[Discuss] KeePassX

[cra at WPI.EDU (Chuck Anderson)]

On Tue, Jul 23, 2013 at 08:11:44PM -0400, Richard Pieri wrote:
> Tom Metro wrote:
> >A password safe could use strong encryption to protect the keys used by
> >the one-time authentication algorithm. Ideally, you'd want to have the
> >option to have that info encrypted using a different password than the
> >one protecting your passwords.
> 
> Try this little thought experiment. Take all of the passwords that
> you use on a daily basis. Put them into KeePass or whatever with a
> strong password (I'm partial to Baekdal's analysis) on the key
> chain. Get this database onto your shiny thing.

> Now, for one entire day, every time you need a password you MUST use
> the the phone application to retrieve it.  No cheating: no
> "remembering" your passwords. No reliance on browser password key
> chains. OS key rings like the Gnome key ring and Machintosh Keychain
> cannot be used. SSH Agent is right out. Every password has to be
> looked up on the phone every time it is needed.

Why?  Who says you aren't allowed to remember the ones you most
frequently use?  Or for "low value" passwords like web forums, just
let the browser remember them.  It is still of value to have them
stored in a password database like KeepassX, and it is still useful to
have them be unique-per-site to alleviate the collateral damage when a
site gets hacked.

> I don't know about you but if I tried to subject myself to that I'd
> have a hole in a wall needing repair and I'd be out what used to be
> an expensive shiny thing.

It isn't all or nothing, black or white.

BTW, there is a nifty command line/shell Keepass client called kpcli.