Password Management - General Questions

Over the years, I have accumulated MANY passwords for many different things. In addition to routine website passwords, there are passwords for logging onto my computers, debit cards, ATM machines, my cell phone and apps there, setting up my router, for my DSL modem, wifi connections, email accounts, website administration, and a host of other things. Then there are bank, financial and other very sensitive websites that I do not let my browser save.

In addition to usernames and passwords, there are security questions and just notes that don’t need to be public.

Right now I keep them all in a GPG encrypted spreadsheet. Naturally, I printed out a copy (16 pages) that stays on my desk, with me when I travel or in a safe. Decrypting the file to update or use it leaves an unencrypted copy somewhere if I don’t delete it and empty the trash. There has to be a better way.

Kwallet seems to be the “Password Manager” preferred by openSUSE. It works just fine in Kontact to keep up with multiple email account logins and that is all I use it for. Mozilla Firefox does a good job of taking care of low sensitivity website logins (like here). I cannot figure out how to use Kwallet for other passwords.

The other “Password Manager” that shows up in Yast software management is KeepassX but it seems to be more of a browser plugin for website passwords.

PC Magazine ranks LastPass as the top open-source password manager. Again it is primarily a browser plugin for routine website and webmail login. They do have a “local vault” that might adapt to what I need. Does anyone have any experience with it?

Maybe I am searching for the wrong thing. What is it that I am looking for?

Can someone point me in the right direction?

Cordially,
TwoHoot

I can only tell you what I do.

I use a text file, which I keep encrypted. I occasionally mail it to myself as encrypted mail (pgp encrypted), and I keep a copy of that mail on my laptop and other computers. As long as I can read encrypted mail, I can access my password database.

For routine use, I do allow “firefox” to save passwords. I set up a security key for “firefox”, so I have to type in a password for that once per firefox session. Similarly, I have some passwords in “kwallet”, and I have to unlock that once per KDE login. I set “kwallet” to stay open once it has been opened.

You talk about “firefox” and low sensitivity passwords. But if you have firefox keep the password encrypted, then I don’t see that you have to restrict it to low sensitivity. The biggest risk today is phishing sites. And “firefox” is less likely to be tricked by a phishing site.

LastPass can also handle generic notes, including attaching files to notes: https://lastpass.com/features_free.php (scroll down to “Store What Matters and Keep Your Data Safe”).

This Firefox extension might be interesting if you prefer Kwallet to Firefox itself: https://addons.mozilla.org/en-US/firefox/addon/kde-wallet-password-integratio/?src=search There are good reasons why LastPass suggests disabling the browser’s built-in password management. It is only encrypted if you also use a master password; otherwise it is pretty much clear text, so a bit too easy to extract.

I only use LastPass in a simple way, and have no interest in “Streamline Online Shopping” or other auto-filler tricks. It is an old product and as far as I know they have not messed up. Cloudy servers in the US = TOS decided by the company with optional input from state forces, or how does that work? What could go wrong? :) They did use a quite weak encryption setting, not the same as the encryption standard, for a while, but that has been fixed: https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/ I also have no idea how good their mobile apps are. It has worked almost flawlessly for me on Firefox for 3 years or so. There can be sites where it messes up auto-login, but often there are fixes. I mostly use it manually, so LastPass only hints that a login is available, then I activate it. No toolbar or anything silly, just one button. I never got into auto-everything because I dislike it. I use it for certain things though, and it mostly works.

On Windows I also used AxCrypt (http://www.axantum.com/AxCrypt/). It was convenient, and that is super important if you plan to edit.

Not sure it is a good idea to print out and carry all your codes. Bad habit, and that is what LastPass or similar is for. LastPass has more tools; check “LastPass Portable for Firefox”, “LastPass Sesame (openSUSE)” and “LastPass Pocket (openSUSE)”. I have not played with them yet, but I see openSUSE mentioned :) There is a bit more for Windows.

This is a common problem (and not everyone does something sensible about it):

The first thing is to split things up into classifications, as you seem to be doing. OK, if someone logged in to this site as me, it could be embarrassing, but not a disaster. On the other hand, stuff with banking, (potentially) bills and credit cards could have far worse implications, and you need to keep that kind of distinction in mind. Those sites that ask your mother’s maiden name and your shoe size are a bit of a pain, because that info, even if it is for a low-danger site, could be used to negotiate access to some other site. So your shoe size suddenly takes on the degree of criticality of the most critical site you use it on (and you may well have forgotten that this was one of your fallback security questions on some site you haven’t visited for years).

Agreed.

