Re: Password Manager opinions and recommendations

To: debian-user@lists.debian.org
Subject: Re: Password Manager opinions and recommendations
From: Ben Finney <bignose@debian.org>
Date: Mon, 26 Mar 2018 09:07:13 +1100
Message-id: <[🔎] 85tvt3yfla.fsf@benfinney.id.au>
References: <[🔎] 201803251152.13825.rhkramer@gmail.com> <[🔎] a3f56c05-0b67-9038-d914-522fe3d8cf89@riseup.net>

likcoras <likcoras@riseup.net> writes:

> I think pass (https://www.passwordstore.org/) meets most of your
> requirements. It's a glorified shell script that calls gpg under the
> hood to create passwords that are stored locally (under
> ~/.password-store).

I concur with the recommendation for Password Store, in this case.
(that link again, <URL:https://www.passwordstore.org/>).
Someone who has been manually handling their password database should be
right at home with the Password Store system.

> - It does not have a network component.

Password Store uses Git to store the entries, and Git natively allows
distribution of the repository via SSH or HTTPS (and others, of course).

> - You can transfer individual password files, decrypt them yourself
> with gpg, etc.

This is very important! Our password data is too crucial to be locked
into a custom data format needing a specific tool. Password Store avoids
this by using only standard, general-purpose tools.

> - Very straightforward to decrypt with a simple shell script.
> - Uses pwgen to generate passwords, if requested. You can customize
> generation a bit (no special characters, etc.)

For more useful passphrases I can recommend Diceware or ‘xkcdpass’
<URL:https://pypi.python.org/pypi/xkcdpass>. That's a separate tool
though, Password Store does not yet integrate with it.

> - It does not handle automatic password updates.

True. This could be implemented in a custom client though.

Which raises another advantage of Password Store: it is a description of
a password manager *without* specifying the client. There are many
clients that work with this system, as can be seen at the website.

<URL:https://www.passwordstore.org/#other>

So I use the ‘pass’ command-line client on some machines, QtPass desktop
client on others, and the Android app (available from the F-Droid app
store <URL:https://f-droid.org/repository/browse/?fdid=com.zeapo.pwdstore>)
to carry them with me.

-- 
 \          “Isn't it enough to see that a garden is beautiful without |
  `\      having to believe that there are fairies at the bottom of it |
_o__)                                             too?” —Douglas Adams |
Ben Finney

Reply to:

References:
- Password Manager opinions and recommendations
  - From: rhkramer@gmail.com
- Re: Password Manager opinions and recommendations
  - From: likcoras <likcoras@riseup.net>

Prev by Date: Re: Password Manager opinions and recommendations
Next by Date: Re: Printing impossible
Previous by thread: Re: Password Manager opinions and recommendations
Next by thread: Re: Password Manager opinions and recommendations
Index(es):
- Date
- Thread