What password manager do you use?


#22

This is a great alternative. I use KeePass too, but based on your reply, this is a good thing for me to learn.


#23

There are some good options on the list, but sadly none of them seem to satisfy my needs. Perhaps it’s not the best thing in the world, but personally I use the native macOS Keychain, and I keep it in sync with my iCloud account.

Please note that this is only for some passwords I really need to save or have for later use, like a recovery key or something, not my day-to-day passwords, which I keep in my own mind.

:slight_smile:


(Command-Line Ninja) #24

Try pass. I think with a home server, you’ll struggle to find something it can’t do.


(Dimitris Zervas) #25

Beware: BACKUP, even the home server


#26

I started with 1Password. It is very user friendly, but after they changed their model from “buy once” to a “monthly fee” plus a cloud service I am a bit less happy with it. I tried to migrate to desktop Debian, but getting Debian to work as well on a Mac as Mac OS X does is a nice dream, so instead I started to migrate from 1Password to KeePass. I have some trouble getting KeePass to sync well over Nextcloud with my phone…


(Full Snack Developer) #27

Sorry I didn’t sell pass very well, @pry0cc lol. I just described my workflow and I don’t use any adapters/extensions.


(Command-Line Ninja) #28

I’m now using the full synchronisation workflow, and it’s still very secure compared to LastPass. More secure, even.

I must say, the autofill kind of sucks on Android, but it works. I miss the ability to log in with my fingerprint. And as for the Firefox plugin, if you want to save passwords with it, you have to do it manually.

Apart from that it’s kick-ass. I really love the simplicity of it. I can literally put all the files on a backup thumb drive, put it in a safe and be done with it. That is just awesome.


#29

Nuff said


#30

Alternatively, you can use this PAM module to do all your authentication:

/*
 * Quiz PAM module: picks one of five questions from the current UTC second
 * and succeeds only if the SHA-256 of the typed answer matches a stored hash.
 * Build: gcc -shared -fPIC -o pam_quiz.so pam_quiz.c -lpam -lcrypto
 */
#include <openssl/evp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>	/* pam_prompt(), pam_info() (Linux-PAM) */

/* Each question with the lower-case hex SHA-256 of its expected answer. */
static const struct {
	const char *question;
	const char *answer_hash;
} quiz[] = {
	/* 42 */
	{ "What is the ultimate answer to life the universe and everything?\n",
	  "73475cb40a568e8da8a045ced110137e159f890ac4da883b6b17dc651b3a8049" },
	/* There is no rule 6 */
	{ "What is rule 6?\n",
	  "fb6e39a65d11e475b083c409835cf90c776446476ce80d1f498824063bdb2bfd" },
	/* 0 */
	{ "Array starts at?\n",
	  "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9" },
	/* no */
	{ "Do we need more systemd?\n",
	  "9390298f3fb0c5b160498935d79cb139aef28e1c47358b4bbba61862b9c26e59" },
	/* more */
	{ "less is:\n",
	  "187897ce0afcf20b50ba2b37dca84a951b7046f29ed5ab94f010619f69d6e189" },
};
#define QUIZ_LEN ((int)(sizeof(quiz) / sizeof(quiz[0])))

/* Hex-encoded SHA-256 of a NUL-terminated string, written into output[65].
 * EVP_Digest() replaces the SHA256_Init/Update/Final trio, which OpenSSL 3
 * marks as deprecated. */
static void sha256_hex(const char *input, char output[65])
{
	unsigned char hash[EVP_MAX_MD_SIZE];
	unsigned int hash_len = 0;
	unsigned int i;

	EVP_Digest(input, strlen(input), hash, &hash_len, EVP_sha256(), NULL);
	for (i = 0; i < hash_len; i++)
		sprintf(output + (i * 2), "%02x", hash[i]);
	output[hash_len * 2] = '\0';
}

/* PAM entry point: authentication verification */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	const char *user = NULL;
	char *answer = NULL;
	char answer_hashed[65];
	size_t answer_len;
	int ok;
	time_t now = time(NULL);
	struct tm *utc = gmtime(&now);
	/* "Random" pick: the current second modulo the number of questions. */
	int pick = utc ? utc->tm_sec % QUIZ_LEN : 0;

	(void)flags; (void)argc; (void)argv;

	/* The user name plays no part in the quiz; it is fetched only so that
	 * PAM_USER is populated for the rest of the stack. */
	pam_get_user(pamh, &user, NULL);

	/* A module never owns stdin: printf()/fgets() only happen to work when
	 * the calling program is a terminal login. Ask through the application's
	 * conversation function instead; echo is off because the answer is the
	 * credential. pam_prompt() mallocs the response, so it must be freed. */
	if (pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &answer, "%s",
		       quiz[pick].question) != PAM_SUCCESS || answer == NULL)
		return PAM_AUTH_ERR;

	answer_len = strlen(answer);
	answer[strcspn(answer, "\r\n")] = '\0';	/* safe even for an empty answer */
	sha256_hex(answer, answer_hashed);
	ok = strcmp(answer_hashed, quiz[pick].answer_hash) == 0;

	memset(answer, 0, answer_len);
	free(answer);

	if (!ok)
		return PAM_AUTH_ERR;
	pam_info(pamh, "Success!");
	return PAM_SUCCESS;
}

/* The remaining entry points exist only so the module can be listed under
 * every facility; they do nothing. */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	(void)pamh; (void)flags; (void)argc; (void)argv;
	return PAM_SUCCESS;
}

int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	(void)pamh; (void)flags; (void)argc; (void)argv;
	return PAM_SUCCESS;
}

int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	(void)pamh; (void)flags; (void)argc; (void)argv;
	return PAM_SUCCESS;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	(void)pamh; (void)flags; (void)argc; (void)argv;
	return PAM_SUCCESS;
}

int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	(void)pamh; (void)flags; (void)argc; (void)argv;
	return PAM_SUCCESS;
}


(fxbg) #31

Not sure why people would use a password manager.


(oaktree) #32

Lots of reasons:

You shouldn’t use the same password twice. When you have as many accounts as the modern user, it’s hard to remember them all without writing them down or storing them somehow. Password managers offer a secure way to store all those passwords.


(fxbg) #33

That’s true to a degree, but I like to use the same passwords here and there; most of the time the passwords are for useless accounts I don’t care about. I don’t use my bank password anywhere else, and I don’t use my email password anywhere else. For things like forums or GitHub, some of those are multiple-use cases. Maybe I just don’t have enough passwords to use a manager lol


(Command-Line Ninja) #34

“Useless accounts I don’t care about” might actually have more use to an attacker than you think. In the information gathering stage, depending on how intense it is, a compromise of one of your accounts may become another vector, another foothold to your downfall.

For example your security data, your date of birth, your address: all little pieces of the puzzle that could lead to a larger attack. Here is an example: perhaps they compromise a photo-sharing account. Nothing they can do with that, right? Wrong. They can gather very useful information through the images you post, where they were posted, past addresses, perhaps even enough information to fill out a recovery question form.

It could be used as a pivot of trust. Dropbox account hacked, backdoor a PDF on that account, wait a few months, bam, you got a shell.

Do you see my point? That is why you would use a password manager, that & 2FA, you remove that possibility.


(fxbg) #35

They can only have as much information as they can get. “Useless accounts I don’t care about” will obviously not have personal information about myself, or any information (except maybe an IP or referring site to ID me with).

I still don’t see how using a password manager is safer, aren’t you putting all your eggs in one basket? Wouldn’t an attacker know which sites to target from a look at your manager?


(Command-Line Ninja) #36

Of course they would. Single points of failure are a problem in a way, but it means you have less to secure. Something that is PGP-secured with a hardware wallet is very hard to compromise without physical access.

It’s a long-running argument; the ultimate solution was to be able to remember all your passwords. Mind palace and memory techniques, anybody?


(Silur) #37

passwordstore.org <3


(Dubious Mind) #38

I used to use mSecure and was very happy with it, until they changed it to a web service for V5.

After analysing their technology and discussing the security issues with the CEO (he became interested after I reverse engineered their desktop app and started asking questions in their forum!), I decided to move to enPass, which has great UI and allows you to store your data where you want it.


#39

I’m in the process of switching to 1password.

I’ve been using KeePass for years, but it’s always been a massive nuisance on mobile, in my opinion at least.

Work made me use 1password for work stuff, and I’ve actually found it really convenient - hence the switch.

(there’s also the fact that keepass sometimes seems to randomly crash on my Linux machine, which is irritating)


(Jalal Ssela) #40

This simple Python script decrypts all accounts and passwords stored in FF:


Enjoy :wink:


(mad scientist and king skid) #41

In the case of Firefox, if a strong Master Password is chosen, account details are very unlikely to be harvested.

Doesn’t this still hold even in the case of the script?
If I, as an adversary, were to run this script on a computer with just ./firefox_decrypt.py, it wouldn’t do much without a master password. One could argue one could brute-force it, but then again the point above still holds.
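To make the brute-force argument in the post above concrete, here is an added example that is not from the original thread and is not Firefox's own key4.db scheme: a generic master-password vault check built on PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count, the `vault-check` label, the demo password and the wordlist are assumptions for illustration. The point it shows is that the file on disk holds neither the password nor the key, so a copied vault leaks nothing by itself, and that every guess an attacker makes costs the full iteration count.

```python
"""
Master-password vault check: PBKDF2-HMAC-SHA256 turns the master password
into a key; a keyed check value stored beside the salt lets the client
tell right from wrong without keeping the password or the key on disk.
Generic illustration only (not Firefox's key4.db format).
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000          # assumed work factor; real products tune this
KEY_LEN = 32
CHECK_LABEL = b"vault-check"  # assumed fixed label for the verifier MAC


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What ends up on disk: salt, iteration count and a MAC under the key.
    Neither the password nor the derived key is stored."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(vault: dict, candidate: str) -> Optional[bytes]:
    """Return the key if the candidate is the master password, else None.
    compare_digest avoids a timing side channel on the check value."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, vault["check"]) else None


def brute_force(vault: dict, wordlist) -> Tuple[Optional[str], int, int]:
    """Offline guessing against a copied vault file. Returns (hit, guesses,
    PBKDF2 iterations spent): every guess costs the full iteration count,
    which is what makes a strong master password expensive to recover."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if unlock(vault, guess) is not None:
            return guess, guesses, guesses * vault["iterations"]
    return None, guesses, guesses * vault["iterations"]


if __name__ == "__main__":
    # Constructed demo data, not real credentials.
    vault = create_vault("correct horse battery staple", iterations=20_000)
    print("wrong password unlocks:", unlock(vault, "hunter2") is not None)
    hit, n, work = brute_force(vault, ["123456", "hunter2", "correct horse battery staple"])
    print(f"hit={hit!r} after {n} guesses, {work:,} PBKDF2 iterations")
```

Raising the iteration count (or switching to a memory-hard KDF such as scrypt or Argon2) multiplies the attacker's cost per guess, but it does nothing against a master password that is itself on a wordlist; the strength of the master password and the work factor are the two levers, and the vault file contributes neither.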