
Re: Password Manager opinions and recommendations




On Sun, 25 Mar 2018 11:52:13 -0400 rhkramer@xxxxxxxxx said:

> I started reading up on password managers in order to consider using
> one.  
> 
> Up until now, I've made up passwords myself, and stored them in an
> encrypted file.  Some of the drawbacks include: 
> 
>    * I keep the passwords on the short side
>    * I don't change the passwords as often as I should
>    * I sometimes use the same password on more than one site
> 
> All of the above because it is not convenient enough for me to do
> better.

A redacted and grouped output of "apt-cache search password manager" on
Buster:

"pass" family:
pass - lightweight directory-based password manager
qtpass - GUI for password manager pass
pass-extension-otp - pass extension for managing one-time-password tokens
webext-browserpass - web extension for the password manager pass

"kwalletmanager" family:
kwalletmanager - secure password wallet manager
xul-ext-kwallet5 - kwallet integration for firefox

"passwordsafe":
passwordsafe - Simple & Secure Password Management
passwordsafe-common - architecture independent files for Password Safe

"keepass" family:
keepassx - Cross Platform Password Manager
keepassxc - Cross Platform Password Manager
kpcli - command line interface to KeePassX password manager databases
(I don't know the difference between keepassx and keepassxc - their
detailed description is ditto word for word.)

"keepass" continued:
keepass2 - Password manager
keepass2-doc - Password manager - Documentation
(seems to be an offspring of keepass family)

Others:
cpm - Curses based password manager using PGP-encryption
gringotts - secure password and data storage manager
impass - Simple and secure password management and retrieval system
xul-ext-password-editor - edit password manager entries in Mozilla applications
password-gorilla - cross-platform password manager
pypass - lightweight directory-based password manager in python

> My head is just not "into" reading about password managers--it just
> seems to be too boring to really get into, so, I thought I'd try
> posting here to get opinions and recommendations from the list.  (I
> am continuing my effort to read--maybe I'll get a renewed burst of
> enthusiasm after I send this ;-)

For me, I use none of the above. I generate a hundred or so random
alphanumeric strings and save them in a plain text file as an "instant
password source". I then consume them one by one whenever I need a new
password. I keep all my actual passwords with other relevant info in an
html file (a huge table) and keep them all in a high-security
environment. I just copy-paste a password from that html table whenever
I need it (it is open all the time in a background browser tab). Never
share that file between devices. That means I concentrate all my
security sensitive procedures on a single machine.

I do KISS. The more it is "featureful" (aka complicated) the more there
is a chance of password leak (bugs, momentary carelessness, more attack
vectors, etc.)

Regards
-- 
Abdullah Ramazanoglu
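
The "instant password source" workflow described in the message above, sketched as an added example that is not the poster's own code: a pool of random alphanumeric strings drawn from the OS CSPRNG, stored in an owner-only file, and consumed one at a time so no entry is handed out twice. The function names, the 20-character length and the pool path are assumptions made for illustration.

```python
import math
import os
import secrets
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits  # 62 alphanumeric symbols


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(len(alphabet))


def make_pool(path, count=100, length=20):
    """Write `count` random passwords, one per line, to a new 0600 file."""
    # O_EXCL refuses to overwrite an existing pool; the mode is set at
    # creation time, so the file is never briefly readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        for _ in range(count):
            # secrets.choice draws from the kernel CSPRNG and is unbiased,
            # unlike random.choice or "urandom byte modulo 62".
            f.write("".join(secrets.choice(ALPHABET) for _ in range(length)) + "\n")


def take_password(path):
    """Return the next unused password and remove it from the pool."""
    with open(path) as f:
        lines = f.read().splitlines()
    if not lines:
        raise RuntimeError("pool exhausted; generate a new one")
    # Write the remainder to a temp file in the same directory (mkstemp
    # creates it 0600) and rename over the pool, so an interrupted run
    # leaves either the old pool or the new one, never a truncated file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.writelines(line + "\n" for line in lines[1:])
    os.replace(tmp, path)
    return lines[0]


if __name__ == "__main__":
    pool = os.path.join(tempfile.mkdtemp(), "pool.txt")  # constructed demo path
    make_pool(pool)
    print(take_password(pool), f"({entropy_bits(20):.0f} bits)")
```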