#1 2005-07-28 15:03:48

jackmetal
Member
From: US
Registered: 2005-06-13
Posts: 164

Password Protection / Password programs

I've been wondering how safe the signons.txt file for Firefox is....  I've been using Firefox to handle my logins recently, but I want a better/safer way.  ;-)

What got me to wondering, was I've been testing out programs to handle my passwords/logins, etc...  I'm currently testing Revelation, Gringotts and PWManager..  I've looked at ked, FPM, gorilla, etc...

So far, I haven't found anything that will compare to my old Roboform on Windows.  I currently run Roboform w/CrossOver office so that I still have 'some' access to all the information I have in it (hundreds of bookmarks, probably 100+ login/passwords, encrypted notes, identities, etc..).

What programs do you guys use for this?


--

Some of the world's greatest feats were
accomplished by people not smart enough
to know they were impossible.
-- Doug Larson

Offline

#2 2005-07-28 15:07:02

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: Password Protection / Password programs

I use gnupg... I store my info in a text file and encrypt it with a password.

Dusty

Offline

#3 2005-07-28 15:20:03

jackmetal
Member
From: US
Registered: 2005-06-13
Posts: 164

Re: Password Protection / Password programs

I've thought about doing that.  I use gnupg for all of my email encryption.

The main issue I have with that, is I have so many different passwords, and being picky - I don't really want to have to open/decrypt the file, manually copy/paste between it.  ;-)

I've been reading every thread I come across on numerous boards to see what alternatives there are and so far I haven't stumbled across one that works for me yet.

The main things I need from one is:

1) encrypted data (most of them handle this)
2) easy access: by this I mean either I use that program as my bookmark manager and it launches the browser, puts in my username/password, etc.. - OR - like Roboform, when I get to a site that it has information for, it will put it in automatically or ask me.  I guess I'm being lazy here.

I thought kwallet would do something like that, but so far I haven't been able to figure it out.  I'm still testing it and others, so maybe I can figure it out at some point.  I was just hoping that there might be some previous roboform users that might have found a suitable linux replacement...  I've been looking (off and on) for a couple years and haven't found one yet.   I'm persistent though, I'll keep looking.  ;-)


--

Some of the world's greatest feats were
accomplished by people not smart enough
to know they were impossible.
-- Doug Larson

Offline

#4 2005-07-28 15:27:04

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: Password Protection / Password programs

Just for the record, I use gpg -d pws | grep 'username' for easy access. It works for me, but I get the feeling you'd want more automation.

KWallet works with Konqueror and KMail, among others. Doubt it supports firefox.

Dusty

Offline

#5 2005-07-28 18:34:59

Kern
Member
From: UK
Registered: 2005-02-09
Posts: 464

Re: Password Protection / Password programs

Have you tried roboform extension for Firefox?

Offline

#6 2005-07-28 19:48:58

jackmetal
Member
From: US
Registered: 2005-06-13
Posts: 164

Re: Password Protection / Password programs

Yep, I use RoboForm on the windows side.  The extension works great in Firefox.  But....It doesn't do anything on the Linux side.  ;-)


--

Some of the world's greatest feats were
accomplished by people not smart enough
to know they were impossible.
-- Doug Larson

Offline

#7 2005-07-29 07:47:03

Kern
Member
From: UK
Registered: 2005-02-09
Posts: 464

Re: Password Protection / Password programs

duuuuh /me looks sheepish.
i downloaded the toolbar for Firefox and it opened up under Linux.
should have checked roboform.com first.

"RoboForm works under Microsoft Windows only!
Mac and Linux/UNIX are not supported"

sorry  :oops:

Offline

#8 2005-07-29 10:21:13

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Password Protection / Password programs

Um, what's wrong with the way firefox stores it in signons.txt? Looks encrypted enough to me.

Offline

#9 2005-07-29 11:53:25

jackmetal
Member
From: US
Registered: 2005-06-13
Posts: 164

Re: Password Protection / Password programs

Kern wrote:

duuuuh /me looks sheepish.
i downloaded the toolbar for Firefox and it opened up under Linux.
should have checked roboform.com first.

"RoboForm works under Microsoft Windows only!
Mac and Linux/UNIX are not supported"

sorry  :oops:

No problem!  I've used it for years and have asked them numerous times about a Linux version.  They keep saying they have no intention of ever doing Linux..    So....I'm finding an alternative and leaving their folds.  If they only work on crap OS's, I don't want 'em any more.  ;-)


--

Some of the world's greatest feats were
accomplished by people not smart enough
to know they were impossible.
-- Doug Larson

Offline

#10 2005-07-29 12:09:34

jackmetal
Member
From: US
Registered: 2005-06-13
Posts: 164

Re: Password Protection / Password programs

iphitus wrote:

Um, what's wrong with the way firefox stores it in signons.txt? Looks encrypted enough to me.

Well.....It 'may' be encrypted enough for normal users, but if you have a lot of sensitive information, I doubt it.  For one thing, you can look at it and see all of the sites you have information stored for. 

The url is clearly viewable, the login name and passwords are on separate lines and "clearly" marked as such (albeit - the actual info is encrypted). 

No thank you!  Someone could easily write a hack/exploit to specifically look for that file and gather your information.  Then all they need is to browse through it and determine which lines they want to crack and run a brute force attack on that specific line. 

I just recently started letting firefox save that information.  I'm not being paranoid about it....but....when I looked at the file the other day to see what kind of information it stored, I was shocked that I could easily determine all of my (bank accounts, credit cards, investment accounts, etc..) and "EXACTLY" where the login and password information for each was.

A much better way of doing it would be to encrypt the entire file so that none of the information is clearly viewable.  At least that would make it a little harder to crack into.  ;-)


--

Some of the world's greatest feats were
accomplished by people not smart enough
to know they were impossible.
-- Doug Larson

Offline

#11 2006-08-07 16:56:41

tomfitzyuk
Member
Registered: 2005-12-30
Posts: 89

Re: Password Protection / Password programs

iphitus wrote:

Um, what's wrong with the way firefox stores it in signons.txt? Looks encrypted enough to me.

heh, how can something *look* encrypted enough?

hello

which looks more encrypted:
npych vs wmauc

One is encrypted (using a simple cipher I just made up) and one is a sequence of random letters. From looking at them I couldn't tell which was more secure (though the set of random letters is more secure) though I'm no cryptanalyst... you may be :P

Personally I use pwsafe, it's a great console-based app which can store passwords. You just type 'pwsafe -up bank' and it will prompt for the master password, search for the entry whose description is bank (or for which bank is a substring of the description). It then copies the username to the clipboard (though you can echo it to the standard out if you want). Once you've pasted this username into the (presumably) web form, it copies the password to the clipboard. Finally, after you've pasted this into the web form (using either middle click or Shift-Insert) it returns the clipboard to the state it was in before pwsafe was run.

It is tedious to have to enter the password each time you want a password but I think it's better to be safe than sorry.

Also, this app can generate random passwords for you and there's a windows app which is compatible with the encrypted database of passwords so portability is of minimal bother (not sure about Mac).

Offline

#12 2006-08-07 17:24:15

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Password Protection / Password programs

tomfitzyuk wrote:
iphitus wrote:

Um, what's wrong with the way firefox stores it in signons.txt? Looks encrypted enough to me.

heh, how can something *look* encrypted enough?

Easily.  Your example does not assume one simple fact.  Firefox does save passwords.  It doesn't open a text file and dump random data to it and go "poof! a password!".  Thus your example is moot.

If you would have shown, say, the md5 and sha ciphers of some text, then most people would have said "looks encrypted enough to me" - hell, I would.

Offline

#13 2006-08-07 20:07:12

tomfitzyuk
Member
Registered: 2005-12-30
Posts: 89

Re: Password Protection / Password programs

I'm not doubting something can look encrypted, but can *you* tell that something is encrypted *enough*.

What I'm saying is, can you tell the strength of a cipher just by looking at the ciphertext. Which I don't think you can :P

Offline

#14 2006-08-07 20:32:40

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Password Protection / Password programs

tomfitzyuk wrote:

I'm not doubting something can look encrypted, but can *you* tell that something is encrypted *enough*.

What I'm saying is, can you tell the strength of a cipher just by looking at the ciphertext. Which I don't think you can :P

No but I'm pretty sure that's the point.  In *my* eyes, encrypted at all is encrypted enough.  It's enough to deter casual "crackers", but if someone is determined enough to get at your data, they'll get at it.  Every cipher will eventually be broken....

Offline

#15 2006-08-07 20:36:35

allucid
Member
Registered: 2006-01-06
Posts: 259

Re: Password Protection / Password programs

I use gpass: http://projects.netlab.jp/gpass/

There is also passwordmaker, which I haven't looked into in detail: http://passwordmaker.org/

Offline

#16 2006-08-07 21:39:58

jaboua
Member
Registered: 2005-11-05
Posts: 634

Re: Password Protection / Password programs

Encrypted or not, firefox, thunderbird and epiphany show saved passwords in the GUI with little job unless you set the master password or what it was called. For epiphany the passwords are in Edit -> Personal data -> Passwords tab -> Show password checkbutton. It takes about 10 secs to do it all, and all the passwords with usernames and URLs show up unencrypted. I don't have thunderbird or firefox in front of me atm, but I've done it before. Big security issue...

Offline

#17 2006-08-09 02:05:23

magnum_opus
Member
Registered: 2005-01-26
Posts: 132

Re: Password Protection / Password programs

i don't know if they still do it but as of mozilla suite circa 1.5 years ago the passwords were encrypted by going from base 64 to base 10 i believe it was (possibly 16), i found out when i was trying to recover a password that i had forgotten

not particularly hard to crack.

they might have upgraded it but that's the risk you have to take for mobile profiles.

Offline
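
Added example, not code from any poster in this thread or from Mozilla: a small audit that reports what someone reading a credential file learns without any key, covering the two concerns raised above (site names left readable, and values that are only base64-encoded rather than encrypted). The file layout, sample values and function names are assumptions made for illustration; the layout is simplified and is not the real signons.txt format.

```python
import base64
import binascii
import string

# Constructed sample in a simplified, assumed layout (NOT the real signons.txt
# format): a site line, "field=value" lines, and "." closing each record.
SAMPLE = """\
https://bank.example
username=YWxpY2U=
password=aHVudGVyMg==
.
https://mail.example
username=3q2+7wABAgP/gJA=
password=/u36zt6tvu8AEP+A
.
"""

PRINTABLE = set(string.printable.encode())

def classify(value):
    """Heuristic: 'plaintext', 'encoded-only' (base64 of readable text) or 'opaque'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "plaintext"          # not base64 at all, stored as typed
    if raw and all(b in PRINTABLE for b in raw):
        return "encoded-only"       # reversible by anyone, no key involved
    return "opaque"                 # unreadable bytes; says nothing about strength

def audit(text):
    """Return (site, field, exposure) for everything readable without a key."""
    findings, site = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == ".":
            site = None             # end of record
        elif line and site is None:
            site = line
            findings.append((site, "site", "plaintext"))
        elif line:
            field, _, value = line.partition("=")
            findings.append((site, field, classify(value)))
    return findings

def keyless_sites(findings):
    """Sites whose stored credentials decode without any key."""
    return sorted({s for s, f, e in findings if f != "site" and e != "opaque"})

if __name__ == "__main__":
    for site, field, exposure in audit(SAMPLE):
        print(f"{site:24} {field:10} {exposure}")
    print("recoverable without a key:", keyless_sites(audit(SAMPLE)))
```

An "opaque" result only means the bytes are not readable text; it does not show that the cipher or key behind them is strong, and both site names are listed as plaintext either way.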
