Password managers

Hello all,

I'm looking for password manager solutions that work with the major browsers (Chromium, Firefox).
I will work with both browsers on several machines on amd64 and aarch64.

Both browsers' internal password managers work great, but I'm looking for a wider solution with better control of the password database.

security/gopass + browser plugin seems to be a good solution.

Any thoughts or better solutions?

Thanks
 
security/keepassxc works fine for me and has the advantage that the password vault is stored on your own device instead of somewhere on the cloud waiting for hackers to break into it.

The KeePassXC-Browser extension for Firefox works fine but I've never managed to get the Chromium extension to work so need to copy and paste info from the keepassxc window on the rare occasions I use Chromium.

I have the Keepass2Android Offline app on my phone and tablet, which works fine with the password database file copied from my PC.
 
so need to copy and paste info from the keepassxc window on the rare occasions I use Chromium.
Use the auto-type functionality of Keepass. CTRL-ALT-A and it'll fill in automagically.

Keepass it is for me. Both on Windows and FreeBSD. Password database can be shared between the two.
 
Autotype is a feature I hadn't previously explored
It's the primary feature that made me use Keepass :)

That said, it heavily relies on window titles. And this can be a bit of a hassle with browsers. Especially if you have multiple tabs open.
 
A little black book and a pen?
I’d only do that for select passwords, such as the master password of a password database (in case of password fatigue). 300+ passwords in a book (cryptographically weak or not even encrypted at all) is a security nightmare. I mean, I hope you do follow the best practice and do not reuse passwords, right?
Any thoughts or better solutions?
Yeah, at the risk of sounding unhelpful, but do not use passwords. There is the GSSAPI. At my alma mater I could obtain a Kerberos ticket (automatically done at login time) and access all access-restricted staff websites without additional authentication (by that I mean additional user interaction).

Now, I know you can’t demand such seamless integration – this very forum only allows password-based authentication, too – but in principle the idea of sending passwords to a remote webserver can be deemed an anachronism.
security/keepassxc works fine for me and has the advantage that the password vault is stored on your own device […]
Does it provide a TUI (text user interface)? Ten+ years ago I chose security/yapet simply because of its intuitive ncurses-based TUI. In my opinion such a crucial tool should not depend on running X11, you know.
 
I've been using sysutils/password-store for over 5 years now - it's basically only shell scripts using standard tools (gpg and git), so no lock-in to a 'custom' binary format or database; it's just a git repo with gpg-encrypted text files. It's also easily understandable and extensible if none of the available plug-ins fits some special use case.
browser-plugins for firefox and chrome are also available.

If you don't like a fast&simple CLI approach, there are also Qt and rofi frontends available: sysutils/qtpass and sysutils/rofi-pass.
 
A little black book and a pen?
Or a script with

openssl aes-256-cbc -e -a -salt -md md5 -in $1

for encrypting a file, and another with

openssl aes-256-cbc -d -a -salt -md md5 -in $1

for decrypting. Would that be an idea?

Perhaps the file could be built so that one gets the required password with grep.

UPDATE: correction in flag for decrypting.
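An added example (not from the thread) of the openssl-script idea above, as a small POSIX sh wrapper: it keeps the thread's AES-256-CBC, random salt and base64 output, but derives the key with `-pbkdf2 -iter` instead of the legacy single-pass `-md md5` derivation, hands the passphrase to openssl through an environment variable rather than the command line (where `ps` could show it), and runs the grep lookup on the decrypted stream instead of a plaintext file. The function names, the iteration count, the tab-separated line layout and the sample entries are all assumptions of this example.

```shell
#!/bin/sh
# Example wrapper around openssl enc for a passwords text file (not the
# thread's own script).  "-md md5" in the thread's command makes openssl build
# the key with one MD5 pass over the passphrase; "-pbkdf2 -iter N" stretches
# the passphrase instead, which is what slows down guessing on a stolen vault.

PW_ITER=200000   # PBKDF2 iteration count (assumption: tune to your machine)

# pw_encrypt <plaintext-file> <vault-file> <passphrase>
pw_encrypt() {
    PW_PASS="$3" openssl enc -aes-256-cbc -e -a -salt -pbkdf2 -iter "$PW_ITER" \
        -pass env:PW_PASS -in "$1" -out "$2"
}

# pw_decrypt <vault-file> <passphrase>   -> plaintext on stdout
pw_decrypt() {
    PW_PASS="$2" openssl enc -aes-256-cbc -d -a -salt -pbkdf2 -iter "$PW_ITER" \
        -pass env:PW_PASS -in "$1"
}

# pw_lookup <vault-file> <passphrase> <site-pattern>
# Decrypts to a pipe only (never to a temp file) and greps the matching
# line(s).  Assumes one "site<TAB>user<TAB>password" entry per line.
pw_lookup() {
    pw_decrypt "$1" "$2" | grep -i -- "$3"
}

# Demo: build a constructed two-entry vault in a temporary directory,
# delete the plaintext, and look one entry up from the ciphertext.
pw_demo() {
    dir=$(mktemp -d) || return 1
    printf 'example.org\talice\tcorrect-horse\nforum.example\tbob\tbattery-staple\n' \
        > "$dir/plain.txt"
    pw_encrypt "$dir/plain.txt" "$dir/vault.asc" 'demo-passphrase' || return 1
    rm -f "$dir/plain.txt"                      # only the ciphertext stays on disk
    pw_lookup "$dir/vault.asc" 'demo-passphrase' 'forum.example'
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

For interactive use, drop `-pass` entirely and let openssl prompt, so the passphrase never sits in the shell history or a script argument.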
 
As recent happenings with Bitcoin wallets have shown, good crypto is hard to do. You have to trust the implementation that the keyspace is not limited to a brute-forceable range. With a little black book, you need to obtain physical possession of the thing and be undetected. This is much harder these days than lifting your passwords using a bad browser plugin.
 
With a little black book, you need to obtain physical possession of the thing and be undetected.
Yes, but you cannot do copy and paste, and it is hence impractical for long passwords that you need to defend from brute-force attacks.

Keeping the password list on your computer is only a problem when someone gets access to your computer.
A little encryption is in any case not bad.
 
Or a script with

openssl aes-256-cbc -d -a -salt -md md5 -in $1

for encrypting a file, and another with

openssl aes-256-cbc -d -a -salt -md md5 -in $1

for decrypting.
The two openssl commands posted are exactly the same. Copy-and-paste error? I'm guessing that one or the other must be different?
 
The two openssl commands posted are exactly the same. Copy-and-paste error? I'm guessing that one or the other must be different?
Yes, a lapsus. For encoding:

openssl aes-256-cbc -e -a -salt -md md5 -in $1

for decoding:

openssl aes-256-cbc -d -a -salt -md md5 -in $1

Do

man openssl-enc
 
Yes, a lapsus. For encoding:

openssl aes-256-cbc -e -a -salt -md md5 -in $1

for decoding:

openssl aes-256-cbc -d -a -salt -md md5 -in $1

Do

man openssl-enc
If you're going to go CLI for it, you could check out password-store. It's a script wrapping PGP and git. If you wanna drop the app, all your passwords are stored in plaintext files that are encrypted with your PGP key. I know there is an Android app for it too, and since you're pulling from your personally defined git repo you can keep it as close to the vest as you like while being able to sync your passwords between boxes and mobile.

It's in the ports tree too.
 
Or a script with

openssl aes-256-cbc -e -a -salt -md md5 -in $1

for encrypting a file, and another with

openssl aes-256-cbc -d -a -salt -md md5 -in $1

for decrypting. Would that be an idea?

Perhaps the file could be built so that one gets the required password with grep.

UPDATE: correction in flag for decrypting.
Just use vim -x .
 
What would I need that for?

I was just suggesting that if one is going the CLI route there are simple, sane tools for doing this type of solution. I went the openssl CLI route for a few years, but now I have my passwords synced between two desktops and my phone using a self-hosted git server and a PGP key that is in no way public.
 
I was just suggesting that if one is going the CLI route there are simple, sane tools for doing this type of solution. I went the openssl CLI route for a few years, but now I have my passwords synced between two desktops and my phone using a self-hosted git server and a PGP key that is in no way public.
Same here - I used the switch to a YubiKey (used as a smartcard for GPG keys) as an excuse to also switch to password-store (I tried e.g. keepass before, but they are all a bit restrictive and clunky and in no way accessible if there's e.g. a bug). SSH logins, email signing/encrypting and password (and other) encryption have since been done with the keys on the YubiKey, which needs its own password for unlocking (the only one I can and have to remember by now...). The git repository for pass is synced to several servers and my desktops and laptops and backed up to tarsnap.
Thanks to password-store being only encrypted text files, you can store absolutely anything in it - from addresses or SSH/GPG keys to tax data or even base64-encoded images/scans, anything that can be presented as text. Other solutions often restrict you to a few pre-defined fields, but this is a true Unix solution using basic tools, hence it can be used very universally.
 
Summing up, we have:

security/keepassxc + KeePassXC-Browser add-on
security/gopass + Gopass Bridge add-on

Anyone using gopass?
 