Securely store passwords

Menelkir

Active Member

Reaction score: 289
Messages: 225

Keepass. It creates an encrypted file with your user/pass and you can customize it like a catalog, using categories and stuff, and even download favicons for the sites. There are also extensions for browsers to work with it, or just copy/paste. Also, Keepass accepts storing 2FA.
Need a frontend? security/keepass security/keepassxc
Still feel insecure? Create a container with security/veracrypt and store your keepass file inside; now you can store the container even on an anonymous FTP. :p
 

rotor

Member

Reaction score: 22
Messages: 75

I keep my passwords (a few dozen of 'em) in a spreadsheet.

The spreadsheet is kept in an encrypted file. On Windows and FreeBSD, veracrypt. On Linux Mint zulucrypt.

This fits my needs quite well.
 

ralphbsz

Son of Beastie

Reaction score: 2,299
Messages: 3,207

Text file (edited with an ASCII editor). Also contains lots of comments. It is stored only in encrypted form (now with openssl encryption, used to be GPG, but Gnu made GPG too complicated to use). The resulting file is then stored only on encrypted disks, both locally (on an Apple file system disk) and in the cloud (at a provider that uses encrypted hardware with the SSH file system), so there are multiple layers of encryption.

Well, and some passwords are also on yellow stickers on the edge of the monitor, or paper lists.
 
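On the "openssl encryption" step above: the post does not say which openssl command is used, so the added example below (written for this thread, not ralphbsz's own setup and not OpenSSL's code) assumes `openssl enc` and reimplements, with only the Python standard library, the two ways that tool derives the AES key and IV from a passphrase. The point it shows is the caveat a practitioner cares about: without `-pbkdf2`, `openssl enc` uses the legacy EVP_BytesToKey scheme, a single digest pass per candidate passphrase, so an encrypted password file is cheap to brute-force offline; with `-pbkdf2` it uses PBKDF2 with 10000 iterations of HMAC-SHA256 by default. The `Salted__` header layout is OpenSSL's; `SAMPLE_BLOB` and `SAMPLE_PASSPHRASE` are constructed here and the body is not real ciphertext.

```python
# Added example (not from the thread, not OpenSSL's code): how `openssl enc`
# derives key and IV from a passphrase, legacy EVP_BytesToKey versus -pbkdf2.
# Standard library only; nothing here encrypts anything.
import hashlib

MAGIC = b"Salted__"   # prefix openssl enc writes in front of the 8-byte salt
SALT_LEN = 8


def parse_salted_header(blob: bytes):
    """Split `openssl enc -salt` output into (salt, ciphertext body)."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN:
        raise ValueError("not an openssl 'Salted__' file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    return salt, blob[len(MAGIC) + SALT_LEN:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha256", count: int = 1):
    """Legacy derivation (no -pbkdf2): D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt),
    each D_i hashed `count` times; key||iv is the concatenation of the D_i.
    openssl enc uses count=1, i.e. one or two digests per passphrase guess."""
    if salt and len(salt) != SALT_LEN:
        raise ValueError("openssl enc salts are 8 bytes")
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(md, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  md: str = "sha256", iterations: int = 10000):
    """What `openssl enc -pbkdf2` does: one PBKDF2 call yields key||iv.
    Defaults match current OpenSSL (sha256, 10000 iterations)."""
    dk = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:key_len + iv_len]


# Constructed sample: a 'Salted__' header, a fixed salt and 16 zero bytes that
# only stand in for ciphertext; the passphrase is made up.
SAMPLE_BLOB = MAGIC + bytes(range(8)) + b"\x00" * 16
SAMPLE_PASSPHRASE = b"correct horse battery staple"

if __name__ == "__main__":
    salt, _body = parse_salted_header(SAMPLE_BLOB)
    k1, iv1 = evp_bytes_to_key(SAMPLE_PASSPHRASE, salt, 32, 16)   # aes-256-cbc, legacy
    k2, iv2 = pbkdf2_key_iv(SAMPLE_PASSPHRASE, salt, 32, 16)      # aes-256-cbc -pbkdf2
    print("legacy key/iv :", k1.hex(), iv1.hex())
    print("pbkdf2 key/iv :", k2.hex(), iv2.hex())
```

Practical consequence: if the file is made with something like `openssl enc -aes-256-cbc -salt -in pw.txt -out pw.txt.enc`, add `-pbkdf2` (OpenSSL 1.1.1 or later; `-iter N` raises the count and implies `-pbkdf2`). The container format is the same either way, so an existing file has to be decrypted and re-encrypted, not just renamed, to get the stronger derivation.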

gpw928

Aspiring Daemon

Reaction score: 213
Messages: 523

some passwords are also on yellow stickers on the edge of the monitor, or paper lists.
Current thinking on risk analysis provides support for such approaches.

The analysis says that it is actually quite rare for a password to be breached by physical intrusion.

By far the most usual compromise is by a plethora of broadly based "electronic methods".

But I recommend a Post-It note under the keyboard. It's more secure because it's harder to find ;).
 

Jose

Daemon

Reaction score: 897
Messages: 1,090

Well, and some passwords are also on yellow stickers on the edge of the monitor, or paper lists.
I'm 100% certain you know how to take a screenshot, but not everyone does. Including some in Congress, who take a picture of their screen with their phone. Unfortunately, the sticky with the passwords is legible.
As Twitter users quickly noted, a photo that Brooks tweeted of his computer screen showing Alabama’s trespassing statute also showed a piece of paper that appeared to include a PIN number and a Gmail account password.
 

Lamia

Aspiring Daemon

Reaction score: 207
Messages: 770

KeepassXC is strongly advised over Keepass, from what I learnt.
 

Lamia

Aspiring Daemon

Reaction score: 207
Messages: 770

I would bail out of a debate on both. That was my inference after comparing both. Of course, one is Qt-based and the other is mono-based. And KeepassXC is a fork of the other.

There are tonnes of articles on them online.
 

sko

Aspiring Daemon

Reaction score: 380
Messages: 677

I use sysutils/password-store. Simple, text-based, tree-structured, portable data store; uses security/gnupg. Also universal.

'pass' kicks the shit out of all the above, the dev's website https://www.passwordstore.org/

edit: oh gpw928 beat me to it.

+1 for pass
Have been using it for several years now together with a YubiKey to store and carry around my gpg keys.

It doesn't restrict what you want to store in it like most solutions do (as it's basically just gpg-encrypted text files), plus there are plugins available for almost anything (e.g. OTP) and you can very easily write your own scripts. As it is basically a wrapper around gpg & git, you can also leverage those tools to make it fit your needs. E.g. I've been using git branches to have a "private" and a "work" tree of passwords for a while (reverted to using only folder-based organization because I fat-fingered my branches once, because git hates me...)

There's even some GUIs available nowadays (e.g. QtPass), but haven't really used them...


At work we're using Passbolt (self-hosted), which also relies on GPG in the background, but isn't as feature-rich yet as some other solutions, although they are adding more and more stuff and listen to their users' requirements. It's purely browser-based, so no need for any apps/widgets/etc. except a browser plugin, which also manages your keys.
 

tux2bsd

Active Member

Reaction score: 38
Messages: 153

+1 for pass
There's even some GUIs available nowadays (e.g. QtPass), but haven't really used them...
There are even Android & iOS apps. I've not used them though, just the cli version - it's so easy.
Unfortunately, the sticky with the passwords is legible.
Medical Doctors being the exception.
 

rootbert

Well-Known Member

Reaction score: 152
Messages: 409

security/keepass because it is audited ... keepassxc is not audited. Though in some cases I use security/kpcli
 

decuser

Well-Known Member

Reaction score: 126
Messages: 270

KeepassXC, it's cross-platform and secure. I use it on my Mojave systems, FreeBSD systems, and Linux. KeepassXC is an actively developed fork of the nearly unchanging KeepassX (last release 2016), which is a fork of the original Keepass... which is still actively developed.
 

decuser

Well-Known Member

Reaction score: 126
Messages: 270

'pass' kicks the shit out of all the above, the dev's website https://www.passwordstore.org/

edit: oh gpw928 beat me to it.
Intriguing. I will give it a shot, but I do a lot more with Keepassxc than just put passwords in it. For example, when I create a new XYZ account, I may back it with one of several email accounts. I also get the backup codes in case something goes awry. When I decommission an account (but haven't deleted it yet), I like to note that in the database. Where does all this meta-data go in pass, or does it have a comment field that can be overloaded for this sorta stuff?
 

gpw928

Aspiring Daemon

Reaction score: 213
Messages: 523

pass(1) just encrypts a file using gpg, and maintains that file in a file-system based tree structure, where the path name provides the key (e.g. Forums/FreeBSD/gpw928).
I routinely add URLs and sundry aide-mémoires into the file, along with a password. Within that context, you could enforce any structure you wanted.
 

Trihexagonal

Son of Beastie

Reaction score: 2,297
Messages: 2,866

I use real paper for passwords
When I forgot my password to get into my FreeBSD box a few years ago the only password I had left was one I had written down on paper.

It was for the forum where I ended up first posting my FreeBSD Desktop Tutorial.
 

sko

Aspiring Daemon

Reaction score: 380
Messages: 677

Where does all this meta-data go in pass, or does it have a comment field that can be overloaded for this sorta stuff?

It doesn't use a database and doesn't force you to use arbitrary fields - it's just plain, simple text files, organized in folders (git branches are also possible), encrypted with gpg. pass(1) is essentially just some shell scripts around gnupg and git - so even if the maintainers one day decide to bin the whole project, you can still access everything.
For things like browser plugins there are a few simple conventions though:
- the first line always has to be the password (the whole line, so no prefixes or comments)
- for autofill (browser plugins) you might want to prefix lines with "email:", "login:" or "otp:" (that's usually handled by the OTP plugin), so the plugin can pick the correct entry. If it doesn't work as expected, inspect the page and search for the description/name of the box where that information should go - "webdesigners" are horrible at naming stuff and don't follow simple conventions, so e.g. login fields often have completely stupid names no plugin could automatically guess.
Apart from that, everything but the first line of the text file is yours - you can put in everything you want. I regularly store OTP recovery codes in them, sometimes even for multiple factors, and even gpg keys or certificates. You can put everything in there that can be represented by text - even storing base64-encoded images would be possible.


I don't write or save my passwords. I simply memorize them.
Do you perform in a circus with that number where you can memorize dozens of 32 character long arbitrary utf8 strings?
 
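Tying together decuser's question about where metadata goes, gpw928's description of the path as the key, and the layout conventions sko lists: the added example below is written for this thread and is not code from pass(1), pass-otp or any browser plugin. It assumes only what the posts describe (line 1 is the password, the whole line; "login:", "email:", "url:" style lines for autofill; pass-otp keeps an otpauth:// URI on its own line; everything else is free-form notes). The `KNOWN_KEYS` set and the `SAMPLE` entry are constructed here. It parses the cleartext that `pass show` prints, writes it back in the form `pass insert -m` accepts, looks a login/password pair up by path, and lints the one mistake that silently breaks `pass -c` and the plugins: a first line written as "password: ...".

```python
# Added example (not pass(1)'s own code): parse, write back and lint the
# plain-text layout that pass entries follow.  Hard rule: line 1 is the
# password, whole line.  "key: value" lines and a bare otpauth:// URI are
# plugin conventions; every other line is free-form notes.
from dataclasses import dataclass, field

# Prefixes autofill plugins commonly look for (assumed from the thread, not a spec).
KNOWN_KEYS = {"login", "user", "username", "email", "url", "otp"}


@dataclass
class Entry:
    password: str
    fields: dict = field(default_factory=dict)  # lower-cased key -> value
    notes: list = field(default_factory=list)   # free-form lines, order kept


def parse_entry(text: str) -> Entry:
    """Decode the cleartext of one entry, i.e. what `pass show <path>` prints."""
    lines = text.rstrip("\n").split("\n")
    if lines[0] == "":
        raise ValueError("first line must hold the password")
    entry = Entry(password=lines[0])
    for line in lines[1:]:
        if line.startswith("otpauth://"):
            entry.fields["otp"] = line        # pass-otp convention: seed URI on its own line
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in KNOWN_KEYS:
            entry.fields[key] = value.strip()
        else:
            entry.notes.append(line)          # backup codes, decommission notes, anything
    return entry


def format_entry(entry: Entry) -> str:
    """Inverse of parse_entry; feed the result to `pass insert -m <path>`."""
    out = [entry.password]
    for key, value in entry.fields.items():
        out.append(value if value.startswith("otpauth://") else f"{key}: {value}")
    out.extend(entry.notes)
    return "\n".join(out) + "\n"


def lint_entry(text: str) -> list:
    """Warn about first lines that `pass -c` and the plugins will take literally."""
    first = text.split("\n", 1)[0]
    warnings = []
    if first == "":
        warnings.append("empty password line")
    head = first.partition(":")[0].strip().lower()
    if ":" in first and head in KNOWN_KEYS | {"password", "pass"}:
        warnings.append(f"first line looks like '{head}: ...'; the whole line is the password")
    if first != first.strip():
        warnings.append("password line has surrounding whitespace; it will be copied verbatim")
    return warnings


def credentials(store: dict, path: str):
    """The path is the key (e.g. Forums/FreeBSD/gpw928); returns (login, password)."""
    entry = parse_entry(store[path])
    login = entry.fields.get("login") or entry.fields.get("email")
    return login, entry.password


# Constructed sample, standing in for the decrypted contents of one .gpg file.
SAMPLE = """correct horse battery staple
login: gpw928
url: https://forums.freebsd.org/
otpauth://totp/FreeBSD:gpw928?secret=JBSWY3DPEHPK3PXP&issuer=FreeBSD
backup codes: 1111-2222 3333-4444 5555-6666
backed by: mailbox-2 (see Email/mailbox-2)
decommissioned: no
"""
SAMPLE_STORE = {"Forums/FreeBSD/gpw928": SAMPLE}

if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print(e.fields, e.notes)
    print(credentials(SAMPLE_STORE, "Forums/FreeBSD/gpw928"))
    print(lint_entry("password: hunter2\n"))
```

The "backup codes" and "backed by" lines land in `notes` precisely because they are not plugin keys, which is the answer to the metadata question: the file is the comment field, and any structure beyond line 1 is whatever you choose to enforce.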

tux2bsd

Active Member

Reaction score: 38
Messages: 153

I like to note that in the database. Where does all this meta-data go in pass, or does it have a comment field that can be overloaded for this sorta stuff?
Code:
pass edit site1/account1
then edit text

it was a while ago when I got it going; just fiddling with it now on a blank machine and I remember it's a bit of a pain to begin with because of the gpg stuff

still recommend
 

tux2bsd

Active Member

Reaction score: 38
Messages: 153

decuser, so the whole process looks like below; give it a muck-around go like this, then do it properly with more GPG properness (it's the gpg side that's painful)

Code:
u@buntu:~$ gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Lay Dees
Email address: example@example.com
Comment:
You selected this USER-ID:
    "Lay Dees <example@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 30172473CD40DA96 marked as ultimately trusted
gpg: directory '/home/u/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/u/.gnupg/openpgp-revocs.d/62CC2D94696CBAEB2AD0270330172473CD40DA96.rev'
public and secret key created and signed.

pub   rsa3072 2021-06-15 [SC]
      62CC2D94696CBAEB2AD0270330172473CD40DA96
uid                      Lay Dees <example@example.com>
sub   rsa3072 2021-06-15 [E]

u@buntu:~$ pass init example@example.com
Password store initialized for example@example.com
u@buntu:~$ pass add potato
Enter password for potato:
Retype password for potato:
u@buntu:~$ pass potato   #THIS IS WHERE IT'LL PROMPT YOU BEFORE DISPLAYING THE PASSWORD
asdf

I can't imagine there being much different on FreeBSD so I didn't change OSes to make a quick howto
 

Trihexagonal

Son of Beastie

Reaction score: 2,297
Messages: 2,866

I have 79 files in my password folder and the oldest one is for a Yahoo account from 9-01-12, whowuzthatmaskedman.

That was my future self that made that account. I remember it like yesterday...
 

usakhncit

Active Member

Reaction score: 32
Messages: 241

When asked for his password, he scoffs at password managers and rattles off the 43 characters from his astounding oversized memory - he must be... The most interesting man in the world!
Or perhaps The most interesting woman? But seriously, I must have 200+ secure passwords. I can hardly remember the urls, much less the passwords.

43 characters!! You are paranoid !!
You need to learn something about memorizing passwords.
Let me tell you one of my password which is: "decuser is a paranoid fool".
 

Trihexagonal

Son of Beastie

Reaction score: 2,297
Messages: 2,866

My usr and root passwords are different. Each is between 20-25 characters long and I have both memorized.
The rest go in my password file after encryption and no attempt to memorize them is made. Only the password to decrypt them.

I forgot my Windows password one time and let my fingers do the walking across the keyboard from muscle memory and got it right.
 