Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-25 Thread David Wright
On Tue 25 Oct 2016 at 08:43:15 (+0200), deloptes wrote:
> Ben Finney wrote:
> 
> > I prefer integration to all applications on the desktop: i.e., the
> > program should simply place the passphrase in the clipboard, allowing me
> > to paste it into whatever form I visit. That covers the browser as well.
> 
> I've been using gpg since 2002 and never heard of PassStore or pass or
> whatever. But through all those years I used the kwallet and now tdewallet.
> Exactly because it is integrated into the system/desktop.
> 
> The idea to upload encrypted password on some cloud service is scary, but
> perhaps I am a bit old fashioned. Passwords are usually kept in a safe
> place. Especially private keys are not meant to be shared, so I did not
> understand what you are doing with your private gpg key? Do you have it
> printed on paper?
> 
> I think what you are describing is a bit useless, but a summary of all
> password managers and storage systems is still pretty useful. With my
> previous post I wanted to point out that completeness is what I would
> expect from a Debian wiki article. You can save the filtering criteria for
> yourself. Let the people decide by providing information on the key
> features of each application.

Eh? Getting information on these packages is all too easy. What's more
difficult is mining people's knowledge of whether these key features
are beneficial, disadvantageous, a security risk, or just neutral,
nice to have.

I knew about pass: it contains the string "password manager" in its
description. Perhaps you missed it because it has no tags in the
Packages file, not one. Anyway, the full description reads:
"lightweight directory-based password manager
"Stores, retrieves, generates, and synchronizes passwords securely
 using gpg, pwgen, and git."

I can't see the point in just duplicating that information on a wiki
page. There's a list of possibilities at
https://wiki.archlinux.org/index.php/List_of_applications/Security#Password_managers
and you know that their websites will trumpet their key features.

But I can see the added value in running that information past
a set of criteria like "The database must be in a format already known
to be readable by other, mature, well-maintained software" to quote
just one. That sort of knowledge is what gets discussed here, and
a summary in one place would be very useful. It might look like
the sort of grid often seen in Wikipedia (though it might need a
lot of footnotes explaining why it passed/failed to come up to
scratch).

Cheers,
David.



Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-25 Thread Ben Finney
deloptes writes:

> The idea to upload encrypted password on some cloud service is scary

Then don't upload it to a cloud service :-)

Instead, upload it to a specific host, one that you can make an informed
trust decision about.

> Passwords are usually kept in a safe place.

Yes. Do you consider encrypted files that can only be unlocked by one's
private key to be safe?

> Especially private keys are not meant to be shared, so I did not
> understand what you are doing with your private gpg key? Do you have
> it printed on paper?

The private key for unlocking the database stays on the device where I'm
using it. So yes, that means I need to be able to trust the device on
which I unlock my passphrase database.

That's entailed within the task: to access one's secret passphrases, one
must do that on a device one trusts with that task.


(Good sigmonster, have a cookie.)

-- 
 \ “Try adding “as long as you don't breach the terms of service – |
  `\  according to our sole judgement” to the end of any cloud |
_o__)  computing pitch.” —Simon Phipps, 2010-12-11 |
Ben Finney



Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-25 Thread deloptes
Ben Finney wrote:

> I prefer integration to all applications on the desktop: i.e., the
> program should simply place the passphrase in the clipboard, allowing me
> to paste it into whatever form I visit. That covers the browser as well.

I've been using gpg since 2002 and never heard of PassStore or pass or
whatever. But through all those years I used the kwallet and now tdewallet.
Exactly because it is integrated into the system/desktop.

The idea to upload encrypted password on some cloud service is scary, but
perhaps I am a bit old fashioned. Passwords are usually kept in a safe
place. Especially private keys are not meant to be shared, so I did not
understand what you are doing with your private gpg key? Do you have it
printed on paper?

I think what you are describing is a bit useless, but a summary of all
password managers and storage systems is still pretty useful. With my
previous post I wanted to point out that completeness is what I would
expect from a Debian wiki article. You can save the filtering criteria for
yourself. Let the people decide by providing information on the key
features of each application.

regards


Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-24 Thread William Satterthwaite
I think a table, something like this, would be prudent. I only know about
FPM2 as that is what I use; I would be interested in seeing a summary of
alternatives.

Password Manager: FPM2
Supports syncing: No
Features:
  Cipher: AES-256
  - Generates passwords up to 255 characters long, with options for
    numbers, symbols and avoiding ambiguous characters (1 and I etc.)
  - Password categories and filtering
  - Search on typing
  - Store additional reference information (url, notes, username)
  - Password launchers
  - Copy password to Primary selection or clipboard without showing it.
  - Can use a key file
  - Export/Import passwords to/from XML for moving between managers


About syncing, I use Mega.nz because of client-side encryption, but some
inbuilt syncing system would be better, ideally peer to peer, so it
never leaves my devices.

On 25/10/16 06:44, deloptes wrote:
> Daniel Pocock wrote:
>
>>
>> On 24/10/16 13:05, Daniel Pocock wrote:
>>>
>>> There have been various discussions in here and in some derivative
>>> projects like Ubuntu about choosing and using password managers,
>>> especially the way to sync their password lists across multiple devices.
>>>
>>> Given the way we do things in Debian it is important not to depend on a
>>> service like Dropbox to sync the password files.
>>>
>>> Therefore, how are people choosing a password manager and solving this
>>> in practice?
>>>
>>> - which password managers have a built-in mechanism for synchronizing or
>>> merging password lists on multiple devices?
>>>
>>> - who is using some other mechanism such as Git or ownCloud to sync?
>>>
>>> I've made a list of some of the password managers in Debian:
>>>
>>> https://packages.qa.debian.org/a/assword.html
>>> https://packages.qa.debian.org/p/password-gorilla.html
>>> https://packages.qa.debian.org/p/password-store.html
>>> https://packages.qa.debian.org/r/revelation.html
>>> https://packages.qa.debian.org/k/keepass2.html
>>> https://packages.qa.debian.org/k/keepassx.html
>>> https://packages.qa.debian.org/k/kedpm.html
>>> https://packages.qa.debian.org/f/fpm2.html
>>> https://packages.qa.debian.org/c/cpm.html
>>> https://packages.qa.debian.org/p/passwordsafe.html
>>>
>>> There are quite a few and so it is hard for somebody to know the best
>>> place to start, maybe a comparison table in the wiki will be needed.
>> Wiki now created:
>>
>> https://wiki.debian.org/PasswordManagement
>>
>>
>>> Some other factors that come to mind for a comparison table:
>>>
>>> - support for PGP
>>> - support for other strong crypto (e.g. smartcard)
>>> - merging algorithm for multiple devices
>>> - multi-user / team capabilities
>>> - browser integration
>>>
>>> I notice that Tails chose to include KeePassX, although there is some
>>> uncertainty how it was selected:
>>>
>>> https://labs.riseup.net/code/issues/9231
>>>
>>> Can anybody comment on its history there?
>>>
> What about the wallet? In KDE4 and the former KDE3, now Trinity Desktop, we
> use kwallet, now tdewallet, to store the passwords. I know GNOME also has
> one, but I don't know its name. I think each desktop has or should have a
> kind of integrated password manager. It is worth mentioning this.
>
> https://userbase.kde.org/KDE_Wallet_Manager
> https://utils.kde.org/projects/kwalletmanager/
> https://en.wikipedia.org/wiki/KWallet
>
> regards
>
>
>





Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-24 Thread Ben Finney
Daniel Pocock writes:

> Therefore, how are people choosing a password manager and solving this
> in practice?

A primary criterion for my data is: Avoid depending on a service I can't
quickly replicate elsewhere with all my data intact.

This tends strongly toward standard protocols, and services that are
published as free software.

So, for a password manager:

* The database must be in a format already known to be readable by
  other, mature, well-maintained software.

  (This disqualifies an application-specific storage format that might
  have been readable when I first checked but doesn't remain compatible
  over time.)

* The encryption must be immediately available to decrypt with standard
  tools, using keys in a standard format and available in an obvious
  place to use.

  (This disqualifies software that says it supports a standard
  encryption algorithm but its keys or encrypted data are not right
  there for me to try decrypting in a hurry with standard tools.)

* The synchronisation must default to, and encourage, standard
  widely-implemented file synchronisation systems.

  (This disqualifies software that has a non-default option for some
  protocol that most of the application's users don't use, therefore
  it's not as widely user-tested and more likely to be unreliable when I
  need it.)

* The synchronisation must default to, and encourage, choosing an
  independently-maintained hosting provider.

  (Similar to the above, if most people default to a single hosting
  provider then the federated hosting will not be nearly well tested
  enough to assure reliability in a pinch.)

* The synchronisation must easily and obviously allow a user to set up
  their own (or ask a skilled friend to set up) hosting, on at least an
  equal standing with other synchronisation methods.

For me, at present the best option is Password Store (a.k.a. ‘pass’).

> - which password managers have a built-in mechanism for synchronizing
> or merging password lists on multiple devices?

By setting a Git remote to a private hosted repository, all my devices
can sync the password database by Git push and pull.

> - who is using some other mechanism such as Git or ownCloud to sync?

Git is not another method, it's built into the application :-)

> Some other factors that come to mind for a comparison table:
>
> - support for PGP

Password Store uses standard OpenPGP, as implemented by GnuPG.

> - support for other strong crypto (e.g. smartcard)

Don't know about this.

> - merging algorithm for multiple devices

Password Store uses a separate encrypted file for each entry, so merges
are only a matter of managing a directory tree.

> - multi-user / team capabilities

I've seen discussion of this in the Password Store community; it usually
comes down to managing one's GnuPG keys.

Password Store allows the database to be encrypted to (i.e. unlockable
by any of) multiple GnuPG keys.

> - browser integration

I prefer integration to *all* applications on the desktop: i.e., the
program should simply place the passphrase in the clipboard, allowing me
to paste it into whatever form I visit. That covers the browser as well.

-- 
 \ “But it is permissible to make a judgment after you have |
  `\  examined the evidence. In some circles it is even encouraged.” |
_o__)  —Carl Sagan, _The Burden of Skepticism_, 1987 |
Ben Finney
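An added illustration (not from Ben's message or the Password Store project) of why per-entry files turn merging into a directory-tree problem, including the one case that still needs a human: the same entry edited on both devices. The paths and file contents are constructed.

```python
"""Three-way merge of two pass-style stores, one opaque encrypted file per entry.

Because each entry is its own ciphertext blob, the merge is decided per path:
a path changed on one device only takes that device's version, and a path
changed differently on both devices is a conflict a human must resolve,
since the ciphertexts cannot be line-merged.
"""
from typing import Dict, Set, Tuple

Tree = Dict[str, bytes]     # relative path -> encrypted file content

def merge_stores(base: Tree, ours: Tree, theirs: Tree) -> Tuple[Tree, Set[str]]:
    """Return (merged tree, conflicting paths). base is the last common
    state of the two devices; a missing path means the entry is absent."""
    merged: Tree = {}
    conflicts: Set[str] = set()
    for path in sorted(set(base) | set(ours) | set(theirs)):
        b, o, t = base.get(path), ours.get(path), theirs.get(path)
        if o == t:            # identical on both sides (or deleted on both)
            result = o
        elif o == b:          # only they changed or deleted it
            result = t
        elif t == b:          # only we changed or deleted it
            result = o
        else:                 # edited (or added) differently on both devices
            conflicts.add(path)
            result = o        # keep our copy but flag it for manual review
        if result is not None:
            merged[path] = result
    return merged, conflicts

# Constructed sample: the common state and what each device did since then.
BASE: Tree = {"web/example.gpg": b"v1", "mail/imap.gpg": b"v1", "old/legacy.gpg": b"v1"}
LAPTOP: Tree = {"web/example.gpg": b"v2-laptop", "mail/imap.gpg": b"v1",
                "old/legacy.gpg": b"v1", "vpn/office.gpg": b"new"}        # edited one, added one
PHONE: Tree = {"web/example.gpg": b"v2-phone", "mail/imap.gpg": b"v1-rotated"}  # edited two, deleted legacy

if __name__ == "__main__":
    merged, conflicts = merge_stores(BASE, LAPTOP, PHONE)
    for path in merged:
        print(("CONFLICT " if path in conflicts else "ok       ") + path)
```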



Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-24 Thread deloptes
Daniel Pocock wrote:

> 
> 
> On 24/10/16 13:05, Daniel Pocock wrote:
>> 
>> 
>> There have been various discussions in here and in some derivative
>> projects like Ubuntu about choosing and using password managers,
>> especially the way to sync their password lists across multiple devices.
>> 
>> Given the way we do things in Debian it is important not to depend on a
>> service like Dropbox to sync the password files.
>> 
>> Therefore, how are people choosing a password manager and solving this
>> in practice?
>> 
>> - which password managers have a built-in mechanism for synchronizing or
>> merging password lists on multiple devices?
>> 
>> - who is using some other mechanism such as Git or ownCloud to sync?
>> 
>> I've made a list of some of the password managers in Debian:
>> 
>> https://packages.qa.debian.org/a/assword.html
>> https://packages.qa.debian.org/p/password-gorilla.html
>> https://packages.qa.debian.org/p/password-store.html
>> https://packages.qa.debian.org/r/revelation.html
>> https://packages.qa.debian.org/k/keepass2.html
>> https://packages.qa.debian.org/k/keepassx.html
>> https://packages.qa.debian.org/k/kedpm.html
>> https://packages.qa.debian.org/f/fpm2.html
>> https://packages.qa.debian.org/c/cpm.html
>> https://packages.qa.debian.org/p/passwordsafe.html
>> 
>> There are quite a few and so it is hard for somebody to know the best
>> place to start, maybe a comparison table in the wiki will be needed.
> 
> Wiki now created:
> 
> https://wiki.debian.org/PasswordManagement
> 
> 
>> 
>> Some other factors that come to mind for a comparison table:
>> 
>> - support for PGP
>> - support for other strong crypto (e.g. smartcard)
>> - merging algorithm for multiple devices
>> - multi-user / team capabilities
>> - browser integration
>> 
>> I notice that Tails chose to include KeePassX, although there is some
>> uncertainty how it was selected:
>> 
>> https://labs.riseup.net/code/issues/9231
>> 
>> Can anybody comment on its history there?
>>

What about the wallet? In KDE4 and the former KDE3, now Trinity Desktop, we
use kwallet, now tdewallet, to store the passwords. I know GNOME also has
one, but I don't know its name. I think each desktop has or should have a
kind of integrated password manager. It is worth mentioning this.

https://userbase.kde.org/KDE_Wallet_Manager
https://utils.kde.org/projects/kwalletmanager/
https://en.wikipedia.org/wiki/KWallet

regards


Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-24 Thread Teemu Likonen
Daniel Pocock [2016-10-24 13:05:28+02] wrote:

> Given the way we do things in Debian it is important not to depend on a
> service like Dropbox to sync the password files.
>
> Therefore, how are people choosing a password manager and solving this
> in practice?

I have used "pass" and liked it. It's a command-line tool, written in
Bash, and it stores passwords as separate gpg-encrypted files in
~/.password-store. Pass has Git support but I have never used that. The
basic usage is to search for a named password, which can be copied to the
clipboard. The clipboard is automatically cleared after 20 (or so, I
don't remember).

There are a couple of things in pass's user interface that I don't like, so
I wrote my own Bash script which is compatible with pass's storage. I
have two Linux computers and I use Unison to sync the password directory
(and many other files) between them.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
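Since each entry is a plain OpenPGP file, the keys that can unlock it can be listed with a small packet parser and compared with the store's .gpg-id file, which is the check you want before syncing a store to another device. This is an added example, not Teemu's script or part of pass; the entry bytes are constructed, and the .gpg-id handling assumes the file holds key IDs or fingerprints rather than e-mail addresses.

```python
"""Inspect which OpenPGP keys can unlock a pass entry (*.gpg) without GnuPG.
pass encrypts each entry to every key in the store's .gpg-id file; each
recipient is a Public-Key Encrypted Session Key (PKESK) packet at the front
of the file (RFC 4880, sections 4.2 and 5.1), so the set is easy to read."""
from typing import List, Set, Tuple

def parse_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an OpenPGP message into (tag, body) pairs."""
    packets, pos = [], 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:                          # new-format header
            tag, b0, pos = ctb & 0x3F, data[pos], pos + 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length, pos = ((b0 - 192) << 8) + data[pos] + 192, pos + 1
            elif b0 == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        pos += length
    return packets

def recipient_key_ids(message: bytes) -> List[str]:
    """16-hex-digit key IDs named by the version 3 PKESK packets (tag 1)."""
    return [body[1:9].hex().upper()
            for tag, body in parse_packets(message) if tag == 1 and body[0] == 3]

def check_against_gpg_id(message: bytes, gpg_id_lines: List[str]) -> Tuple[Set[str], Set[str]]:
    """Compare recipients with .gpg-id lines holding key IDs or fingerprints (a key
    ID is the last 16 hex digits of the fingerprint). Returns (listed but not a
    recipient, recipient but not listed); both empty means the file matches."""
    expected = {line.replace(" ", "").strip().upper()[-16:] for line in gpg_id_lines if line.strip()}
    actual = set(recipient_key_ids(message))
    return expected - actual, actual - expected

# Constructed sample: two RSA PKESK packets (old-format headers, dummy MPIs)
# followed by one SEIPD packet (tag 18, new-format header, dummy ciphertext).
SAMPLE_ENTRY = bytes.fromhex(
    "840e03" "0102030405060708" "01" "0010abcd"
    "840e03" "1122334455667788" "01" "0010ef01"
    "d206" "01" "deadbeef00"
)
```

An entry that names a key not in .gpg-id is the case to look for: it means someone other than the intended recipients can decrypt that entry.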




Re: comparing password managers in Debian, synchronizing on multiple devices

2016-10-24 Thread Daniel Pocock


On 24/10/16 13:05, Daniel Pocock wrote:
> 
> 
> There have been various discussions in here and in some derivative
> projects like Ubuntu about choosing and using password managers,
> especially the way to sync their password lists across multiple devices.
> 
> Given the way we do things in Debian it is important not to depend on a
> service like Dropbox to sync the password files.
> 
> Therefore, how are people choosing a password manager and solving this
> in practice?
> 
> - which password managers have a built-in mechanism for synchronizing or
> merging password lists on multiple devices?
> 
> - who is using some other mechanism such as Git or ownCloud to sync?
> 
> I've made a list of some of the password managers in Debian:
> 
> https://packages.qa.debian.org/a/assword.html
> https://packages.qa.debian.org/p/password-gorilla.html
> https://packages.qa.debian.org/p/password-store.html
> https://packages.qa.debian.org/r/revelation.html
> https://packages.qa.debian.org/k/keepass2.html
> https://packages.qa.debian.org/k/keepassx.html
> https://packages.qa.debian.org/k/kedpm.html
> https://packages.qa.debian.org/f/fpm2.html
> https://packages.qa.debian.org/c/cpm.html
> https://packages.qa.debian.org/p/passwordsafe.html
> 
> There are quite a few and so it is hard for somebody to know the best
> place to start, maybe a comparison table in the wiki will be needed.

Wiki now created:

https://wiki.debian.org/PasswordManagement


> 
> Some other factors that come to mind for a comparison table:
> 
> - support for PGP
> - support for other strong crypto (e.g. smartcard)
> - merging algorithm for multiple devices
> - multi-user / team capabilities
> - browser integration
> 
> I notice that Tails chose to include KeePassX, although there is some
> uncertainty how it was selected:
> 
> https://labs.riseup.net/code/issues/9231
> 
> Can anybody comment on its history there?
> 



comparing password managers in Debian, synchronizing on multiple devices

2016-10-24 Thread Daniel Pocock


There have been various discussions in here and in some derivative
projects like Ubuntu about choosing and using password managers,
especially the way to sync their password lists across multiple devices.

Given the way we do things in Debian it is important not to depend on a
service like Dropbox to sync the password files.

Therefore, how are people choosing a password manager and solving this
in practice?

- which password managers have a built-in mechanism for synchronizing or
merging password lists on multiple devices?

- who is using some other mechanism such as Git or ownCloud to sync?

I've made a list of some of the password managers in Debian:

https://packages.qa.debian.org/a/assword.html
https://packages.qa.debian.org/p/password-gorilla.html
https://packages.qa.debian.org/p/password-store.html
https://packages.qa.debian.org/r/revelation.html
https://packages.qa.debian.org/k/keepass2.html
https://packages.qa.debian.org/k/keepassx.html
https://packages.qa.debian.org/k/kedpm.html
https://packages.qa.debian.org/f/fpm2.html
https://packages.qa.debian.org/c/cpm.html
https://packages.qa.debian.org/p/passwordsafe.html

There are quite a few and so it is hard for somebody to know the best
place to start, maybe a comparison table in the wiki will be needed.

Some other factors that come to mind for a comparison table:

- support for PGP
- support for other strong crypto (e.g. smartcard)
- merging algorithm for multiple devices
- multi-user / team capabilities
- browser integration

I notice that Tails chose to include KeePassX, although there is some
uncertainty how it was selected:

https://labs.riseup.net/code/issues/9231

Can anybody comment on its history there?