There's one problem here: by storing passwords in a series of flat files, you give away that a password to a given site or location exists. That alone can be data that a user doesn't want to share.
I use a similar (and old) solution using GPG for password management, however it differs in one important way: it stores passwords in a database rather than a series of flat files. If I combine it with private browsing, I can simultaneously store passwords for particular websites while not letting a random trespasser know I even visit them.
Funny you should mention this. I have a post-in-progress I'm writing about my experiences moving from KeePassX to Pass. I sync my password information online, so Pass has obvious problems. I ended up mounting the Pass directory as an EncFS volume, which still gives up information about how many entries there are, but not what they are.
http://www.arg0.net/encfs
by storing passwords in a series of flat files, you give away that a password to a given site or location exists
Those file names are arbitrary. While it's certainly easier to just name them after the site or resource you access with the password within, you can give them some cryptic identifiers.
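One way to get the "cryptic identifiers" suggested above without having to invent and remember them by hand is to derive each entry name from a keyed hash of the site. The following is an added example written for this page; it is not part of pass and not any commenter's setup. It assumes pass's real layout (one `<name>.gpg` file per entry under the store directory) but uses a constructed temporary store of empty placeholder files and a constructed salt value, so nothing is decrypted. The salt has to be a secret that itself lives encrypted (for example as one ordinary entry in the store): an unsalted hash of a hostname can be reversed by hashing a list of popular sites and comparing.

```shell
#!/bin/sh
# Added example, not part of pass: opaque entry names for a password store.
# A directory listing then shows hashes, not the sites you have accounts on.

# sha256_hex: hash stdin, portable across GNU coreutils and macOS/BSD.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -c1-64
    else
        shasum -a 256 | cut -c1-64
    fi
}

# entry_name SALT SITE: deterministic 16-hex-character entry name.
# Salt and site are newline-separated so that "ab"+"c" and "a"+"bc" differ.
entry_name() {
    printf '%s\n%s\n' "$1" "$2" | sha256_hex | cut -c1-16
}

# has_entry STORE SALT SITE: the "do I already have an account there?" check
# that `ls`/`grep` over plain file names used to answer, without revealing
# the site name in the file system.
has_entry() {
    [ -e "$1/$(entry_name "$2" "$3").gpg" ]
}

STORE=$(mktemp -d)                 # stand-in for ~/.password-store (constructed)
SALT='constructed-demo-salt'       # in practice: decrypted once per session
: > "$STORE/$(entry_name "$SALT" example.com).gpg"   # placeholder, not a real entry

# Look-up then becomes:  pass -c "$(entry_name "$SALT" example.com)"
```

With this scheme the site-to-entry mapping only exists in your head and in the salt; if you want to be able to list your accounts, keep a small index inside one encrypted entry rather than in the file names.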
I've considered a password management system many times but I can't think of something that's not over-engineered.
So, for the last 20 years or so, I just have a single GPG encrypted file that contains the list of my passwords for various sites and services, ssh keys, and whatnot. I usually read and write that file in Emacs, or gpg -o - out to shell with an alias for quick read-only access.
The file is easy to backup and easy to distribute even carelessly: I even had it on my public www server at some point when I needed access to the passwords over the network.
I can't think of a simpler scheme than that.
Of course, the GPG keys themselves can lock and unlock my life completely. I have them in a separate backup file that is also encrypted using GPG but with a symmetric cipher. Thus, I don't depend on any extra files to decrypt my GPG keys.
As the passphrase for that symmetrically encrypted file is basically the master password to my life and because I've never needed it yet I store the password in a suitable physical location. But I can still distribute the backup file itself: even obtaining the passphrase to the symmetric cipher doesn't really expose my secrets yet. It will only give access to my GPG keys which in turn need my regularly-used private-key-passphrase to be useful at all.
I used to do the exact same thing as you, actually -- all the way down to keeping your keys with a symmetric pass & storing that in a secure physical location (for me, a safe deposit box). I switched to pass about a year ago because:
- it's the same scheme, the only difference is that your passwords are broken into individual encrypted text files instead of just one (potential SPOF advantage).
- it's more secure because you can set it up so your passwords never reach stdout (or any human readable display at all for that matter) with pass -c.
- it's just as easy to backup:
    gpg-zip --symmetric ~/.password-store
- pass itself is extremely portable.
- pass is way more convenient:
    pass -c my/password
  is far quicker and several orders of magnitude less annoying than
My solution is similar--I have a tiny script of bash and gawk called "greppass" that I use to pull passwords from a colon-delimited text file. I don't encrypt mine (ssh, don't tell anybody) because the whole volume is encrypted, which I consider to be good enough.
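The commenter's "greppass" script is not shown, so here is an added example of the same idea written for this page (not the commenter's own code): an exact-match lookup over a colon-delimited credential file in POSIX sh and awk. It assumes a record layout of `site:username:password[:notes]`, which means passwords must not contain a colon; the sample file is constructed in a temp file, whereas a real one would sit on an encrypted volume as described above.

```shell
#!/bin/sh
# Added example, not the commenter's script: "greppass"-style lookup.

PASSFILE=$(mktemp)
cat > "$PASSFILE" <<'EOF'
# site:username:password:notes   (constructed sample data)
example.com:alice:correct horse battery:personal
mail.example.com:alice@example.com:s3cret-mail:
forum.example.org:alice_f:Tr0ub4dor&3:old account, 2FA on
EOF

# greppass SITE [FILE]: print "username<TAB>password" for the record whose
# site field matches exactly. A plain `grep example.com` would also hit
# mail.example.com and any line that merely mentions the site in its notes;
# matching on the field avoids that. Exit status is 1 when nothing matches.
greppass() {
    awk -F: -v site="$1" '
        /^#/ || NF < 3 { next }                     # skip comments, malformed lines
        $1 == site { printf "%s\t%s\n", $2, $3; found = 1 }
        END { exit found ? 0 : 1 }
    ' "${2:-$PASSFILE}"
}

# greppass_sites [FILE]: list site names only, for "do I have an account
# there?" checks that never print a password to the terminal.
greppass_sites() {
    awk -F: '!/^#/ && NF >= 3 { print $1 }' "${1:-$PASSFILE}"
}
```

Because the file is plaintext on disk, the protection is entirely the volume encryption the commenter relies on; anything that reads the file (editor swap files, shell history with the password in an argument, a backup to an unencrypted location) bypasses it.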
I recently switched from 1Password to pass (on a mac). At first I missed how easy it was to hit "cmd+\" to fill in a web login form, but I made a little shortcut that has similar functionality.
First, I created an automator action that grabs the current URL from Chrome and strips out the hostname. This gets passed to a new Terminal window that runs a shell script that calls "pass -c" for the hostname.[0] Then the script calls terminal-notifier [1] and a notification pops up that reminds me of the username and any other info for that site (but not the password). [2]
Then I bind that service to the "cmd+\" keyboard shortcut and I have something that ends up being more reliable than 1password's often flaky form filling functionality. It includes the extra work of entering username manually and pasting in a password, but so far I like this system a lot better. Also, for sites that use the same login from multiple hostnames, I just create symlinks to a "canonical" pass entry.
Hope this is useful to some people on a mac!
[0] I couldn't figure out how to have pass ask for a gpg pinentry window when it was getting run from a non-interactive shell. So I use automator to create a new terminal window, then destroy it at the end.
[1] https://github.com/alloy/terminal-notifier
[2] all of my pass entries are of the form:
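The Automator part of this workflow is macOS-specific, but the "URL to hostname to pass entry" step and the canonical-entry symlink convention can be shown in portable shell. The following is an added example written for this page, not the commenter's workflow. It assumes pass's real layout (`<store>/<name>.gpg`) and pass's real `-c` flag; the store it uses is a constructed temp directory of empty placeholder files, so nothing is decrypted, and `pass_copy_for_url` is the only function that would actually invoke pass.

```shell
#!/bin/sh
# Added example, not k2enemy's Automator workflow.

# url_host URL: drop scheme, userinfo, port, path, query and fragment, and
# lowercase the hostname (entry names are file names, so case matters).
url_host() {
    printf '%s\n' "$1" \
      | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
            -e 's|^[^/@]*@||' \
            -e 's|[/?#].*$||' \
            -e 's|:[0-9]*$||' \
      | tr 'A-Z' 'a-z'
}

# pass_entry STORE HOST: the entry name pass would decrypt for HOST,
# following one level of symlink. Links are created relative to the store,
# e.g. `ln -s example.com.gpg www.example.com.gpg`. Fails if no entry exists.
pass_entry() {
    f="$1/$2.gpg"
    [ -e "$f" ] || return 1
    if [ -L "$f" ]; then
        f="$1/$(readlink "$f")"
    fi
    basename "$f" .gpg
}

# pass_copy_for_url STORE URL: what the cmd+\ shortcut ends up doing.
# pinentry still needs an interactive terminal, which is why the original
# runs this inside a freshly created Terminal window.
pass_copy_for_url() {
    host=$(url_host "$2")
    entry=$(pass_entry "$1" "$host") || { echo "no entry for $host" >&2; return 1; }
    pass -c "$entry"
}

STORE=$(mktemp -d)                            # stand-in for ~/.password-store
: > "$STORE/example.com.gpg"                  # constructed placeholder entry
ln -s example.com.gpg "$STORE/www.example.com.gpg"   # alias host -> canonical
```

Matching on the full hostname (rather than a substring) is what keeps a login page on one site from quietly receiving the password stored for a similarly named one.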
This is useful - thanks for this. I think I'm going to give something like this a try. 1Password has been getting incredibly flaky over the past few years, and I'm just tired of dealing with it (especially in Safari).
The reason I stuck with it so long was so that my passwords would easily sync to my iPad/iPhone, but with iCloud Keychain, I think I'm finally ready to give up on 1Password.
I came across Pass when I was looking for a password manager a while ago. I don't use it, but it is responsible for the idea behind my super simple workflow.
I have a folder, ~/pass. It contains gpg encrypted text files. They are named by category. So, a product key would be keys.ftl.gpg. A website would be sites.hackernews.gpg.
I create and edit files with emacs. It handles gpg files and lets you choose which key to use to encrypt.
For random password generation, I use pwgen.
That's it. Being files, you can ls and grep to see if you already have an account somewhere or find out the file name that belongs to a site. If you are concerned with "giving away" where you have accounts if the system is compromised, you can create larger generic files like "sites" and then use your text editor to search through them.
It's simple, easy to back up via rsync and cross-platform because gpg, emacs and pwgen are available on every platform. When the SSD in my Linux machine failed I was stuck using Windows for a month while the RMA went through. It was trivial to get up and running with cygwin.
Honest question: aside from work-related stuff (like for a sysadmin or whatever), in a personal scenario how many passwords do you guys have to manage that it's worth using an app for that? I only have 5 active (and another 2 old) entirely different passwords for types of usage, and each has between 13 and 18 chars with capitals, numbers and all the shit. I just store them in my mind. What's the real/basic use case for password managers?
It's recommended that you have a different password for every site, not just for every type of site. If, for example, someone discovered your forum password, under your system attackers could take over all of your forum accounts.
Lots of us sign up for lots of sites to try out things, engage in one-off discussions, etc, so it's pretty necessary to have a password manager.
I'll point out that if you create those passwords yourself, rather than using an entirely random generator, they likely have less entropy than you think, and so are more crackable. A password manager helps with that.
I use a different 32 chars alphanumeric password for every site I'm registered at (http://a.pomf.se/zpubyy.png), so it's easy to have 20+ passwords to remember (I have ~35 in my keepass database), which is a bit hard to do without a password manager.
I guess the use case is if you're a bit paranoid and want to use a strong/different password for everything.
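The entropy point made above (self-chosen passwords carry fewer bits than they appear to), the pwgen mention earlier in the thread and the 32-character alphanumeric passwords described just above can all be made concrete with a little shell arithmetic. This is an added example written for this page, not pwgen's or pass's generator. The bit counts assume every character is drawn uniformly and independently from the alphabet, which holds for a generator and not for a password a person made up, so `password_bits` is an upper bound for human-chosen passwords; the sample passwords it is run on are constructed.

```shell
#!/bin/sh
# Added example: random password generation and entropy arithmetic.
export LC_ALL=C   # make tr ranges and case patterns byte-based

# gen_password [LEN] [TR_SET]: LEN characters drawn from the tr(1) set
# (default A-Za-z0-9, the 62-character alphabet used in the comment above).
# A bounded chunk of /dev/urandom is read first so no writer is left
# holding a closed pipe; 4096 bytes yield ~990 alphanumerics, plenty for
# any sane LEN.
gen_password() {
    head -c 4096 < /dev/urandom | tr -dc "${2:-A-Za-z0-9}" | head -c "${1:-32}"
    echo
}

# entropy_bits ALPHABET_SIZE LENGTH: log2(ALPHABET_SIZE ^ LENGTH), 1 decimal.
entropy_bits() {
    awk -v n="$1" -v l="$2" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# password_bits PW: infer the alphabet from the character classes present
# (lower 26, upper 26, digits 10, other printable ASCII 33) and report the
# bits that alphabet would give, i.e. the entropy the password *looks* like
# it has. A person picking "Tr0ub4dor&3" did not choose 11 independent
# characters from 95, so the real figure is lower.
password_bits() {
    n=0
    case "$1" in *[a-z]*) n=$((n + 26)) ;; esac
    case "$1" in *[A-Z]*) n=$((n + 26)) ;; esac
    case "$1" in *[0-9]*) n=$((n + 10)) ;; esac
    case "$1" in *[!A-Za-z0-9]*) n=$((n + 33)) ;; esac
    entropy_bits "$n" "${#1}"
}
```

For comparison, `entropy_bits 62 32` gives the roughly 190 bits of a generated 32-character alphanumeric password, far beyond what any online service's hashing needs, while an 8-character lowercase password tops out under 38 bits even before accounting for human patterns.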
I use different randomly generated passwords and randomly generated answers to those stupid security questions for every identity I have, which is a lot. I was willing to trade money and time to use a third party tool to manage these, because I can't remember an arbitrary number of arbitrarily long strings of nonsense.
Apparently, I have 887 entries in the osx keychain.
Mind you, some sites show up multiple times.
I try to use a different password for each new account. Since the password manager handles the credentials for me it's not much more effort than reusing the same login/password everywhere.
An alternative that doesn't leak information on sites; very barebones, but you can just drop it into your .bash_profile or similar: https://gist.github.com/pyr/9870029
This looks like a very neat tool, but the difficulty with many of these systems is the need to install the password software and have access to a copy of the password data file(s)
If you login to many different systems, possibly on different OS platforms, then they all need to be kept in sync every time you change or add a new password.
Is it really worth it to do this rather than just using the keychain that comes with your OS/DE which fully integrates with your browser's auto fill functionality without extension?
I like this stuff. I'm crazy about terminal utilities and this one is a must, but when it comes to passwords, I have them stored in my head, with a pattern. I can go to a website after 5 years and still remember what I'm supposed to type, so I guess I'll stay with this option.
Known issues:
- If you're drunk, it's a bit difficult to remember anything
- If you're sick, probably won't work properly as well
- If you're dead, won't work, 100% sure
I've been using this for the last couple of months with syncing through Dropbox and it works just fine!
For quicker password access, one should try passmenu[0]. It's a dmenu-based menu with all the entries, and selecting one copies the password to your clipboard.
[0] https://github.com/cdown/passmenu
Create a new document in vim, save with the :X command and enter an encryption key. If you open the file afterwards it will ask for the key.
I've been using this for years, works like a charm.
Beware: the default encryption method is very weak and can be brute-forced by anyone who knows a few characters of the original file. Since v7.3, Vim supports Blowfish, which is much stronger.
http://vim.wikia.com/wiki/Encryption
Great utility, though it is less useful than a browser extension that makes it easier to store/restore credentials. Also, the lack of mobile support would prevent me from switching to it from LastPass.
This looks cool. There's one piece missing that would make it ideal for me: I want to replicate the encrypted files onto my android tablet and access them from an app there.
Yeah, if there were an Android app I'd try this out in a heartbeat. I use Lastpass currently but I haven't been liking the direction it's recently taken. This seems like a much more elegant solution, but it's a no-go if I can't use it on my phone.
I use ccrypt to encrypt a file containing my passwords. To find a password you can do: ccat password-file | grep <some-keyword>. Simple and to the point.
ama729 | 12 years ago
https://en.wikipedia.org/wiki/KeePass
ghoul2 | 12 years ago
https://github.com/abgoyal/password-store2
Take a look. I am using it personally. It's not in a releasable state yet, though. I have had no time to work on it.
richdougherty | 12 years ago
I guess you could do something with pass's multiline option.
What database do you use?
corndoge | 12 years ago
Speaking from experience, I would say you're better off using pass than a single gpg'd text file.
gcb0 | 12 years ago
I just write them down at home with a mental rule for replacing char position.
hengheng | 12 years ago
I know emacs can do things like that, but I never bothered enough to find out if it's as smooth to use as keepass2.
dijit | 12 years ago
Also, if it starts using hashed versions of hostnames to store files, I don't see why a single file is better.
ss64 | 12 years ago
Here I've listed a few other password management options with pros and cons: http://ss64.com/docs/security.html
rongenre | 12 years ago
No mishaps so far. My default behavior with new sites now is to just let pass generate a secure pw and give up any hope of remembering it.
And yeah, I'd definitely use a mobile version.