Password managers

Hi sko,
SSH logins, email signing/encrypting and passwords (and other) encryption are since done with the keys on the yubikey, which needs its own password for unlocking (the only one I can and have to remember by now...).

As there is unreliable cell signal at my location, I had been doing some research for alternatives to 2FA via SMS and found a recommendation for Yubikey. But from your quote, it seems that Yubikey can be used for other purposes than only 2FA.

As a former user of pass (https://www.passwordstore.org/) could you please explain the use of Yubikey for what you are doing, if it is not too off-topic?

Kindest regards,

M
 
As a former user of pass (https://www.passwordstore.org/) could you please explain the use of Yubikey for what you are doing, if it is not too off-topic?
Basically, I'm using the yubikey purely as a smartcard to store my private GPG-keys on it.

I never really had any interest in using U2F, FIDO or whatnot, because it always relies on some external (and sometimes even proprietary) service and working internet connection. I deliberately chose password-store because it uses gpg and nothing "exotic" and I absolutely want/need to access my credentials etc if there is no internet connection available - it wouldn't make any sense for me to add something that requires an external service.
IMHO it's stupid to store credentials (or second factors) for infrastructure like router/gateway systems, switches, BMC etc in a service that relies on the infrastructure to work - if that goes down you are essentially unable to access anything to fix the situation. Also I often have my laptop connected to completely locked-down VLANs where I still need to access credentials or log in via SSH.
By only using its smartcard capabilities, I hold everything I need in my hand with the yubikey - either for decrypting credentials or for SSH logins via the gnupg ssh agent.

For 2FA I only use TOTP - I always refused to use SMS as it is insecure by design anyways. There's a TOTP plugin for password store, so that's fully covered.
 
Hi sko,
Basically, I'm using the yubikey purely as a smartcard to store my private GPG-keys on it.
Thank you for the clarification.

Regarding the 2FA, in my understanding, the protocol that one can/must use is dependent on what the web-site supports.

Kindest regards,

M
 
I feel like we should have several good threads about password storage/security pulled together AND refreshed. Some things don't change, of course, but maybe there are some latest and greatest things or updated infos. (And in general, this is the biggest bug about most forums - no 3D organization/aggregation between threads and topics...I feel tags don't work).


I feel like openssl is the correct approach but with a must of modern options that weren't mentioned here, I think.
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 2000000. 👨‍🏫
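Added example, not code from the post above: a POSIX shell script that round-trips a constructed secrets file through that openssl enc invocation, showing that decryption must use the same -pbkdf2 and -iter values (the iteration count is not stored in the file) and what the salted header looks like. The work directory, file names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: round-trip a small secrets file through
# "openssl enc -aes-256-cbc -salt -pbkdf2 -iter 2000000".
# All file names and the passphrase below are constructed demo values.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PASSFILE="$WORKDIR/passphrase"
PLAIN="$WORKDIR/secrets.txt"
ENC="$WORKDIR/secrets.txt.enc"

# Constructed sample plaintext and passphrase (demo values only).
printf 'router-admin: correct horse battery staple\n' > "$PLAIN"
printf 'demo-passphrase-do-not-reuse' > "$PASSFILE"
chmod 600 "$PASSFILE"

# Encrypt: -salt writes a random 8-byte salt behind a "Salted__" header,
# -pbkdf2 -iter replaces the legacy single-pass MD5 key derivation.
encrypt_file() {  # $1 = plaintext, $2 = output, $3 = iterations
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$3" \
        -pass file:"$PASSFILE" -in "$1" -out "$2"
}

# Decrypt: the same -pbkdf2 and -iter values are required; a different
# iteration count derives a different key, so decryption fails or yields garbage.
decrypt_file() {  # $1 = ciphertext, $2 = output, $3 = iterations
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$3" \
        -pass file:"$PASSFILE" -in "$1" -out "$2" 2>/dev/null
}

# Returns 0 when a full round trip with the post's 2,000,000 iterations
# reproduces the plaintext byte for byte.
roundtrip_ok() {
    encrypt_file "$PLAIN" "$ENC" 2000000
    decrypt_file "$ENC" "$WORKDIR/out.txt" 2000000
    cmp -s "$PLAIN" "$WORKDIR/out.txt"
}

# Returns 0 when decrypting with a mismatched iteration count does NOT
# reproduce the plaintext (the caveat noted in the comment above).
mismatch_detected() {
    encrypt_file "$PLAIN" "$ENC" 2000000
    decrypt_file "$ENC" "$WORKDIR/bad.txt" 100000 || true
    ! cmp -s "$PLAIN" "$WORKDIR/bad.txt" 2>/dev/null
}

# Header check: OpenSSL's salted output begins with the literal "Salted__".
has_salt_header() {  # $1 = ciphertext file
    [ "$(head -c 8 "$1")" = "Salted__" ]
}
```

Requires OpenSSL 1.1.1 or newer, which is where the -pbkdf2 and -iter options were introduced.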
 
I use security/keepass. What makes me stick to the application is that it has a kdbx file synchronizing feature. I share a kdbx file by OneDrive, and on each FreeBSD or Windows PC, use another kdbx file outside OneDrive and synchronize the file with the one under OneDrive from time to time. Thus, I can edit the kdbx file on several hosts and keep it synchronized across them. As I use both FreeBSD and Windows PCs, I need an application that supports both operating systems. (And for Android smartphone, I download the kdbx file from OneDrive and use KeePassDroid. I need to be careful not to edit the kdbx file on Android.)
The problem is that its copy and paste feature and autotype feature do not work on Wayland. There is a plugin that says it enables autotype on Wayland, but I could not get it to work properly. So I wrote a small patch (PR 291869) to make copy and paste of user name and password possible on Wayland (not autotype, as I could not imagine how to realize it). I should report it to upstream, but have not yet.
 
I do not know what the synchronize feature is. It has the auto-type feature mentioned in this topic but apparently it works only on X11. I do not use either one so it's not a problem for me.
 
As this thread popped up again: I made a working port for the Passbolt CE[1] password manager a few months ago and had some email conversations and a video chat with someone from the company behind it, regarding making FreeBSD an officially supported platform. We've been using the pro version at work for several years now, of course hosted in a FreeBSD jail, so the topic of FreeBSD being not officially supported but "they are OK with it" popped up a few times with some minor issues we've reported over time (all non-OS-specific).
Despite them being very positively minded towards FreeBSD and making it an officially supported platform (they even have some FreeBSD users in their team), they very early on told me this gets only a very low priority in their rather stuffed internal roadmap and I sadly never heard back since. I think I will check back one last time and then finish that port for the CE version and submit it. Maybe if there is a growing FreeBSD userbase, official support may gain a higher priority. As it is a pure PHP application, it's pretty much only a matter of maintaining the package dependencies anyways.

Passbolt is designed around open standards and tools and basically uses GPG under the hood - so no custom/proprietary binary vault formats or home-brewed crypto. You can always access your data in the MySQL/PostgreSQL database and decrypt it via plain GPG. I even tested that successfully back when I evaluated various solutions for our company, and "data sovereignty" was a hard criterion. So even if for some reason the passbolt overlay ceases to work/exist, you can simply read the data from the database and decrypt it using the gpg-key of the user(s) those entries belonged to/were shared with. They even have some export scripts available you can use or adapt for your needs (of course there are also import scripts).


[1] https://github.com/passbolt/passbolt_api
 