How do you manage your passwords?

We all know that passwords suck, that they are the nightmare of every administrator and security person. So many hacks have been made easier because the victims reused the same password everywhere: email account, forum, bank, critical systems…

Sadly, so far, there is not even the beginning of a replacement solution. Passwords will be with us for a long time, so we had better use them properly.

Yes, I am aware of the many password managers out there (LastPass, 1Password, KeePass, etc.). However, I don’t feel comfortable with having all my passwords stored somewhere on-line, even if the hosted services claim, and I believe they are sincere, that they use strong encryption and cannot access the content.

Instead, I use a combination of the Firefox password manager and the Pwgen add-on. I use the add-on to quickly and conveniently generate a random password when I sign up for a web service. When Firefox prompts for it, I just choose to remember the password. Quick and dirty single sign-on. Note that Firefox only encrypts the stored passwords with a key you control if you set a master password; without one, anybody who can read your profile directory can recover them.

For the other passwords, which I can’t memorize and don’t need to, I store them in a local encrypted file.

To edit the file, I simply use Vim with this nice GPG plugin:

  • copy gpg.vim to /home/$user/.vim/plugin
  • if not done yet, generate your GPG key:
     $ gpg --gen-key
  • Encrypt your password file and erase the plaintext (keep in mind that rm only unlinks the file; on a journaling filesystem or an SSD even shred gives no guarantee that the plaintext blocks are gone, so the safest habit is to never write the plaintext to disk in the first place):
    $ gpg --encrypt --recipient 'your name' passwords
    $ rm passwords
  • Now it’s done. Just edit passwords.gpg to decrypt and access your passwords (you will be prompted for your passphrase). Check that the plugin disables swap, backup and undo files for that buffer; otherwise Vim would write the decrypted text into .swp or ~ files right next to the encrypted one:
    $ vim passwords.gpg

If you don’t like the overhead of GPG, a more straightforward solution is to use the OpenSSL plugin:

  • Copy the openssl.vim file to /home/$user/.vim/plugin as well.
  • Now, encrypt the file with, say, AES (note the .aes file extension, which tells the plugin which cipher to use):
    $ openssl aes-256-cbc -in passwords -out passwords.aes
  • Decryption happens as soon as you open the file in Vim:
    $ vim passwords.aes
  • Be aware of what you trade for the simplicity: with a passphrase, openssl enc derives the key with its legacy scheme (a single hash pass over the passphrase, MD5 in older releases, SHA-256 since 1.1.0) unless you add -pbkdf2 (OpenSSL 1.1.1 and later), and AES-CBC provides no integrity check, so a tampered file may silently decrypt to garbage instead of failing. Whatever options you pick, the plugin has to call openssl with the same ones.

I believe that, if not perfect, it is pretty secure; no more, no less than your system is. Anyway, I don’t have any need for an on-line manager. And you, how do you manage your passwords? Let us know your tips.

6 thoughts on “How do you manage your passwords?”

  1. Jeff

    I wrote an encrypted password repository in C++ (Qt4) which provides customizable templates for various classes of web activity. It has the usual bells and whistles (a password generator with adjustable complexity, use of the clipboard, auto launch of browser, auto-paste, activity log, etc). I use it to store not only passwords, but all sorts of private information (account numbers, security questions, credit card numbers, etc).

  2. phocean Post author

    @crrodriguez: I didn’t know about their “Sesame” service, which is a nice feature.

    @Jeff: it sounds very interesting. It is exactly the kind of tool I am looking for. Have you or do you plan to release it?

  3. k

    I use Firefox Sync.

    Unlike Lastpass and 1Password, their server is open source (howto run it at http://docs.services.mozilla.com/howtos/run-sync.html), so I trust the server implementation a lot more. Although I haven’t pored through the source myself, the simple fact that the only way to recover data is through the recovery key makes me quite confident in them (i.e. they have no stupid “password reset” option, it’s my responsibility alone to secure my key). Authenticating a new device requires either physical access to one of your other devices, or access to the recovery key.

    Since passwords are stored locally, I also use a master password with Firefox – even if you don’t use Sync, you really should use a master password, otherwise your passwords are all but plain text.

    So far I’ve been generating passwords by the good old method of keyboard bashing and copy-pasting random snippets, but I’m installing the pwgen addon now to see if it doesn’t make password generation a bit simpler. I really wish Firefox had a built-in “create a random password and store it” feature.

    One thing that might be less secure about my setup than Lastpass is lack of multifactor authentication. With Lastpass Sesame, an attacker needs both to know your password, and have that physical usb drive (of course, a trojan could copy the contents of the usb drive, so the Lastpass system is not as secure as password+yubikey). With Firefox Sync, they need either my physical device or my recovery key (currently only stored on printed paper), so I’ve got the physical part of two-factor auth, but no password. I’m not sure it’s that much less safe than Lastpass – physical access is something I control, while passwords are cracked by the million each day – but it still means I don’t store my most important password (email) in Firefox Sync. That one’s committed to memory. I’m not sure what the best solution would be though, security is tough!

  4. phocean Post author

    @k
    Thanks, good post.

    Yes, Firefox Sync looks good and you summarize well the pros and cons of each solution.
    Note that you are still limited to Internet passwords inside a single browser, while other solutions tend to work system wide.

    However, Firefox Sync is still a cloud solution even if they have no direct access to your content.

    For my most important passwords, I still don’t want to store them online. So I keep using the gpg file, and I also use the keychains offered by the OS.
    Now that I mainly run Mac OS, I can tell that the Mac keychain works pretty nicely. Google it and you will see that the crypto is strong and well done… but it is still vulnerable (though the attack requires having a user account on the system, so the use case is pretty limited).
    When I was on Linux for my desktop, I also used Gnome Keyring, which was also not bad.
    I haven’t checked it, but it seems that Windows 8 now also has a password manager.