I’m not sure that it is that simple. Kwallet seems to be used by Firefox and NetworkManager, but not by Opera, which uses its own system. Now, the problem with using a browser password manager is that you can’t extract the user/password details if you need them, and you can’t append extra notes. You need to extract the details if the target website changes its log-in arrangement (say, changes the URL that the site has for its log-in page; my web e-mail provider used to do this every six months or so, and hasn’t done it for some time, so they are probably about to do it to me, and this very site has done it to me in the past; inconvenient!).

Be a bit careful; I believe that KeepassX is the cloud version of Keepass (which was also in a repo for an older version of oS, not sure about current versions). Now, at the time, my feeling was saving passwords in the cloud was the very sort of thing that I didn’t want to do. Since then, I have become persuaded that there would be a convenience advantage in ‘passwords-in-the-cloud’ for cross-platform and cross-machine usage, but I am still not totally convinced that I can trust the security aspects. YMMV.

There are also some password-managers-as-browser-plugins (eg, for Firefox; not sure about Chrome/Chromium), but you probably have to get those from the browser’s own ‘app-store’ of widgets and extensions.

I can say keepass does what I want;

  • it can generate (pseudo)-random passwords, with sets of rules (eg, which characters are allowed, password length, etc)
  • it can store separately generated passwords
  • it can make its passwords available for cut ’n’ paste to other locations/applications
  • it can store supplementary notes
  • it organises passwords in a vaguely sensible way (ie, you can keep different classes of password in different folders within the app)

At the time, I am sure that I looked at LastPass, but I can’t recall what I didn’t like about it. Maybe, I just tried Keepass first, and found it ok.

My MO now is to generate passwords in keepass, enter them with my browser, and if the browser also offers to store it, let it (for convenience). This is not the optimum from an ‘attack surface minimisation’ point of view (there are two apps that could potentially be attacked rather than one), but there is a lot of the higher-security stuff that I just won’t do with a computer (more out of fear that, eg, the banking institution itself is insecure, rather than anything else. I mean, there have been cases, and those are the ones we know about, and the banking industry does like to keep them quiet, obviously).

So far, the consensus seems to be about what I am doing: 1) let Kwallet and Firefox do their thing for routine stuff and 2) don’t keep critical data on the cloud.

It was interesting to note that nrickert (who has a lot of SUSE salad creds) keeps a locally encrypted text file. Mine is an encrypted spreadsheet, but the concept is the same.

The software I would like to install would:

  • run locally with no internet connection (browser or other) at all
  • allow easy new entries, edits and deletions
  • employ solid encryption that automatically deletes and wipes residual unencrypted copies when closed

Do any of the applications discussed so far do this?

This is beginning to sound more like a secure local database than what is commonly referred to as a Password Manager.

Thanks to everyone for the thoughtful replies. You have clarified my thinking. Maybe there is more to come!

Cordially,
TwoHoot

Yes, it is about the same. Both make it fairly easy to add all kinds of notes.

At times, I need a local unencrypted copy of the file while editing. I keep that in an “ecryptfs” private directory. So I see it unencrypted, but it is really encrypted on disk.

On 2014-12-06 00:46, TwoHoot wrote:

> Right now I keep them all in a GPG encrypted spreadsheet. Naturally, I
> printed out a copy (16 pages) that stays on my desk, with me when I
> travel or in a safe. Decrypting the file to update or use it leaves an
> unencrypted copy somewhere if I don’t delete it and empty the trash.
> There has to be a better way.

Mine is simply a password protected spreadsheet (not PGP, yet), on an
encrypted partition.

If your home is encrypted, and the spreadsheet uses your home for
temporary space, there should not be any unencrypted copies.

I do not want to use a password manager. I type them. Some passwords
that I consider not critical I allow firefox to remember, but there is a
master password so that they are not stored in the clear.

I have seen now and then editors that are able to open PGP text files
without saving any clear text files, i.e., working in RAM only. But
currently I don’t know any that does this in Linux.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-12-06 04:13, Carlos E. R. wrote:
> I have seen now and then editors that are able to open PGP text files,
> without saving any clear text files: Ie, working in RAM only. But
> currently I don’t know any that does this in Linux.

Correction: kgpg, which is not the same as kleopatra, although both are
for KDE4, does have an integrated text editor.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-12-06 04:42, Carlos E. R. wrote:
> On 2014-12-06 04:13, Carlos E. R. wrote:
>> I have seen now and then editors that are able to open PGP text files,
>> without saving any clear text files: Ie, working in RAM only. But
>> currently I don’t know any that does this in Linux.
>
> Correction: kgpg, which is not the same as kleopatra, although both are
> for KDE4, does have an integrated text editor.

