[tw] Re: TiddlyWiki as a password store

2015-09-17 Thread PMario
On Thursday, September 17, 2015 at 10:12:52 AM UTC+2, Tobias Beer wrote:
>
> I was wondering if using a combination of encryption and maybe TiddlySpot
> was safe enough for recreating something like keepass or mitto with
> TiddlyWiki (minus any 1-click-login).
>
> Thoughts?
>

The encryption may be safe enough, but the workflow isn't. 

eg: 
 - keepass removes plain text passwords from the system memory after 10 
seconds. 
 - If you decrypt TW all the stuff is plain text in the browser. If you 
copy a password it will stay in memory. 
 - switching the browser window into the background will not activate 
the encryption again ... 

eg: 
 - autofill passwords with keepass has a special mechanism to avoid "key 
locking" 
 - if you copy / paste a PW with TW "key locking" will be trivial 

So in no way would I personally use TW as a cloud based password store. Not 
because of the javascript based encryption software but because of the 
unsafe workflow. 

just my thoughts
mario

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com.
To post to this group, send email to tiddlywiki@googlegroups.com.
Visit this group at http://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/3a9d8ba2-ab38-4798-9a12-9f567869509d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[tw] Re: TiddlyWiki as a password store

2015-09-17 Thread PMario
On Thursday, September 17, 2015 at 11:08:53 AM UTC+2, Tobias Beer wrote:
>
> Some good points. So the scores are roughly...
>
> Keepass 10 : TiddlyWiki 1
>
> May I ask what you use?
>

KeePass2 .. It works well with windows and ubuntu. So I can use the same 
password store file for both environments. ... The only problem atm is my 
mobile device :) It uses ubuntu touch. 


There is also one more thing. You wrote: "and maybe TiddlySpot"

TiddlySpot uses basic http with username, password authentication at the 
moment. This mechanism is all plain text. 

So logging on to tiddlyspot on a public wifi is an invitation for a "man in 
the middle" attack. 

As I wrote. Most of the time the encryption mechanisms are not the 
vulnerable elements. 

Users and their "bad habits" are one element. eg: using the same and easy 
to guess passwords for way too many sites. 

... and ... the annual cost and complexity to enable https:// is the second 
element, why the web is still an insecure place. 

--- OT

https://letsencrypt.org/ may be an interesting approach to create free 
certs. ... But the last time I visited the project page, they were not 
finished yet. .. So time to have a new look ;)

-m
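
The point above about basic HTTP authentication being "all plain text" can be checked on a captured request. This is an added example, not part of the original message and not TiddlySpot code: it decodes a Basic `Authorization` header and reports whether the request exposes credentials to anyone on the network path. The function names, the `example.invalid` URLs and the credentials are constructed for illustration.

```javascript
// Added illustration; URLs and credentials below are constructed samples.

// Decode an "Authorization: Basic ..." value (RFC 7617). Base64 is an
// encoding, not encryption, so no key is needed to recover the password.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec((headerValue || "").trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // user-id has no ":", the password may
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Audit one outgoing request: which credentials does it carry, and are they
// protected by TLS on the way to the server?
function auditRequest(url, headers) {
  const u = new URL(url);
  const encrypted = u.protocol === "https:";
  const findings = [];
  const key = Object.keys(headers).find(k => k.toLowerCase() === "authorization");
  const creds = key ? decodeBasicAuth(headers[key]) : null;
  if (creds) findings.push(`Basic auth header for user "${creds.user}"`);
  if (u.username || u.password) findings.push("credentials embedded in the URL");
  return {
    encrypted,
    findings,
    // Exposed = credentials are present and nothing encrypts the transport.
    exposed: findings.length > 0 && !encrypted,
  };
}

// Constructed sample: the same login sent over http:// and over https://.
const sampleHeader = "Basic " + Buffer.from("wikiuser:s3cret:with:colons").toString("base64");
for (const url of ["http://example.invalid/store", "https://example.invalid/store"]) {
  const r = auditRequest(url, { Authorization: sampleHeader });
  console.log(url, "->", r.exposed ? "EXPOSED" : "protected in transit", r.findings);
}
```

The header is identical in both requests; only the transport decides whether someone on the same wifi can read it.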



[tw] Re: TiddlyWiki as a password store

2015-09-17 Thread Tobias Beer
Thanks Mario,

Some good points. So the scores are roughly...

Keepass 10 : TiddlyWiki 1

May I ask what you use?


Best wishes,

— tb



[tw] Re: TiddlyWiki as a password store

2015-09-17 Thread Spangenhelm
Hi guys! Good question: I guess you are right about the security risks for 
a cloud-based use (I effectively use tw for storing my credentials but 
offline only so far, and it is clearly missing an autofill feature though!)

Btw Mario you said you were using ubuntu touch on your mobile? So do I! 
What brand is your phone? Bq? Mine is (Aquaris 4.5 Ubuntu Edition) and I'm 
pretty happy with it although there is no easy way to sync it with the cloud 
except via google.. Or have you found a way to do so? Webdav/Cardav and 
things like that do not seem to be available yet afaik...

Tchuss



[tw] Re: TiddlyWiki as a password store

2015-09-17 Thread PMario
On Thursday, September 17, 2015 at 2:27:24 PM UTC+2, Spangenhelm wrote:
>
> Hi guys! Good question: I guess you are right about the security risks for 
> a cloud-based use (I effectively use tw for storing my credentials but 
> offline only so far, and it is clearly missing an autofill feature though!)
>

I'm "kind of ok" for offline use but I still have some doubts and "open 
URL" and "autofill" are a big win with the native programs. 

 OT
I did create a new thread :) 
https://groups.google.com/forum/#!topic/tiddlywiki/XxHuCL3AyeM
 EOT

-mario
