Re: comparing password managers in Debian, synchronizing on multiple devices
Daniel Pocock <daniel@pocock.pro> writes:
> Therefore, how are people choosing a password manager and solving this
> in practice?
A primary criterion for my data is: Avoid depending on a service I can't
quickly replicate elsewhere with all my data intact.
This tends strongly toward standard protocols, and services that are
published as free software.
So, for a password manager:
* The database must be in a format already known to be readable by
other, mature, well-maintained software.
(This disqualifies an application-specific storage format that might
have been readable when I first checked but doesn't remain compatible
over time.)
* The encryption must be immediately available to decrypt with standard
tools, using keys in a standard format and available in an obvious
place to use.
(This disqualifies software that says it supports a standard
encryption algorithm but its keys or encrypted data are not right
there for me to try decrypting in a hurry with standard tools.)
* The synchronisation must default to, and encourage, standard
widely-implemented file synchronisation systems.
(This disqualifies software that has a non-default option for some
protocol that most of the application's users don't use, therefore
it's not as widely user-tested and more likely to be unreliable when I
need it.)
* The synchronisation must default to, and encourage, choosing an
independently-maintained hosting provider.
(Similar to the above, if most people default to a single hosting
provider then the federated hosting will not be nearly well tested
enough to assure reliability in a pinch.)
* The synchronisation must easily and obviously allow a user to set up
their own (or ask a skilled friend to set up) hosting, on at least an
equal standing with other synchronisation methods.
For me, at present the best option is Password Store (a.k.a. ‘pass’).
> - which password managers have a built-in mechanism for synchronizing
> or merging password lists on multiple devices?
By setting a Git remote to a private hosted repository, all my devices
can sync the password database by Git push and pull.
> - who is using some other mechanism such as Git or ownCloud to sync?
Git is not another method, it's built in to the application :-)
> Some other factors that come to mind for a comparison table:
>
> - support for PGP
Password Store uses standard OpenPGP, as implemented by GnuPG.
> - support for other strong crypto (e.g. smartcard)
Don't know about this.
> - merging algorithm for multiple devices
Password Store uses a separate encrypted file for each entry, so merges
are only a matter of managing a directory tree.
> - multi-user / team capabilities
I've seen discussion of this in the Password Store community; it usually
comes down to managing one's GnuPG keys.
Password Store allows the database to be encrypted to (i.e. unlockable
by any of) multiple GnuPG keys.
> - browser integration
I prefer integration to *all* applications on the desktop: i.e., the
program should simply place the passphrase in the clipboard, allowing me
to paste it into whatever form I visit. That covers the browser as well.
--
\ “But it is permissible to make a judgment after you have |
`\ examined the evidence. In some circles it is even encouraged.” |
_o__) —Carl Sagan, _The Burden of Skepticism_, 1987 |
Ben Finney
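The two properties Ben relies on above, that pass stores one encrypted file per entry and that the store is a plain Git repository pushed to any remote, can be checked without a password manager at all. The script below is an added example, not code from Ben Finney's message or from the pass project. It models the store layout (a .gpg-id file listing the recipient key IDs, one *.gpg file per entry) with plain-text placeholders so that only git is needed, not gpg or pass; the key IDs, entry paths and "ciphertext" contents are constructed for the demo. It sets up a bare "hosted" remote plus two clones standing in for a laptop and a phone, then shows that entries added on different devices merge with no conflict, while the same entry edited on both devices conflicts only in that one file.

```sh
#!/bin/sh
# Added example; not code from Ben Finney's message or from the pass project.
# Models pass's on-disk layout (one file per entry under the store, plus a
# .gpg-id file listing the recipient keys) with plain-text placeholders so
# only git is needed, and shows two consequences of that layout for Git sync:
#  1. entries added on different devices merge with no conflict at all;
#  2. the same entry edited on two devices conflicts, but only in that file.
# Key IDs, entry paths and entry contents below are constructed for the demo.

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_MERGE_AUTOEDIT=no   # never open an editor for merge messages

# commit_entry DIR PATH CONTENT: write one entry file and commit it, the way
# `pass insert` does when the store has git integration enabled.
commit_entry() {
    dir=$1; entry=$2; content=$3
    mkdir -p "$dir/$(dirname "$entry")"
    printf '%s\n' "$content" > "$dir/$entry"
    git -C "$dir" add -A
    git -C "$dir" commit -q -m "Add/update $entry" >/dev/null 2>&1
}

# pass_sync_demo: build a bare remote and two clones (laptop, phone), run both
# scenarios, and print one summary line:
#   merged=<number of entries on the laptop> conflict=<paths left unmerged>
pass_sync_demo() {
    work=$(mktemp -d)
    remote="$work/remote.git"; laptop="$work/laptop"; phone="$work/phone"

    git init -q --bare "$remote"
    git clone -q "$remote" "$laptop" >/dev/null 2>&1
    # Like `pass init KEY1 KEY2`: every entry is encrypted to all listed keys
    # (placeholder key IDs, not real keys).
    printf '%s\n' 0123456789ABCDEF FEDCBA9876543210 > "$laptop/.gpg-id"
    git -C "$laptop" add -A
    git -C "$laptop" commit -q -m "Init store with two recipient keys" >/dev/null 2>&1
    branch=$(git -C "$laptop" rev-parse --abbrev-ref HEAD)
    git -C "$laptop" push -q -u origin "$branch" >/dev/null 2>&1
    # Point the remote's HEAD at the pushed branch so the next clone checks it out.
    git -C "$remote" symbolic-ref HEAD "refs/heads/$branch"
    git clone -q "$remote" "$phone" >/dev/null 2>&1

    # Scenario 1: a different entry added on each device; both sync cleanly.
    commit_entry "$phone" mail/example.com.gpg "ciphertext-v1"
    git -C "$phone" push -q origin "$branch" >/dev/null 2>&1
    commit_entry "$laptop" web/forum.example.gpg "ciphertext"
    git -C "$laptop" fetch -q origin >/dev/null 2>&1
    git -C "$laptop" merge -q "origin/$branch" >/dev/null 2>&1   # no conflict
    git -C "$laptop" push -q origin "$branch" >/dev/null 2>&1
    set -- $(git -C "$laptop" ls-files -- '*.gpg')   # .gpg-id does not match
    merged=$#

    # Scenario 2: the same entry changed on both devices before syncing.
    git -C "$phone" fetch -q origin >/dev/null 2>&1
    git -C "$phone" merge -q "origin/$branch" >/dev/null 2>&1    # fast-forward
    commit_entry "$phone" mail/example.com.gpg "ciphertext-v2-phone"
    git -C "$phone" push -q origin "$branch" >/dev/null 2>&1
    commit_entry "$laptop" mail/example.com.gpg "ciphertext-v2-laptop"
    git -C "$laptop" fetch -q origin >/dev/null 2>&1
    git -C "$laptop" merge -q "origin/$branch" >/dev/null 2>&1 || true
    # Only the entry touched on both sides is left unmerged; nothing else is.
    conflict=$(git -C "$laptop" diff --name-only --diff-filter=U | tr '\n' ' ')
    git -C "$laptop" merge --abort

    rm -rf "$work"
    echo "merged=$merged conflict=${conflict% }"
}

pass_sync_demo
```

With a real store the conflicted file is an OpenPGP message rather than text, so the usual fix is to keep one side (`git checkout --ours` or `--theirs` on that one path) and re-insert the entry; every other entry is untouched, which is the point of the per-entry layout.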