1. 19

  2. 14

    “There are password management apps that generate and store passwords for you like LastPass, but they can’t be trusted as they store your passwords on their servers.”

    I’m pretty sure they only store the encrypted database on their servers (your passwords are encrypted with your master password before being sent to the server), which is equivalent to using Dropbox or Google Drive to sync your encrypted file.

    1. 1

      Yes, I use Lastpass because I read that all of their encryption and decryption is done on-device using Javascript. Their servers never see your master password or your site passwords, they only pass the encrypted blob back and forth.

      It’s also rather handy to have it built-in to all major browser, generate gibberish passwords, and have mobile apps too.

      1. [Comment removed by author]

        1. 1

          That would violate terms and conditions not to mention wouldn’t someone notice it is/was doing that? Agreed they have the ability but not the legal ability.

          1. 2

            Even if we assume no malice on their part: If their servers get cracked, you still have a problem.

    2. 12

      I use KeePass2/KeePassX (keypass.info).

      It’s not the prettiest thing out there, but it’s free, works on Windows/Mac/Linux/Android/iOS, and encrypts everything locally so you can use whatever sync solution you like to keep the database up-to-date.

      1. 5

        I use KeePassX too on my Mac, with some satisfaction. Note that KeePass tries hard to not leave the unencrypted passwords in memory or in the swap. I expect the vim solution to not offer the same guarantee.

        1. 1

          Yes, I was surprised he hadn’t seen Keepass as an option.

        2. 9

          If you’re using vim at all, you can probably use pass as a password manager. It’s quintessentially unix-ey; uses GPG for encryption, git for distribution (so you can very easily use your own git server if “The Cloud™” doesn’t appeal) and the underlying filesystem for database structure. It’s definitely a better bet than this.

          1. 3

            Link: pass

            1. 1

              It’s implemented as a giant bash script. Even though I like bash, it’s not the kind of language I want to use to manage passwords.

              See: http://git.zx2c4.com/password-store/tree/src/password-store.sh

            2. 4

              There are a couple of apps which locally encrypt your passwords and then back it up in the location of your choice (iCloud / Dropbox) etc but they cost something like $50.

              There are apps that are free. For example, I’m using zx2c4’s pass.

              It takes advantage of GPG and allows to save passwords locally and on Git. Also it’s possible to sync using Dropbox just by using symlink.

              To generate passwords, I use pwgen. It has command arguments (I’m using --ambiguous --capitalize --numerals --symbols 16) to make password more human-readable for easier typing into, in my case, mobile phone.

              Because each password is a file, I can easily see how long I haven’t changed password for particular file. Also, I can use tools like dmenu to have menu of passwords just before it prompts for a master password.

              1. 4

                now, wouldn’t it be nice to be able to run cat .pawwords| openssl enc -base64 -d -bf-cbc -k mykey | grep that_stupid_website ? well after few attempts, seems that that it is not doable. see this http://www.krenel.org/locking-yourself-in-a-cryptographic-implementation/


                1. 3

                  I use vim-gnupg.

                  1. 2

                    Would aes256-cbc be better than blowfish in this case with vim encryption or no? And is as even possible with vim (what library does vim use)

                    1. 1

                      Perhaps, but vim doesn’t appear to support it. Check out the :help cryptmethod, mine only has zip and blowfish (MacVim 7.4.258).

                      Also I believe counter modes are better than CBC. OpenSSH prioritizes aes-ctr over aes-cbc nowadays, and even puts arcfour above cbc. GCM is also interesting.

                      Edit regarding blowfish, I found the following on wikipedia:

                      Bruce Schneier, Blowfish’s creator, is quoted in 2007 as saying “At this point, though, I’m amazed it’s still being used. If people ask, I recommend Twofish instead.”

                    2. 2

                      The password generator script in the post uses random.choice which is not a cryptographically secure source of entropy. From the python docs [1]:

                      The Mersenne Twister is one of the most extensively tested random number generators in existence. However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes.

                      That’s a bit confusing as the issue isn’t that it’s deterministic. It’s that given enough output, you can predict future output.

                      This attack might not be feasible against a 4 word long password, but why risk it when there are alternatives? random.SystemRandom is probably cryptographically secure, but doesn’t explicitly say it in the docs [2]. My own password generator [3] uses PyCrypto’s CSPRNG [4].

                      [1] https://docs.python.org/2/library/random.html

                      [2] https://docs.python.org/2/library/random.html#random.SystemRandom

                      [3] https://github.com/beala/xkcd-password

                      [4] https://www.dlitz.net/software/pycrypto/api/current/Crypto.Random.random-module.html

                      1. 1

                        random.SystemRandom is probably cryptographically secure, but doesn’t explicitly say it in the docs [2].

                        It actually does. SystemRandom defers to os.urandom, which per its own docs

                        …should be unpredictable enough for cryptographic applications, though its exact quality depends on the OS implementation.

                      2. 2

                        I use http://www.fpx.de/fp/Software/Gorilla/, and its cross-platform.

                        1. 1

                          I use 1Password on mac, the iOs devices and I’m addicted to it. The problem with solutions that do not support syncing is that they are not practical as most of us use more than 2 computers. I would like o have an option, like truecrypt, on 1Password well it will permit me to show a false container on one hand and/or a secret password which will delete all my data at once.

                          Regarding encryption one has to decide if he trusts the current encryption level offered by tools or not. For my needs is more than acceptable. There’s no hint of anyone breaking a 1password keychain yet. So, I’m fine saving a copy of the encrypted keychain on iCloud.

                          Password managers that can not be used as a browser bundle are somewhat clumsy to use for me, because most of the things I need a password that is secure, non-pronounceable, with 12+ chars, etc. Are websites! Forums, email forms, etc.

                          Now in regard to my favorite editor, you don’t need any option in .vimrc. Just run vim as vim -x secure.txt and will open/create the file, prompt a password and encrypt the file using blowfish. But blowfish is known to be kind of weak, so if you really want to use vim I would suggest something like vim-journal which uses OpenGPG instead.

                          Writing a password generator in ruby takes 15 seconds. Of course it can be done seriously, using proper error handling and many command line options. That’s not a problem, the problem is the easy of use.