Correction-2

vim has a plugin:

+++--------------------------------------------------------------------------
vim-plugin-gnupg - Plugin for transparent editing of gpg encrypted files

This script implements transparent editing of gpg encrypted files. The
filename must have a “.gpg”, “.pgp” or “.asc” suffix. When opening such
a file the content is decrypted, when opening a new file the script will
ask for the recipients of the encrypted file. The file content will be
encrypted to all recipients before it is written. The script turns off
viminfo and swapfile to increase security.
-----------------------------------------------------------------------------+++

Emacs has a similar thing. I see a mention of EasyPG: apparently, just
saving with a gpg extension does it. I tried it and it works nicely, but
emacs needs getting used to. It asks for the destination key to use; if
you don’t select one, it uses symmetric encryption, which I’m unsure
what it is. Maybe what the gpg man page has under “--symmetric”. But what key
is it using?

I have seen a suggestion for CryptoTE, a gui editor. But I think it does
not use PGP.

Another for geany, but that’s an IDE.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

I think I am probably using the laziest option of all . . . using QPass
in the OSS repo.
But looking at the description of what you want, it seems like it would be ideal.

http://qpass.sourceforge.net/

This reads like exactly what I am looking for. The laziest option that works is the best option IMO.

But …

I do not see it in my OSS repo and can’t install it from Yast Software Management. Also, KeepassX is available but Keepass is not.

For experts, that might not seem like a problem: just download it and install it from the link you provided. I can do that. The problem is that I am not competent to determine whether an application is safe and secure. Installing software willy-nilly from the internet is asking for trouble, in my opinion. I try to use what openSUSE offers. Is that being paranoid or good practice?

Cordially,
TwoHoot

On 2014-12-06 15:46, TwoHoot wrote:

>> http://qpass.sourceforge.net/
>
> This reads like exactly what I am looking for. The laziest option that
> works is the best option IMO.
>
> But …
>
> I do not see it in my OSS repo and can’t install it from Yast Software
> Management. Also, KeepassX is available but Keepass is not.

Just use the search package functionality on the opensuse.org site, and
you will find the qpass package in kde:extra.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

I found the Repository openSUSE Build Service - KDE:Extra in Yast “Software Repositories” and installed it. Then I was able to find and install qpass with Yast “Software Management”. Thank you for pointing me in the right direction.

When I try to install the openSUSE Build Service - MONO:Community (where KeePass should be), I get an error message that says:
“Adding openSUSE Build Service - MONO:Community” failed.

What does that mean? (other than it failed)

Cordially,
TwoHoot

On 2014-12-06 20:46, TwoHoot wrote:

> When I try to install the openSUSE_Build_Service-MONO:Community
> (where KeePass should be), I get an error message that says:
> “Adding openSUSE Build Service - MONO:Community” failed.

Typically, that the URL is bad, so verify it is correct.

Me, I would add the repo manually with “zypper”, which can be more
verbose in its error messages.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

oh yes, of course, my apologies.
QPass is in the KDE: Extra repo as has already been pointed out.

That is the way I do it, too, with the same reasoning.

> I do not want to use a password manager. I type them.
>
> Some passwords that I consider not critical I allow firefox to remember, but there is a master password so that they are not stored in the clear.

I just do not allow Firefox (or any browser) to remember any passwords. Despite my otherwise memory problems, I seem to have no problem remembering most of my passwords (and they are quite complex).

Actually, I am a touch-typist, and I think that it is my fingers that do the password-memory recall. ;)

Qpass does everything I said I wanted in post #5 of this thread. I started populating it with passwords this morning.

Thanks to everyone who contributed.

Cordially,
TwoHoot

Looking at the ‘get it’ software search, Keepass is available for 12.2, 12.3, 13.1 and Tumbleweed. Not 13.2, although I am assuming that that should read ‘Not 13.2, yet’. One of the problems with getting things from ‘personal’ repos is that they are often not available when a new release initially comes out, so this is a worthwhile reminder of that phenomenon. A bit of a pain, but seemingly inevitable.

There are also keepassc (curses-based), keepassx and keepassx2. I am really totally unclear about the difference between keepassx and keepassx2, as the descriptions seem to be the same.

Currently, I am getting mine from the slightly obscure

Distribution home:mournblade:branches:home:rjlemley76:branches:Mono:Community / openSUSE_12.3
Vendor: obs://build.opensuse.org/home:mournblade

and it sounds like I might have to swap to something slightly different when I upgrade from 12.3. Ho, hum; good to be informed, I suppose.