lightweight password manager

Hi,

I want to store passwords securely and I want it to be independent from X, Qt and other big libraries.

One method might be an encrypted text-file (one could write shell-scripts that create a memory disk for editing/reading the unencrypted password file, erase the disk securely afterwards, etc.)
But I wonder if there are already any cli-applications that fit my requirements and if there is anyone having experience with such a tool.

There are for example


Can you tell me something about them?
 
Do you think that they are well designed and working well?

As far as I can see pwman3 uses Python and SQL, so it doesn't fit the requirement of being independent from big libraries.
 
security/kpcli
Code:
$ make all-depends-list
/usr/ports/ports-mgmt/pkg
/usr/ports/lang/perl5.16
/usr/ports/security/p5-Crypt-Rijndael
/usr/ports/devel/p5-Term-ReadKey
/usr/ports/textproc/p5-Sort-Naturally
/usr/ports/security/p5-File-KeePass
/usr/ports/shells/p5-Term-ShellUI
/usr/ports/devel/p5-ReadLine-Gnu
/usr/ports/devel/p5-Clone
/usr/ports/devel/p5-Test-Manifest
/usr/ports/converters/p5-MIME-Base64
 
security/kpcli seems to be an advantage if you are using or want to use security/keepassx. It needs lang/perl5.

To me a password manager would be lightweight if it is a Bourne shell script (sh(1)) or written in C and maybe needs security/gnupg to run ...
pass (see above) is going in the right direction, I think. But it seems to be written mainly for Linux (it's a shells/bash script).

I'm curious about additional ideas/thoughts/experiences.
 
sysutils/pwsafe seems to use the base system's OpenSSL libraries, is written in C++ and has very few dependencies. But the files are from late 2005. Why isn't it developed further? Is it already the best implementation possible? Which encryption methods are used (if I remember correctly, some methods have been proved insecure since 2005)?
 
Well, in the meanwhile I gave pwsafe a try and it seems to act just fine. But I'm somewhat uncertain because of not knowing if pwsafe is still state-of-the-art ...
Is there any "security-professional" out there who is reading this and feeling a need to spread his/her wisdom ;)
 
I used pwman & still do. I'm not wild about it because it likes to crash a lot (well, for me anyway), but... the files are stored in pgp encrypted XML, so you can get at them with just plain old gpg if you really need to. Which is what I liked about it.

Just make sure and back up your passwords. I'd probably switch to something else, if I weren't so lazy. :)
 
trutlze said:
security/kpcli seems to be an advantage if you are using or want to use security/keepassx.

IMHO you rejected it wrongly.

The http://keepass.info/ project is a very popular one and has been ported to practically any platform.
It uses a single-file database encrypted with the industry-standard AES algorithm.
DD pointed you to one of the popular console versions, but the same encrypted database file can be used practically everywhere. I remember I used it even on my old Nokia 6260 via a Java applet.
On Windows there exist two versions of KeePass (I personally prefer 1.x since it doesn't use the monstrous .NET).
For a Unix-based desktop you already found one: security/keepassx.
For iPhone users it is "MyKeePass" from the iTunes store.
For Android-based devices it is "KeePassDroid" from Google's Play store.
The KeePass encrypted database is a well-organized tree, may contain attached files, and the GUI interfaces have a lot of useful features besides just keeping passwords.

Back to the console version security/kpcli of KeePass: it's pretty hard to find a Unix machine that doesn't have Perl installed, and it works the same everywhere, on any hosting. So if you want to manage a single encrypted database that is portable across platforms, I think it is the only popular project that is actively supported on all platforms.

But if you still want to keep it as simple as possible and don't care about portability, then simply create a memory file with mdconfig(8), init it as geli(8), format it and use it in the same way as TrueCrypt.

I have scripts to automate it, but they are heavily customized for our workflow, where the idea is

Code:
# Init (sample values; the real script sets these from our workflow)
CryptoFile='/path/to/encrypted/File'
CryptoDiskSizeMB=64
KeyFile='/path/to/keyfile'
keylen=256
dd if=/dev/random of="${CryptoFile}" bs=1M count="${CryptoDiskSizeMB}";
mdDev=$(mdconfig -a -t vnode -f "${CryptoFile}" -s "${CryptoDiskSizeMB}m" -o reserve)
geli init -s 4096 -l "${keylen}" -K "${KeyFile}" "/dev/${mdDev}";
# the .eli device only exists once the provider is attached, so attach before newfs
geli attach -k "${KeyFile}" "/dev/${mdDev}";
newfs -L cryptogeli  -U  -O2  "/dev/${mdDev}.eli";

And using:
Code:
# open encrypted disk (capture the md unit name, e.g. md0, for the later steps)
mdDev=$(mdconfig -a -t vnode -f "${DiskFile}");
geli attach -k "${KeyFile}" "/dev/${mdDev}";
mkdir -p "/mnt/crypto/${mdDev}/secret";
mount "/dev/${mdDev}.eli" "/mnt/crypto/${mdDev}/secret";
...
# working on an encrypted disk
...
# close encrypted disk (reverse order: unmount, detach geli, destroy the md device)
umount "/mnt/crypto/${mdDev}/secret"
geli detach "/dev/${mdDev}"
mdconfig -d -u "${mdDev}"
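The create/open/close sequence above, put into one POSIX sh script with the housekeeping the fragments leave implicit: geli attach before newfs, geli detach before mdconfig -d, and a trap so the disk is closed again even if the editor dies or you hit Ctrl-C. This is an added example, not AlexJ's script; the function names, the 64-byte random key file, the 256-bit key length, the DRY_RUN switch and the paths used in the usage are my own choices.

```shell
#!/bin/sh
# geli_vault.sh: a geli-encrypted, vnode-backed memory disk on FreeBSD, as one script.
# Added example (not the poster's script). With DRY_RUN=1 set, every privileged command
# is printed instead of executed, so the sequence can be reviewed on any machine.
set -eu

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Attach FILE as a vnode-backed memory disk; the device name (e.g. md0) lands in $MD.
md_attach() {
    if [ -n "${DRY_RUN:-}" ]; then
        run mdconfig -a -t vnode -f "$1"; MD=md0   # placeholder unit in dry-run mode
    else
        MD=$(mdconfig -a -t vnode -f "$1")
    fi
}

# vault_close MD [MOUNTPOINT]: tear down in reverse order; each step tolerates having
# already been done, so the function is safe to call from a trap.
vault_close() {
    trap - EXIT INT TERM
    [ $# -gt 1 ] && { run umount "$2" || true; }
    run geli detach "/dev/$1" || true
    run mdconfig -d -u "$1"
}

# vault_create FILE SIZE_MB KEYFILE: make a container file and a random 64-byte key file,
# then initialise geli on it and put a UFS file system inside. geli init also asks for a
# passphrase (add -P if the key file alone should unlock the disk).
vault_create() {
    file=$1; size_mb=$2; key=$3
    run dd if=/dev/random of="$file" bs=1M count="$size_mb"
    run dd if=/dev/random of="$key" bs=64 count=1
    run chmod 0600 "$key"
    md_attach "$file"
    run geli init -s 4096 -l 256 -K "$key" "/dev/$MD"
    run geli attach -k "$key" "/dev/$MD"     # the .eli node only exists after attach
    run newfs -U "/dev/$MD.eli"
    vault_close "$MD"
}

# vault_session FILE KEYFILE MOUNTPOINT COMMAND...: open the vault, run COMMAND with the
# plaintext mounted, and close it again even if COMMAND crashes or is interrupted.
vault_session() {
    file=$1; key=$2; mnt=$3; shift 3
    md_attach "$file"
    trap 'vault_close "$MD" "$mnt"' EXIT INT TERM
    run geli attach -k "$key" "/dev/$MD"
    run mkdir -p "$mnt"
    run mount "/dev/$MD.eli" "$mnt"
    run "$@"
    vault_close "$MD" "$mnt"
}

# Usage: sh geli_vault.sh create /path/vault.img 64 /path/vault.key
#        sh geli_vault.sh session /path/vault.img /path/vault.key /mnt/secret vi /mnt/secret/pw.txt
case "${1:-}" in
    create)  shift; vault_create "$@" ;;
    session) shift; vault_session "$@" ;;
esac
```

Running `DRY_RUN=1 sh geli_vault.sh session ...` prints the eight commands in order without touching the system; the same trap-based close is what protects you on the real run when the editor is killed while the plaintext is mounted. The key file should live somewhere other than the container itself, and as the poster's own notes imply, losing it (or the passphrase) makes the vault unrecoverable.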
 
In the KISS category, you can also encrypt files with Vim. Excerpt from :help encryption

Vim is able to write files encrypted, and read them back. The encrypted text
cannot be read without the right key.

[...]

The text in the swap file and the undo file is also encrypted.

Note: The text in memory is not encrypted. A system administrator may be able
to see your text while you are editing it. When filtering text with
":!filter" or using ":w !command" the text is not encrypted, this may reveal
it to others. The 'viminfo' file is not encrypted.

Note it's important that you set 'cryptmethod' to blowfish; the default, zip, is not secure.
 
I'm also interested in a password manager utility, but a web-based one. Given that I need access to it from places where I just have a browser, this is a must for me. There is Webkeepass but this is Java-based and I would like to avoid pulling this dependency in; something PHP-based would be nice. Does anyone know something?
 
oliver@ said:
Does anyone know something?

In datacenters where carrying a cell phone is a strong "no-no", I connect to my https server, where apache asks for authentication and on success does
# ProxyPass http://localhost:1234
where on http://localhost:1234 is running
www/anyterm
which is basically a kind of SSH over HTTP.
When I am logged in to my server, I use security/kpcli that DD already pointed out.

So, you can have quadruple protection: https, http authorization, PAM and finally KeePass over kpcli, and you can still use the same portable encrypted password database on any platform.

By the way, on the same server I run www/owncloud, which allows automatic synchronization over WebDAV, so it is easy to keep the password database synchronized over different devices and platforms in the same way as over Dropbox, but keeping paranoically sensitive data on your own server instead of relying on a "cloud" that runs somewhere, by nobody.
 
drhowarddrfine said:
As a lone developer, I have a card in my wallet and a piece of paper in my office desk drawer.

Did you check your password against security/cracklib and the rainbow tables that float around in the underground Freenet network?

I bet your passwords don't look like mine: M-Ha9p<S2c)io{V<1JfecDVTa)_+wni7 or A?pebjFCj=5qJhL5di6G}6SGG)%>wi$E

By employing KeePass you need to remember only one single master password to be able to use a unique "crazy" password like the above for each point of entrance.

If you ask anyone who investigates the "breaking news" hackers' successful intrusions, they will tell you that most successful attacks happened not because of software weaknesses, but because of weak passwords.

I know for sure that 10% of "protected" systems will be opened with the password "1234" or, in "hard" cases, "12345678".
More "strong" passwords are usually first/last names combined with some digits at the end, which can usually be recovered in less than 15 seconds.

Check these funny, but sad, statistics:
http://finance.yahoo.com/blogs/the-exchange/cracking-pin-code-easy-1-2-3-4-130143629.html
 
drhowarddrfine said:
As a lone developer, I have a card in my wallet and a piece of paper in my office desk drawer.
Secure. Lightweight. Portable. Easy to use. Works everywhere.

Nice to see I'm not alone in that respect!
 
AlexJ said:
I bet your passwords don't look like mine:

Um. Yes they are. It's interesting that even with that strange combination of chars like yours, the five that I use the most I don't have to refer to my card at all and enter them from memory.
 