Re: Password Manager opinions and recommendations

On 03/26/2018 12:52 AM, rhkramer@xxxxxxxxx wrote:
> I started reading up on password managers in order to consider using one.  

Good! Welcome aboard.

> Here are some of what I think are my criteria for a password manager:
>    * encrypted storage on my own machines (no storage "in the cloud")
>    * ability to transfer to other devices, including Android tablets and 
> phones--either all the passwords or just one for some special logon on a 
> machine I don't normally use.  Currently I do almost everything (that requires 
> a password) on one of my desktop computers.  I have a laptop that I use very 
> occasionally.  Occasionally I've had to go to a library (or similar) to use a 
> Windows machine.  I do have an Android tablet and phone, and, in general, I 
> don't use that for confidential type stuff (no banking, for example), but that 
> could change if either I feel very secure or in some sort of extreme 
> emergency.
>    * (a repeat of part of the previous bullet) a means to easily take an 
> individual password to another machine for occasional use of another machine 
>    * a means to recover all the passwords if the password manager becomes 
> defunct (and this also implies backup and restore capabilities)
>    * a means to automatically generate secure passwords
>    * a means to automatically update passwords on the target websites (to 
> facilitate regular / frequent password changes)--this is probably a stretch--I 
> mean something that would work its way through the various screens and prompts 
> to change a password with a minimum of manual intervention by me

I think pass (https://www.passwordstore.org/) meets most of your
requirements. It's a glorified shell script that calls gpg under the
hood to create passwords that are stored locally (under ~/.password-store).

- It does not have a network component.
- You can transfer individual password files, decrypt them yourself with
gpg, etc.
- Very straightforward to decrypt with a simple shell script.
- Uses pwgen to generate passwords, if requested. You can customize
generation a bit (no special characters, etc.)
- It does not handle automatic password updates.

It would also be trivial to modify the script to use some other password
generator, and of course you can input your own passwords.

The pass package in Debian also includes the passmenu utility, which
uses dmenu to automatically type in your password for you. I highly
recommend you use this or some other frontend, as copy-pasting passwords
becomes a chore. Let the password manager type it out for you!

That is one disadvantage of pass, though. It does not have a built-in
frontend, so it requires you to install some other piece if you want to
use it more efficiently.

Also note, if you decide to use passmenu, I think there was some bug
where it did not properly escape text when typing it in for you. Not
sure if it was patched or if the bug is still open. If it gives you
trouble, just grab the latest version from the pass git repository.

> As an alternative to a password manager, I may create my own memorizable 
> password generator "algorithm" that I can mostly use "in my head".  For 
> instance, it could be something like this:
>    * think up a multiword phrase, possibly with a mnemonic connection to the 
> target website (or, have a means to extract them from a book, e.g., the 3rd 
> sentence of the 5th chapter of War and Peace--or maybe the first sentence in 
> the book that contains the word bank would become the passphrase for my bank).
>    * have a consistent substitution algorithm, which might do things like 
> this:
>       * capitalize the nth letter of each word (or the nth letter of the first 
> word, the (n+1)th letter of the 2nd word, ...
>       * substitute (or insert) a punctuation mark for (like above) the mth 
> letter of each word (or the mth letter of the first word, the (m+1)th letter of 
> the 2nd word, ... --the punctuation might be selected in, for example, keyboard 
> order (or reverse keyboard order) across the numeric keys (e.g., !@#$%^&*() 
> (although maybe some of those might be invalid in (some?) passwords)
>       * some other similar generation rules
> Obviously, having "published" these ideas, my actual implementation will be 
> somewhat different ;-)

About that, I would suggest you just use diceware
(http://world.std.com/%7Ereinhold/diceware.html). The page includes
instructions on adding special characters/etc to increase
entropy/satisfy dumb requirements.

The reason for this is that you are guaranteed a certain amount of
entropy even if your method of generating passwords is revealed, even if
they know which wordlist that you use.

Something like what you describe might possibly be safer, but you can't
really quantify how much security you would be giving up by omitting
some step, or how worried you should be about having some of the steps
revealed by accident or by other, more nefarious means. Don't take
chances when generating passwords.

Also, diceware passwords are surprisingly easy to remember, even if they
don't have some kind of mnemonic relation to the site it's for.
Remembering multiple 6~8-word passwords is not that hard if you use them
relatively often.
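The Diceware point above (entropy is guaranteed by the size of the wordlist and the number of words, even when the method and the list are public) can be checked with a few lines of Python. The following is an added example written for this archive page, not code from the poster or from the Diceware project. It uses a constructed 36-word toy list indexed by two dice (a real Diceware list has 7776 words indexed by five dice); the function names `roll_key`, `diceware_phrase`, `entropy_bits` and `words_needed` are this example's own. Dice are rolled with the `secrets` module rather than `random`, since passphrase generation needs a CSPRNG.

```python
import math
import secrets

# Constructed toy wordlist: 36 words, one per two-dice roll "11".."66".
# A real Diceware list has 6**5 = 7776 words selected by five dice; only
# the size differs, the entropy arithmetic below is the same.
_TOY_WORDS = ("acid apple arch bark bell bird bolt book cake card cart cave "
              "clay coin cord crab dart dawn deer dish door dust echo fern "
              "fire fish flag foam fork frog gate gift goat gold gull harp").split()
DICE_PER_WORD = 2
TOY_WORDLIST = {
    f"{a}{b}": word
    for (a, b), word in zip(((a, b) for a in range(1, 7) for b in range(1, 7)),
                            _TOY_WORDS)
}
REAL_DICEWARE_SIZE = 6 ** 5  # 7776 words, five dice per word


def roll_key(dice=DICE_PER_WORD):
    """Roll `dice` fair six-sided dice with a CSPRNG; return e.g. '35'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def diceware_phrase(n_words, wordlist=TOY_WORDLIST, dice=DICE_PER_WORD):
    """Pick n_words words by independent dice rolls; returns a list of words."""
    return [wordlist[roll_key(dice)] for _ in range(n_words)]


def entropy_bits(wordlist_size, n_words, extra_choices=0):
    """Entropy of a phrase of n_words words drawn uniformly from wordlist_size.

    This is the guarantee the post refers to: it holds even if the attacker
    knows the wordlist and the method. extra_choices models an added random
    element (e.g. one special character chosen uniformly from N symbol/position
    combinations), which adds log2(N) bits.
    """
    bits = n_words * math.log2(wordlist_size)
    if extra_choices > 0:
        bits += math.log2(extra_choices)
    return bits


def words_needed(wordlist_size, target_bits):
    """Smallest number of words giving at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = diceware_phrase(5)
    print("toy phrase:", " ".join(phrase),
          f"({entropy_bits(len(TOY_WORDLIST), 5):.1f} bits)")
    print("6 real Diceware words:",
          f"{entropy_bits(REAL_DICEWARE_SIZE, 6):.1f} bits")
    print("words for 80 bits, real list:",
          words_needed(REAL_DICEWARE_SIZE, 80))
    print("words for 80 bits, toy list:", words_needed(36, 80))
```

Six words from the real 7776-word list give about 77.5 bits; the toy list needs sixteen words for the same 80-bit target, which is why the list size matters as much as the word count. The entropy figure does not depend on secrecy of the list, which is exactly what a home-made "in my head" substitution scheme cannot offer.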