Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Password Management - General Questions

  1. #1
    Join Date
    Dec 2008
    Location
    East of Eden (tx)
    Posts
    331

    Password Management - General Questions

    Over the years, I have accumulated MANY passwords for many different things. In addition to routine website passwords, there are passwords for logging onto my computers, debit cards, ATM machines, my cell phone and apps there, setting up my router, for my DSL modem, wifi connections, email accounts, website administration, and a host of other things. Then there are bank, financial and other very sensitive websites that I do not let my browser save.

    In addition to usernames and passwords, there are security questions and just notes that don't need to be public.

    Right now I keep them all in a GPG encrypted spreadsheet. Naturally, I printed out a copy (16 pages) that stays on my desk, with me when I travel or in a safe. Decrypting the file to update or use it leaves an unencrypted copy somewhere if I don't delete it and empty the trash. There has to be a better way.

    Kwallet seems to be the "Password Manager" preferred by openSUSE. It works just fine in Kontact to keep up with multiple email account logins and that is all I use it for. Mozilla Firefox does a good job of taking care of low sensitivity website logins (like here). I cannot figure out how to use Kwallet for other passwords.

    The other "Password Manager" that shows up in Yast software management is KeepassX but it seems to be more of a browser plugin for website passwords.

    PC Magazine ranks LastPass as the top open-source password manager. Again it is primarily a browser plugin for routine website and webmail login. They do have a "local vault" that might adapt to what I need. Does anyone have any experience with it?

    Maybe I am searching for the wrong thing. What is it that I am looking for?

    Can someone point me in the right direction?

    Cordially,
    TwoHoot
    #1 - openSUSE Leap 15.1; AMD A6-3670; Radeon(tm) HD; 8gb memory; 500 gb HD; KDE 5.12.8
    #2 - openSUSE Leap 15.1; Toshiba Satellite L70-A (Dual Boot - Win10); KDE 5.12.8
    #3 - openSUSE Leap 15.1; AMD A6-6400K; Radeon HD; 8gb memory; 1tb HD; KDE 5.12.8

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,889
    Blog Entries
    3

    Re: Password Management - General Questions

    I can only tell you what I do.

    I use a text file, which I keep encrypted. I occasionally mail it to myself as encrypted mail (pgp encrypted), and I keep a copy of that mail on my laptop and other computers. As long as I can read encrypted mail, I can access my password database.

    For routine use, I do allow "firefox" to save passwords. I setup a security key for "firefox", so I have to type in a password for that once per firefox session. Similarly, I have some passwords in "kwallet", and I have to unlock that once per KDE login. I set "kwallet" to stay open once it has been opened.

    You talk about "firefox" and low sensitivity passwords. But if you have firefox keep the password encrypted, then I don't see that you have to restrict it to low sensitivity. The biggest risk today is phishing sites. And "firefox" is less likely to be tricked by a phishing site.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3

    Re: Password Management - General Questions

    LastPass can also handle generic notes including attaching files to notes. https://lastpass.com/features_free.php scroll down to "Store What Matters and Keep Your Data Safe".

    This Firefox extension might be interesting if you prefer Kwallet to Firefox itself: https://addons.mozilla.org/en-US/fir...io/?src=search There are good reasons why LastPass suggests disabling browsers' built-in password management. It is only encrypted if you also use a master password, else pretty much clear text, so a bit too easy to extract.

    I only use LastPass in a simple way, have no interest in "Streamline Online Shopping" or other auto filler tricks. It is an old product and as far as I know they have not messed up. Cloudy servers in US = TOS decided by company with optional input from stately forces, or how is it working? What could go wrong? They did use quite weak encryption settings, not the same as the encryption standard, for a while but that has been fixed: https://helpdesk.lastpass.com/securi...ations-pbkdf2/ Also have no idea of how good their mobile apps are. Has worked almost flawlessly for me on Firefox for 3 years or so. There can be sites where it messes up auto-login but often there are fixes. I mostly use it manually so LastPass only hints there is a login available, then I activate it. No toolbar or anything silly, just one button. I never got into auto everything because I dislike it. Use it for certain things though and it mostly works.

    On Windows I also used AxCrypt http://www.axantum.com/AxCrypt/ - was convenient and that is super important if you plan to edit.

    Not sure it is a good idea to print out and carry all your codes. Bad habit, and what LastPass or similar is for. LastPass has more tools, check "LastPass Portable for Firefox", "LastPass Sesame (openSUSE)" and "LastPass Pocket (openSUSE)". Have not played with them yet but I see openSUSE mentioned. There is a bit more for Windows.

  4. #4

    Re: Password Management - General Questions

    This is a common problem (and not everyone does something sensible about it):

    TwoHoot wrote:
    > Over the years, I have accumulated MANY passwords for many different things. In addition to routine website passwords, there are passwords for logging onto my computers, debit cards, ATM machines, my cell phone and apps there, setting up my router, for my DSL modem, wifi connections, email accounts, website administration, and a host of other things. Then there are bank, financial and other very sensitive websites that I do not let my browser save.
    >
    > In addition to usernames and passwords, there are security questions and just notes that don't need to be public.
    First thing is to split things up into classifications, as you seem to be doing. OK, if someone logged in to this site as me, it could be embarrassing, but not a disaster. On the other hand, stuff with banking, (potentially) bills, credit cards could have far worse implications, and you need to keep that kind of distinction in mind. Those sites that ask your mother's maiden name and your shoe size, they're a bit of a pain, because that info, even if it is for a low level of danger site could be used to negotiate access to some access site, so your shoe size suddenly becomes of the degree of criticality of the most critical site that you use it on (and you may well have forgotten that this was one of your fallback security questions on some site you haven't visited for years).

    TwoHoot wrote:
    > Right now I keep them all in a GPG encrypted spreadsheet. Naturally, I printed out a copy (16 pages) that stays on my desk, with me when I travel or in a safe. Decrypting the file to update or use it leaves an unencrypted copy somewhere if I don't delete it and empty the trash. There has to be a better way.
    Agreed.

    TwoHoot wrote:
    > Kwallet seems to be the "Password Manager" preferred by openSUSE. It works just fine in Kontact to keep up with multiple email account logins and that is all I use it for. Mozilla Firefox does a good job of taking care of low sensitivity website logins (like here). I cannot figure out how to use Kwallet for other passwords.
    I'm not sure that it is that simple. Kwallet seems to be used by Firefox and NetworkManager, but not by Opera, which uses its own system. Now, the problem with using a browser password manager is that you can't extract the user/password details if you need them, and you can't append extra notes. You need to extract the details if the target website changes its log in arrangement (say, changes the URL that the site has for its log in page (my web e-mail provider used to do this every six months, or so, and hasn't done it for some time, so are probably about to do it to me, and this very site has done it to me in the past; inconvenient!)).

    TwoHoot wrote:
    > The other "Password Manager" that shows up in Yast software management is KeepassX but it seems to be more of a browser plugin for website passwords.
    Be a bit careful; I believe that KeepassX is the cloud version of Keepass (which was also in a repo for an older version of oS, not sure about current versions). Now, at the time, my feeling was saving passwords in the cloud was the very sort of thing that I didn't want to do. Since then, I have become persuaded that there would be a convenience advantage in 'passwords-in-the-cloud' for cross-platform and cross-machine usage, but I am still not totally convinced that I can trust the security aspects. YMMV.

    There are also some password-managers-as-browser-plugins (eg, for firefox...not sure about Chrome/Chromium), but you probably have to get those from the browser's own 'app-store' of widgets and extensions.

    TwoHoot wrote:
    > PC Magazine ranks LastPass as the top open-source password manager. Again it is primarily a browser plugin for routine website and webmail login. They do have a "local vault" that might adapt to what I need. Does anyone have any experience with it?
    I can say keepass does what I want;
    • it can generate (pseudo)-random passwords, with sets of rules (eg, which characters are allowed, password length, etc, etc)
    • It can store separately generated passwords
    • it can make its passwords available for cut 'n paste to other locations/applications
    • It can store supplementary notes
    • It organises passwords in a vaguely sensible way (ie, you can keep different classes of password in different folders within the app)


    At the time, I am sure that I looked at LastPass, but I can't recall what I didn't like about it. Maybe, I just tried Keepass first, and found it ok.

    My MO now is to generate passwords in keepass, enter them with my browser, and if the browser also offers to store it, let it (for convenience). This is not the optimum from an 'attack surface minimisation' point of view (there are two apps that could potentially be attacked rather than one), but there is a lot of the higher security stuff that I just won't do with a computer (more out of fear that, eg, the banking institution itself is insecure, rather than anything else - I mean there have been cases, and those are the ones we know about, and the banking industry does like to keep them quiet, obviously).

  5. #5
    Join Date
    Dec 2008
    Location
    East of Eden (tx)
    Posts
    331

    Re: Password Management - General Questions

    So far, the consensus seems to be about what I am doing - 1) let Kwallet and Firefox do their thing for routine stuff and 2) Don't keep critical data on the cloud.

    It was interesting to note that nrickert (who has a lot of SUSE salad creds) keeps a locally encrypted text file. Mine is an encrypted spreadsheet, but the concept is the same.

    The software I would like to install would:
    • run locally with no internet connection (browser or other) at all
    • allow easy new entries, edits and deletions
    • employ solid encryption that automatically deletes and wipes residual unencrypted copies when closed


    Do any of the applications discussed so far do this?

    This is beginning to sound more like a secure local database than what is commonly referred to as a Password Manager.

    Thanks, everyone, for the thoughtful replies. You clarify my thinking. Maybe there is more to come!

    Cordially,
    TwoHoot
    #1 - openSUSE Leap 15.1; AMD A6-3670; Radeon(tm) HD; 8gb memory; 500 gb HD; KDE 5.12.8
    #2 - openSUSE Leap 15.1; Toshiba Satellite L70-A (Dual Boot - Win10); KDE 5.12.8
    #3 - openSUSE Leap 15.1; AMD A6-6400K; Radeon HD; 8gb memory; 1tb HD; KDE 5.12.8

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,889
    Blog Entries
    3

    Re: Password Management - General Questions

    TwoHoot wrote:
    > It was interesting to note that nrickert (who has a lot of SUSE salad creds) keeps a locally encrypted text file. Mine is an encrypted spreadsheet, but the concept is the same.
    Yes, it is about the same. Both make it fairly easy to add all kinds of notes.

    At times, I need a local unencrypted copy of the file while editing. I keep that in an "ecryptfs" private directory. So I see it unencrypted, but it is really encrypted on disk.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Password Management - General Questions

    On 2014-12-06 00:46, TwoHoot wrote:

    > Right now I keep them all in a GPG encrypted spreadsheet. Naturally, I
    > printed out a copy (16 pages) that stays on my desk, with me when I
    > travel or in a safe. Decrypting the file to update or use it leaves an
    > unencrypted copy somewhere if I don't delete it and empty the trash.
    > There has to be a better way.


    Mine is simply a password protected spreadsheet (not PGP, yet), on an
    encrypted partition.

    If your home is encrypted, and the spreadsheet uses your home for
    temporary space, there should not be any unencrypted copies.


    I do not want to use a password manager. I type them. Some passwords
    that I consider not critical I allow firefox to remember, but there is a
    master password so that they are not stored in the clear.


    I have seen now and then editors that are able to open PGP text files,
    without saving any clear text files: i.e., working in RAM only. But
    currently I don't know any that does this in Linux.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #8
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Password Management - General Questions

    On 2014-12-06 04:13, Carlos E. R. wrote:
    > I have seen now and then editors that are able to open PGP text files,
    > without saving any clear text files: Ie, working in RAM only. But
    > currently I don't know any that does this in Linux.


    Correction: kgpg, which is not the same as kleopatra, although both are
    for KDE4, does have an integrated text editor.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  9. #9
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Password Management - General Questions

    On 2014-12-06 04:42, Carlos E. R. wrote:
    > On 2014-12-06 04:13, Carlos E. R. wrote:
    >> I have seen now and then editors that are able to open PGP text files,
    >> without saving any clear text files: Ie, working in RAM only. But
    >> currently I don't know any that does this in Linux.

    >
    > Correction: kgpg, which is not the same as kleopatra, although both are
    > for KDE4, does have an integrated text editor.


    Correction-2

    vim has a plugin:

    --------------------------------------------------------------------
    vim-plugin-gnupg - Plugin for transparent editing of gpg encrypted files

    This script implements transparent editing of gpg encrypted files. The
    filename must have a ".gpg", ".pgp" or ".asc" suffix. When opening such
    a file the content is decrypted, when opening a new file the script will
    ask for the recipients of the encrypted file. The file content will be
    encrypted to all recipients before it is written. The script turns off
    viminfo and swapfile to increase security.
    --------------------------------------------------------------------

    Emacs has a similar thing. I see a mention of EasyPG: apparently, just
    saving with a gpg extension does it. I tried and it works nicely, but
    Emacs needs getting used to. It asks the _destination_ key to use; if
    you don't select one, it uses symmetric encryption, which I'm unsure
    what it is. Maybe what the gpg man page has under "--symmetric". But what key
    is it using?

    I have seen a suggestion for CryptoTE, a gui editor. But I think it does
    not use PGP.

    Another for geany, but that's an IDE.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
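To make the plugin's mechanics concrete, here is an added example (not vim-plugin-gnupg's own code, and not posted in this thread): a hand-rolled autocmd version of what the plugin does, assuming gpg is on PATH, a default key exists, and gpg-agent/pinentry handles passphrase prompts.

```vim
" Added example, not the plugin's code: transparent editing of *.gpg,
" *.pgp and *.asc files with plaintext kept only in Vim's memory.
" Assumes gpg on PATH, a default key, and gpg-agent for passphrases.
augroup gpg_transparent
  autocmd!
  " Swap and persistent-undo files would hold plaintext; viminfo would
  " hold registers and search history. Turn all of them off first.
  autocmd BufReadPre,FileReadPre *.gpg,*.pgp,*.asc set viminfo=
  autocmd BufReadPre,FileReadPre *.gpg,*.pgp,*.asc set noswapfile noundofile
  autocmd BufReadPre,FileReadPre *.gpg,*.pgp,*.asc set nobackup nowritebackup
  " Run the gpg filters below through pipes, not temp files (Vim 7.2+).
  autocmd BufReadPre,FileReadPre *.gpg,*.pgp,*.asc set noshelltemp
  " Read the ciphertext byte-for-byte, then decrypt it in the buffer.
  autocmd BufReadPre,FileReadPre *.gpg,*.pgp,*.asc set bin
  autocmd BufReadPost,FileReadPost *.gpg,*.pgp,*.asc '[,']!gpg --decrypt 2>/dev/null
  autocmd BufReadPost,FileReadPost *.gpg,*.pgp,*.asc set nobin
  " Re-run filetype detection on the inner name (secrets.txt.gpg -> txt).
  autocmd BufReadPost,FileReadPost *.gpg,*.pgp,*.asc execute ':doautocmd BufReadPost ' . expand('%:r')
  " On write: encrypt the buffer to your own key so only ciphertext hits
  " disk, then undo the filter so the buffer you keep editing is plaintext.
  autocmd BufWritePre,FileWritePre *.gpg,*.pgp,*.asc '[,']!gpg --default-recipient-self --armor --encrypt 2>/dev/null
  autocmd BufWritePost,FileWritePost *.gpg,*.pgp,*.asc silent undo
augroup END
```

For passphrase-only encryption with no keypair, which is what EasyPG falls back to, replace the write filter with `gpg --symmetric --armor`; the key is then derived from the passphrase you type. The decrypted text still lives in Vim's memory (and could reach a core dump or unencrypted swap), so the packaged vim-plugin-gnupg, which handles these details, is the safer choice over a home-grown recipe.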

  10. #10
    Join Date
    Jun 2008
    Location
    NZ
    Posts
    1,567

    Re: Password Management - General Questions

    I think I am probably using the laziest option of all . . . using QPass, in the OSS repo.
    But looking at the description of what you want, it seems like it would be ideal.

    http://qpass.sourceforge.net/
