BLU Discuss list archive
[Discuss] Password managers
- Subject: [Discuss] Password managers
- From: invalid at pizzashack.org (Derek Martin)
- Date: Mon, 11 May 2020 19:59:14 -0500
- In-reply-to: <20200508150852.78648b20@mydesk.domain.cxm>
- References: <e0b57c7c-c9d8-82b9-9fb1-65d6ba62bc6c@gmail.com> <24245.39436.143843.466204@blazemonger.com> <20200508150852.78648b20@mydesk.domain.cxm>
On Fri, May 08, 2020 at 03:08:52PM -0400, Steve Litt wrote:
> On Fri, 8 May 2020 13:42:36 -0400
> Daniel Barrett <dbarrett at blazemonger.com> wrote:
> > Here is my password manager that seems to meet most of your
> > requirements.
> >
> > 1. Store username/password pairs in a tab-delimited text file, one
> > entry per line, with 3 columns: username, password, and freeform text.
> >
> > 2. Encrypt the password file with gpg. Use Emacs's EasyPG thereafter
> > to edit the file as needed.

I do the same basic idea but I use one file per password and individually encrypt them. The reasons I do it this way, rather than the way you do it:

1. I don't have to encrypt/decrypt the whole file, which risks exposing all of your passwords instead of just the one you need NOW, should you somehow mishandle it (or someone is spying on you, etc.).

2. I find that different accounts have different pieces of info they require, which are not consistent (some want both an e-mail and a username, others use e-mail for both, some have secret questions, etc.). I also create a unique e-mail address for everyone I do business with, which is tedious but helps with spam prevention and limiting the effects of those entities getting hacked.

3. I don't use pwgen because nobody can decide on one standard to generate passwords. Bad enough sometimes they don't tell you what is allowed until you fail the first time, or even not at all... you just have to guess. So I just make one up on the fly, add it to my terminal

4. I find it's not really any extra effort to just decrypt the individual file manually, and copy-paste from my terminal than it is to do it from a script.

> About #3: Every password you use is on your clipboard, available to
> anyone who grabs a terminal. Clipboard contents survive the opening and
> closing of terminals, and I think there are utilities to view your
> entire paste buffer. Therefore...

If someone can get a terminal as you on your machine without your knowledge, you likely have much bigger problems. Also, that doesn't seem to be the case, at least not on a reasonably modern Linux UI. I just tried it on whatever I'm running on my Ubuntu 18 install--copied some text (by selecting it) from gnome-terminal, closed the window, and then tried to paste it--and it did not work. And FWIW this was what I expected, so I assume it's been that way for quite some time...

And also IIRC there are two kinds of X clipboards, the primary selection, and the clipboard, and the primary selection only holds one thing, and is overwritten by copying a different thing... But the clipboard, which typically is what you get using keyboard shortcuts to copy/paste, IIRC, holds a list of things--so don't do that. This is all very fuzzy though.

> I assume that you have a big, hairy password on this password file so
> somebody who takes possession of the password file can't brute force
> it. Is it inconvenient that every time you need a password, you need to
> type in your big, hairy master password? Or do you have a way of only
> typing it once?

Personally I just type my passphrase every time... accounts I use often I'll remember, and ones I don't...are not used often enough for this to matter. But there is gpg agent or that awful gnome thing which will do this for you...if you think that's wise.

> I might have a big, hairy password to get into, perhaps, a LUKS dir,
> and then an easy, fast and insecure one to get into the file itself.
> Make sure I close the LUKS when I step away from the computer.

You WILL forget. But that's probably fine... this really seems like overkill to me. Singly encrypting the file should be plenty sufficient to keep all but sophisticated attackers out of your password files, and IIRC doubly encrypting may actually result in making the encryption easier to break, for those sophisticated attackers. Though I'm no encryption expert, and I couldn't say under what circumstances that would be true, even if I'm not wrong about that.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
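As an added illustration (not code from the thread, and not Derek's or Daniel's own setup), here is a small POSIX shell version of the one-file-per-account scheme discussed above: each account is one tab-delimited line (username, password, notes, following Daniel's column layout) symmetrically encrypted with gpg into its own file, and a lookup decrypts only that one file to stdout rather than placing anything on the clipboard. The PW_DIR location, the function names, the pw_check leak test and the PW_PASSPHRASE_FILE/loopback-pinentry option (present only so the functions can be driven non-interactively) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: one gpg-encrypted file per account.
# Each file holds a single line: username<TAB>password<TAB>notes.
# PW_DIR, the function names and PW_PASSPHRASE_FILE are assumptions.

PW_DIR="${PW_DIR:-$HOME/.passwords}"

# Wrapper around gpg. By default gpg asks for the passphrase through pinentry
# (normal interactive use). If PW_PASSPHRASE_FILE is set (scripts, tests only)
# it switches to loopback pinentry and reads the passphrase from that file.
run_gpg() {
    if [ -n "${PW_PASSPHRASE_FILE:-}" ]; then
        gpg --batch --quiet --pinentry-mode loopback \
            --passphrase-file "$PW_PASSPHRASE_FILE" "$@"
    else
        gpg --quiet "$@"
    fi
}

# pw_add NAME: read one entry line from stdin and store it as $PW_DIR/NAME.gpg.
# Symmetric AES-256 so the scheme needs no keyring; directory and file are
# created owner-only. Only this one entry is ever handled in plaintext.
pw_add() {
    mkdir -p "$PW_DIR" && chmod 700 "$PW_DIR"
    ( umask 077
      run_gpg --yes --symmetric --cipher-algo AES256 \
          --output "$PW_DIR/$1.gpg" )
}

# pw_get NAME: decrypt exactly one entry to stdout. Nothing touches the
# clipboard and no other entry is decrypted.
pw_get() {
    run_gpg --decrypt "$PW_DIR/$1.gpg"
}

# pw_field NAME N: print only column N (1=username, 2=password, 3=notes).
pw_field() {
    pw_get "$1" | cut -f "$2"
}

# pw_list: names of stored entries (the file names are not treated as secret).
pw_list() {
    for f in "$PW_DIR"/*.gpg; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.gpg}"
    done
}

# pw_check NAME: sanity check that the stored file really is ciphertext, i.e.
# the password column does not appear in it verbatim. Exit 0 when no leak.
pw_check() {
    secret=$(pw_field "$1" 2)
    ! grep -qF -- "$secret" "$PW_DIR/$1.gpg"
}
```

Typical use is `printf 'alice\tpassword\tnotes\n' | pw_add example.com` once, then `pw_field example.com 2` when the password is needed; because the output goes to the terminal only, the exposure is limited to that one entry and that one screen, which is the point Derek makes against decrypting a single whole-file store. With gpg 2.x, gpg-agent caches the symmetric passphrase for a while after the first use, which is exactly the convenience versus exposure trade-off raised in the exchange about typing the master passphrase every time.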