needs to be confirmed one by one. So for instance, you could in theory export 'all' passwords in one shot, but it would present you with that prompt on the device itself.


ylk | 7 years ago

I'm storing a GPG key on a yubikey (set to always require a touch to decrypt [1]) and use that with pass [2].

pass stores the password, username (and whatever else you want) in a simple textfile, which is gpg encrypted. There's a browser extension for it, a GUI implementation and lots more (all on the website at link [2]).

[1]: https://developers.yubico.com/PGP/Card_edit.html
[2]: https://www.passwordstore.org/

Edit: Addressing your edit: you could use pass with pass-tomb (puts all the separate password files in a folder and encrypts that, see website) and use a GPG key with password to encrypt all that (and re-enter that on every separate password decryption attempt). Don't know any other password manager that would allow you to do exactly that.
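As an added illustration of the pass layout ylk describes (this is example code, not from the thread or the pass project): entry titles are plain file names under the store, so listing them needs no key at all, while each reveal is one gpg decryption and therefore one touch when the YubiKey's decryption touch policy is set. It assumes gpg is installed and uses pass's own conventions (PASSWORD_STORE_DIR, the .gpg-id file, <title>.gpg entries); the store contents in any test are constructed.

```shell
#!/bin/sh
# Added example: the "titles visible, secrets one at a time" property
# of a pass store backed by a touch-required GPG key on a YubiKey.
set -e

# pass's real location convention; PASSWORD_STORE_DIR overrides it.
STORE="${PASSWORD_STORE_DIR:-${HOME:-/root}/.password-store}"

# Which key every entry is encrypted to (pass writes this at 'pass init').
store_key_id() {
    cat "$1/.gpg-id"
}

# List entry titles without touching the key: titles are just the
# file names under the store; only the contents (*.gpg) are encrypted.
# This is what 'pass ls' shows, minus the tree drawing.
list_titles() {
    store="$1"
    ( cd "$store" && find . -type f -name '*.gpg' ) \
        | sed -e 's|^\./||' -e 's|\.gpg$||' \
        | sort
}

# Reveal exactly one entry: a single 'gpg -d', hence a single touch on
# the key. The first line of a pass entry is the password itself.
reveal_one() {
    title="$1"
    gpg --quiet --decrypt "$STORE/$title.gpg" | head -n 1
}

# How many touches an "export everything" would cost with this setup:
# one per entry, which is the per-action confirmation the question
# asks for, enforced by the device rather than by the software.
touches_for_export() {
    list_titles "$1" | wc -l | tr -d ' '
}
```

A keylogged master passphrase alone therefore yields the list of titles but not the contents; each entry still has to be decrypted, and with the touch policy enabled each decryption stalls until someone touches the key.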

DanBlake | 7 years ago

Looks like the Trezor has native support for ALMOST this exact functionality: https://www.youtube.com/watch?v=5Jva-vcFQjE (it, for whatever reason, stores the passwords on Dropbox instead of in the device...)

palisade | 7 years ago

Dropbox isn't secure. They have a master key override and have many times already unlocked boxes without the user's permission. Also, they cache your credentials; anyone who gets hold of the cache file can put it on another machine and get into the box without authenticating.