BLU Discuss list archive
[Discuss] Password managers
- Subject: [Discuss] Password managers
- From: slitt at troubleshooters.com (Steve Litt)
- Date: Fri, 8 May 2020 15:08:52 -0400
- In-reply-to: <24245.39436.143843.466204@blazemonger.com>
- References: <e0b57c7c-c9d8-82b9-9fb1-65d6ba62bc6c@gmail.com> <24245.39436.143843.466204@blazemonger.com>
On Fri, 8 May 2020 13:42:36 -0400
Daniel Barrett <dbarrett at blazemonger.com> wrote:

> On May 7, 2020, Tom Metro wrote:
> >Here are the characteristics I consider minimum acceptable for a
> >password manager: open source implementation; [...] code that only
> >changes when I explicitly download and install a new version; [...]
> >good random password generator [...] no browser integration; no cloud
> >storage [...]
>
> Very nice write-up, Tom!
>
> Here is my password manager that seems to meet most of your
> requirements.
>
> 1. Store username/password pairs in a tab-delimited text file, one
> entry per line, with 3 columns: username, password, and freeform text.
>
> 2. Encrypt the password file with gpg. Use Emacs's EasyPG thereafter
> to edit the file as needed.
>
> 3. Retrieve passwords using a simple script that calls gpg to decrypt,
> grep to find the line you want, and cut to isolate the username &
> password. Optionally, call xclip to copy username & password into the
> window manager's clipboard for easy pasting.
>
> 4. Use bash & pwgen to generate random passwords between 18-24
> characters:
>
>   pwgen -y -s -N1 $[$RANDOM % 6 + 18]
>
> 5. To retrieve passwords remotely, use SSH with public key
> authentication.
>
> I've been using this system for ~15 years. The only downside is it's
> not spouse-friendly (unless your spouse groks the Linux command line).

Hi Dan,

I'm going to do something like this: Thanks for the info. I'll make
some changes...

About #3: Every password you use is on your clipboard, available to
anyone who grabs a terminal. Clipboard contents survive the opening and
closing of terminals, and I think there are utilities to view your
entire paste buffer. Therefore...

I'd like to write my retrieved password into a temporary file, and then
somehow write that temp file's contents into the field. Whatever xkill
does to read which window you clicked, I need to do something similar so
my program can read which input field I clicked and then spit out its
letters one at a time.

I'm going to make my password lengths less variable than yours, probably
using %3 instead of %6.

I'm going to arrange for a piece of punctuation to be inserted when
creating the password. Most accounts require a punctuation in the
password, but they all differ as to *which* punctuation they allow.

I assume that you have a big, hairy password on this password file so
somebody who takes possession of the password file can't brute force it.
Is it inconvenient that every time you need a password, you need to type
in your big, hairy master password? Or do you have a way of only typing
it once?

I might have a big, hairy password to get into, perhaps, a LUKS dir, and
then an easy, fast and insecure one to get into the file itself. Make
sure I close the LUKS when I step away from the computer.

Thanks for telling us about this. This is my kind of password storage.
I'll probably do it, or something like it.

SteveT

Steve Litt
May 2020 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques
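
The generator Steve describes above (length from `% 3` instead of `% 6`, plus one punctuation character drawn from what a given site accepts), as an added example that is not part of the thread. It reads /dev/urandom in place of pwgen and $RANDOM, keeps Dan's base length of 18, assumes ASCII punctuation, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Assumes /dev/urandom, od, tr, head, cut and awk are available.

# rand_below N: print a uniform integer in [0, N), for 1 <= N <= 256.
# The function body is a subshell "( )", so its variables stay local and
# "exit" ends only the function.
rand_below() (
    n=$1
    limit=$(( 256 - 256 % n ))      # bytes >= limit would bias the modulo
    while :; do
        b=$(od -An -N1 -tu1 /dev/urandom | tr -dc '0-9')
        if [ "$b" -lt "$limit" ]; then
            echo $(( b % n ))
            exit 0
        fi
    done
)

# gen_password ALLOWED: print an 18-20 character password that holds exactly
# one character from ALLOWED (the punctuation this site accepts) at a random
# position; every other character is alphanumeric.
gen_password() (
    allowed=$1
    if [ -z "$allowed" ]; then
        echo "usage: gen_password ALLOWED_PUNCTUATION" >&2
        exit 2
    fi
    len=$(( 18 + $(rand_below 3) ))             # the "% 3" variant: 18, 19 or 20
    body=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$(( len - 1 ))")
    pidx=$(rand_below "${#allowed}")
    punct=$(printf '%s' "$allowed" | cut -c "$(( pidx + 1 ))")
    pos=$(rand_below "$len")        # alphanumerics placed before the punctuation
    # The secret travels on stdin, not argv; ENVIRON also avoids the escape
    # processing that "awk -v" would apply to a backslash.
    printf '%s\n' "$body" |
        P=$punct K=$pos awk '{ k = ENVIRON["K"] + 0
            print substr($0, 1, k) ENVIRON["P"] substr($0, k + 1) }'
)

gen_password '!@#%+='   # demo call with a constructed punctuation set
```

Pass each site's permitted punctuation as the single argument; the password is written to stdout only, so it can be piped straight into the gpg-encrypted file's editing step.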