Storing passwords

20 replies
oshirowanen
Joined: 02/28/2014

What's the recommended FSF method of storing passwords?

lloydsmart

Joined: 12/22/2012

I don't know if it's FSF-recommended, but I use KeePass2. It's fully FLOSS and there's a PPA available on Launchpad that's compatible with Trisquel. It runs on Mono.

Dark Orange
Joined: 03/28/2014

KeePass is best

elodie
Joined: 01/31/2014

KeePass2 should be avoided. It depends on Mono, which is a huge beast with a huge potential for security holes.
KeePass is a better choice as it needs Wine or Windows and no other dependencies.

The KeePass format has the advantage of having quite a lot of apps using it. You have apps for Android and J2ME too. For *nix native you have KeePassX which is quite slim. The downside: there is no documentation.

Andrew Stephenson
Joined: 04/11/2014

I hear a brain is quite secure these days (unless you get interrogated).

On Sat, 2014-04-12 at 14:39 +0200,
name at domain wrote:
> KeePass2 should be avoided. It depends on Mono. Which is a huge beast with a
> huge potential for security holes.
> KeePass is a better choice as it needs Wine or Windows and no other
> dependencies.
>
> The KeePass format has the advantage of having quite a lot of apps using it.
> You have apps for Android and J2ME too. For *nix native you have KeePassX
> which is quite slim. The downside: there is no documentation.
>

Dark Orange
Joined: 03/28/2014

lolz

jxself
Joined: 09/13/2010

Yes - Your head is best, and this will probably help because you only need to keep the one secret in your head, while having strong passwords for each thing you need and no need to keep passwords saved away in a database:

http://jxself.org/password-generator.shtml

leny2010

Joined: 09/15/2011

You're right that the best place is your head.

However, IMO the method you describe will merely prevent the script-kiddie style bots which try common passwords. Other than those, all the method you give does is introduce another documented level of cryptographic hashing to what will mostly be a human-decided pair by some system. Therefore any cracker who profiles you as an individual and knows the definitely-not-random habits of human choosing will still be able to crack this. If you look around the web you'll find many security experts advise that for password security you need lots of _real_ entropy, not human pseudo-random 'imagination', and definitely not anything based on a system, or it's one cracked, all cracked.

jxself
Joined: 09/13/2010

I'd like to see you try. The script published does not reflect the same one I use and breaking the SHA2 hashing algorithm itself would not be trivial. Even if it were, SHA3 and other hashing algorithms are also available.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

So there's no need for shadow passwords in GNU/Linux then?

jxself
Joined: 09/13/2010

You misunderstand. The hashing in my script isn't used to hide a password. Rather, it is the password.
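The scheme jxself describes (the hash is the password, and only the master secret is memorised) and the objection leny2010 raises can both be made concrete. The block below is an added illustration, not jxself's script, which the page does not show; the "master:site" input layout, the 16-character truncation, the master secret and the candidate dictionary are all constructed for the demo. The point it shows is the one the thread circles around: recovering the master from one leaked site password never needs SHA-2 to be broken, it needs the master to be guessable, so the derived password carries no more entropy than the master does.

```python
import hashlib
import math
from typing import Iterable, Optional

# Constructed values for the demo. jxself's real script, its input format and
# its master secret are not on the page; everything below is an assumption.
MASTER_SECRET = "trisquel brain 2014"
SITE = "example.org"

# A small, constructed "profile" dictionary of the kind leny2010 describes:
# phrases someone who knows the target might try first.
CANDIDATE_MASTERS = [
    "password", "trisquel", "trisquel2014", "my secret", "brain",
    "trisquel brain", "trisquel brain 2014", "gnu is not unix",
]


def derive_password(master: str, site: str, length: int = 16) -> str:
    """Hash-as-password: SHA-256 over the master secret and site name, truncated.

    The hex output *is* the site password (the usage jxself describes), so the
    user remembers only `master`. The "master:site" layout is an assumed input
    format for this demo, not the page's script.
    """
    digest = hashlib.sha256(f"{master}:{site}".encode("utf-8")).hexdigest()
    return digest[:length]


def crack_master(site: str, leaked_password: str,
                 candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing attack against the scheme.

    Nothing about SHA-2 is broken here: given one leaked site password and a
    guessable site string, each candidate master is hashed and compared. The
    work is bounded by the master's entropy, not by the hash function.
    """
    for guess in candidates:
        if derive_password(guess, site) == leaked_password:
            return guess
    return None


def max_password_bits(length: int, master_space: int) -> float:
    """Upper bound on the derived password's entropy.

    It can carry at most 4 bits per hex character of output, and at most the
    entropy of the master, taken here as log2 of the number of equally likely
    masters the attacker must consider.
    """
    return min(4 * length, math.log2(master_space))


if __name__ == "__main__":
    site_pw = derive_password(MASTER_SECRET, SITE)
    print("site password:", site_pw)
    print("master recovered from dictionary:", crack_master(SITE, site_pw, CANDIDATE_MASTERS))
    print("bits if the master is one of 8 guesses:", max_password_bits(16, len(CANDIDATE_MASTERS)))
```

The shadow-password comparison in the thread is about hashing to store a secret; here hashing only transforms one, so a profiled master secret is the whole attack surface and the choice of SHA-2 versus SHA-3 does not change that.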

lembas
Joined: 05/13/2010

>I hear a brain is quite secure these days (unless you get interrogated).
I wonder how good an argument this is considering you still need to input the password using hardware and software, potentially vulnerable to keyloggers and network sniffers &c. And it certainly cuts down on the complexity (and in worst case the number) of the remembered passwords.

In related news I'm always shocked to see people logging in to various services using public computers, not aware of the risk or trusting the machine not to be compromised. Of course, using one-time pads would negate any such worries, but somehow I doubt too many people use such devices.

briareoh (not verified)

Try Revelation.

oshirowanen
Joined: 02/28/2014

Can't I use something like GnuPG?

alguien
Joined: 03/27/2014

Whatever you use, make sure the license respects your freedom. KeePassX is nice.

shokin
Joined: 03/01/2013

I use no software. All passwords in my head and brain.

Dark Orange
Joined: 03/28/2014

Use MATHEMATICS to generate and remember a strong password,

and remember only the logic.

G4JC
Joined: 03/11/2012

Here's at least two options.

If you have to use your head you can try XKCD's famous Horse Staple Battery Method: http://xkcd.com/936/
Generator - http://correcthorsebatterystaple.net/

Alternatively there's KeePassX (same as KeePass but doesn't need Mono), plus it's in the native repo so you don't have to worry about sketchy PPAs:
http://packages.trisquel.info/search?keywords=keepassx&searchon=names&suite=toutatis&section=all

Why to be wary of PPAs:
http://www.techrepublic.com/blog/linux-and-open-source/hand-of-thief-malware-could-be-dangerous-if-you-install-it/

oshirowanen
Joined: 02/28/2014

What's more secure?

1. Use my normal internet connected computer to install and use keepassx and use the passwords from keepassx as and when needed while connected to the internet

2. Use a separate disconnected computer which has a fully encrypted hard drive, create a text file to store the passwords. This computer will never be connected to the internet ever and will only be switched on as and when a password has been forgotten from my own memory.

I don't mind the inconvenience of option 2 if it's more secure. I mainly want a super secure backup just in case I forget a password in my head.

trillobyte

Joined: 08/10/2012

See post #6.

Best Regards

libre fan
Joined: 08/14/2011

Hello everybody,

Yes, KeePassX is a good choice (and yes, the FSF recommends avoiding Mono-based apps).

To generate random passwords, you can use KeePassX or a CLI app like apg. I don't know if both apps use the same algorithm or not. Maybe it's a good thing to use passwords generated from different algorithms.

KeePassX has a good page of help once you launch the program.

Cheers
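Two posts above suggest generating passwords rather than deriving them: G4JC's XKCD 936 passphrase method and libre fan's apg or KeePassX generator. The block below is an added example serving both, not code from the page, from apg or from KeePassX. It draws both kinds of password from the OS CSPRNG and, more usefully, computes the entropy of what it produced, which is the property that decides how long a brute-force search takes; which generator program made the string, or how many different ones you mix, does not add bits beyond what the draw itself has. The wordlist and alphabet are constructed; a real Diceware or EFF list has 7776 words.

```python
import math
import secrets
import string

# Constructed, deliberately tiny wordlist so the demo runs offline.
# A real Diceware/EFF list has 7776 entries, about 12.9 bits per word.
WORDLIST = [
    "correct", "horse", "battery", "staple", "trisquel", "gnu", "libre",
    "mono", "keepass", "wine", "entropy", "hash", "brain", "paper",
    "random", "secret",
]

# Letters and digits: the kind of alphabet apg-style generators draw from.
CHAR_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_password(length: int = 12, alphabet: str = CHAR_ALPHABET) -> str:
    """apg-style random string.

    secrets.choice is uniform and backed by the OS CSPRNG; random.choice is
    neither, and that difference matters more than which generator you run.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = " ") -> str:
    """XKCD 936 style: several words picked uniformly at random from a list.

    Repeated words are allowed; that keeps every pick independent, so the
    entropy calculation below is exact.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(draws: int, alphabet_size: int) -> float:
    """Entropy of `draws` independent uniform picks from `alphabet_size` options.

    draws * log2(alphabet_size). This counts how many guesses an attacker who
    knows the method needs, regardless of how 'random' the result looks.
    """
    return draws * math.log2(alphabet_size)


def draws_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of picks from an alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = random_password()
    phrase = random_passphrase()
    print(pw, "->", round(entropy_bits(len(pw), len(CHAR_ALPHABET)), 1), "bits")
    print(phrase, "->", round(entropy_bits(4, len(WORDLIST)), 1), "bits (tiny demo list)")
    print("words from a 7776-word list for 64 bits:", draws_needed(64, 7776))
    print("characters from 62 symbols for 80 bits:", draws_needed(80, 62))
```

With the demo's 16-word list four words give only 16 bits, which is why the size of the list, not the method, is what makes the XKCD approach work: five words from a 7776-word list reach about 64 bits, and a 12-character apg-style string from 62 symbols about 71.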