What is a sensible setup for managing passwords? I.e. one that supports a good range of realistic use cases and isn't a pain to use. I'll just go over some common ones to illustrate the idea:
* Lastpass etc: I'm not letting some random company keep my passwords, don't care what BS they spout about encryption or whatever
* pass: Nice but some flaws. 1) Doesn't encrypt password names. 2) If you want to share passwords across computers you now need to copy your GPG private key everywhere. 3) Uses git, so not well suited to file sync programs like Nextcloud. (git push would be okay if it did not expose the password names)
* KeepassXC: Overall not bad but the CLI is atrocious
* Plaintext files with tomb: This seemed promising, but tomb seems very slow to lock/unlock (5-10 sec) and then of course you have to secure the mounted store while it's mounted.
* SQLite etc. with encryption like Fernet layered on top: Seems like this would work (if you're comfortable with SQL) but I'm guessing you'd have to write your own wrapper program to pass all the SQL through the right encryption. If you want version control that would probably also be annoying, depending on how you model the database.
Has anyone had success with any of these approaches or something else? I'm not looking for basic stuff like "just use vanilla pass on only one computer and have only 5 accounts you need to keep track of" - I have 100s of accounts accumulated over many years, often there is a lot of metadata since I frequently need to search through them to find some obscure account.
Last edited by lfitzgerald (2022-06-11 19:01:13)
Offline
After trying many of them, pass is the one I settled on. I don't mind 1. And 2 is a given anyway. 3 is irrelevant as I don't use git as part of my setup, I share the passdir via syncthing. And with a custom dmenu script, the whole thing does everything I want.
Offline
I use pwsafe because I can use the same "safe" for both Windows and Linux (and sync them using Syncthing).
I have several hundred passwords in the safe: one password to open the safe, then copy and paste the desired username and password.
Includes organizational fields for: group, title, username, password, url, email, and notes.
As far as I know, all the fields are encrypted. It is available in the AUR.
Cheers,
"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb
Offline
You didn't specify your platform requirements, but the two most common cross-platform solutions (IMO) are:
1. Keepass. Sync across machines with your sync solution of choice (Syncthing, etc.). Also works on Android/Windows. Not typically web accessible if that's a requirement for you (possible with keepweb, but I've no experience with it). If you don't like the GUI KeepassXC, you could try keepmenu which is quite fast and usable with dmenu, Rofi, bemenu, wofi, etc.
2. Bitwarden/Vaultwarden. Self-host vaultwarden if you don't want to rely on the Bitwarden company. I have mine only accessible from my Wireguard network so it's not open to the internet. The Bitwarden browser extensions and Android app also work with vaultwarden. Again, if you don't want to be stuck using a browser extension or the Bitwarden GUI app, there is bitwarden-menu.
Check the wiki for more options!
Offline
jasonwryan wrote: 3 is irrelevant as I don't use git as part of my setup, I share the passdir via syncthing.
So how do you handle change history on the data? E.g. if you realize after the fact that you need to see the previous password that you changed from 3 months ago? Do you have some alternate change tracking system, or do you just consider this not an important situation to plan for?
Offline
Tarsnap for archives, and a separate server that I rsync backups to daily.
Offline
gopass is nice though it stores usernames in cleartext like pass.
Offline
I used KeePass for a number of years. When KeePassX came out, I switched because development of KeePass was painfully slow. If you don't like the CLI, don't use it. I use KeePassX to store my passwords and as a bookmarks repository.
Arch Linux with Openbox & Tint2
Offline
I used KeePass for a number of years. When KeePassX came out, I switched because development of KeePass was painfully slow. If you don't like the CLI, don't use it. I use KeePassX to store my passwords and as a bookmarks repository.
To be fair, I think overall KeepassXC is a great password manager, but I would like to use it from the shell so I can automate things. Unfortunately Keepass's interface seems kind of clunky. I managed to write some wrapper scripts that make it a bit nicer, but it's still not as good as pass's interface.
Offline
What's the issue with syncing something under git? I just set pass up and initialised it with git because it seemed like a good idea. Now I'm wondering if that was foolish.
The one thing I'm not sure about with pass is trusting it to my phone, but that's because I don't trust my phone and would be the same regardless.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
What's the issue with syncing something under git? I just set pass up and initialised it with git because it seemed like a good idea. Now I'm wondering if that was foolish.
Nothing foolish about it, per se; it all depends on the git remote.
The one thing I'm not sure about with pass is trusting it to my phone, but that's because I don't trust my phone and would be the same regardless.
Agree. I don't use my phone for banking or anything even remotely sensitive.
Offline
What's the issue with syncing something under git? I just set pass up and initialised it with git because it seemed like a good idea. Now I'm wondering if that was foolish.
.git/ has a lot of small files, so Nextcloud doesn't work too well with it. Otherwise there's nothing particularly bad per se.
Last edited by lfitzgerald (2022-11-13 02:38:37)
Offline
Agree. I don't use my phone for banking or anything even remotely sensitive.
I handle student data on it which makes me nervous, but I don't have much choice.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
jasonwryan wrote: 3 is irrelevant as I don't use git as part of my setup, I share the passdir via syncthing.
So how do you handle change history on the data? E.g. if you realize after the fact that you need to see the previous password that you changed from 3 months ago? Do you have some alternate change tracking system, or do you just consider this not an important situation to plan for?
What's the reason to track password history? What about accounts which you've closed, and no longer need the password - isn't it safer to delete those passwords, and not have them still exist in the history?
Offline
I happily pay for 1Password, which has great applications on all major platforms (desktop and mobile), first-class Arch support, great browser integration, e2e encrypted cloud sync (including EU storage if that's important to you), shared entries for family accounts (handy to store e.g. social security for your children), travel mode, SSH integration (including Git signing with SSH keys), system auth unlock (so you can e.g. unlock with your login fingerprint if you like) and a great CLI.
It costs a bit of money though, and it's not free software. But you have to pick your poison…
Last edited by 3beb6e7c46a615a (2022-12-16 17:43:29)
Offline
Since this topic is generic, I would like to ask a question about pass. Is there a way to autocomplete in bash so that I do not have to type the parent directory name?
For example, the structure is
- directory
  - arch_forum
  - arch_wiki
If I want the arch_forum password I have to type the parent directory name first.
Basically I can't type pass TAB and get arch_forum or arch_wiki suggestions.
Ukrainian
Offline
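One way to get leaf-name completion for pass, as an added example that is not pass's own completion and not the dmenu script referred to elsewhere in this thread: it assumes the standard store layout of *.gpg files under $PASSWORD_STORE_DIR (default ~/.password-store), and the wrapper name p and the helper names are my own. It refuses to show anything when the leaf name is missing or matches more than one entry, so a typo never prints a different secret.

```shell
#!/usr/bin/env bash
# Added example, not pass's own completion nor the dmenu script mentioned in this thread.
# Assumes the standard pass layout: entries are *.gpg files under
# $PASSWORD_STORE_DIR (default ~/.password-store). Function names are my own.

# Every entry as a store-relative path without the .gpg suffix, e.g. directory/arch_forum.
pass_entries() {
    local store="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
    find "$store" -type f -name '*.gpg' 2>/dev/null |
        sed -e "s|^$store/||" -e 's|\.gpg$||' | sort
}

# Print every entry whose leaf name (last path component) equals $1.
pass_resolve() {
    local leaf="$1" entry
    pass_entries | while IFS= read -r entry; do
        if [ "${entry##*/}" = "$leaf" ]; then printf '%s\n' "$entry"; fi
    done
}

# p <leaf>: run `pass show` on the unique entry with that leaf name.
# Refuses when the name is missing or ambiguous, so the wrong secret is never printed.
p() {
    local matches count
    matches=$(pass_resolve "$1")
    count=$(printf '%s\n' "$matches" | grep -c .)
    case "$count" in
        0) echo "p: no entry named '$1'" >&2; return 1 ;;
        1) pass show "$matches" ;;
        *) echo "p: '$1' is ambiguous, use the full path:" >&2
           printf '%s\n' "$matches" | sed 's/^/  /' >&2; return 2 ;;
    esac
}

# Completion candidates: unique leaf names filtered by the word being completed.
# bash's `complete -C` calls this as: _p_leaves <command> <current-word> <previous-word>.
_p_leaves() {
    pass_entries | sed 's|.*/||' | sort -u | grep -e "^$2"
}

# Register the completion so `p <TAB>` offers arch_forum / arch_wiki
# (skipped on shells without bash's complete builtin).
command -v complete >/dev/null 2>&1 && complete -C _p_leaves p
```

Note that this only works because pass leaves entry names unencrypted on disk, the same property the opening post lists as a flaw.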
Hence this topic is generic I would ask question about pass. Is it a way to autocomplete in the bash in that way do not type parent directory name?
Offline
Well, I'm weak in bash. If I'm correct, that script is for dmenu or similar.
Can I put it in my bashrc file?
Ukrainian
Offline
lfitzgerald wrote:
jasonwryan wrote: 3 is irrelevant as I don't use git as part of my setup, I share the passdir via syncthing.
So how do you handle change history on the data? E.g. if you realize after the fact that you need to see the previous password that you changed from 3 months ago? Do you have some alternate change tracking system, or do you just consider this not an important situation to plan for?
What's the reason to track password history? What about accounts which you've closed, and no longer need the password - isn't it safer to delete those passwords, and not have them still exist in the history?
Password history can be useful in multiple scenarios. For example, certain sites use it as a security measure to authenticate your identity in the event of a password/security breach: they ask for the 'last known password'.
And the risk of knowing past passwords is fairly small, especially if you're randomly generating them (which you should be if you're using a password manager).
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
gopass is nice though it stores usernames in cleartext like pass.
cleartext but still encrypted
EDIT: made a mistake, usernames are indeed not encrypted
Last edited by Yusefz1 (2022-12-20 14:46:57)
Offline
I use pass https://passwordstore.org because it is really easy and simple, gopass is also good and is also Windows compatible.
Offline