How to create a command-line password locker (Linux.com)
"Like many people, I have too many passwords to remember. To keep them straight, I wrote a simple password locker script using dialog and GnuPG (GNU Privacy Guard). The script prompts the user for a master password using a dialog box, unencrypts a file that holds a list of passwords, and opens the file in a text editor. When the editor is closed, the script re-encrypts the password file."

How to create a command-line password locker (Linux.com)
Posted Mar 16, 2007 22:52 UTC (Fri)
by riddochc (guest, #43)
(3 responses)

I personally use Keyring[1] on my old Handspring Visor, and have thought about using scripts like this before. I'm concerned about how hard it might be to properly clean up temporary files from various possible editors, especially since the trailing ~ isn't the only convention out there for saved backups. Anybody have thoughts about the security implications of these sorts of password managers?

[1] http://gnukeyring.sourceforge.net/

How to create a command-line password locker (Linux.com)
Posted Mar 19, 2007 13:41 UTC (Mon)
by johill (subscriber, #25196)

Usually the solution to clean up the various backup files is to create a temporary directory and blow that away afterwards.

How to create a command-line password locker (Linux.com)
Posted Mar 19, 2007 16:41 UTC (Mon)
by sokol (guest, #4383)

One way to avoid the "temp file with clear text" hole is to use a pipe, so the clear passphrase is only somewhere in kernel memory, not on the disk.

With dialog used in the script, the problem is that it outputs the passphrase on stderr. So, here is an example of "how to redirect stderr to a pipe without disturbing stdout, which still goes to the console":

dialog --backtitle "Password Database" --title "Master Password" --clear --insecure --passwordbox "Enter the Password Database master password." 10 51 3>/dev/tty 2>&1 1>&3 | \
gpg -d -r "$KEY_RECIPIENT_NAME" -o "$PASSWD_LIST_UNENCRYPTED" --passphrase-fd 0 "$PASSWD_LIST" &> /dev/null

My 2 cents.

How to create a command-line password locker (Linux.com)
Posted Mar 20, 2007 18:44 UTC (Tue)
by EricBackus (guest, #2816)

I also use Keyring, on my Treo 650. One advantage of this over a file on my computer is that I have my passwords available to me both at work and at home.

An alternative
Posted Mar 16, 2007 23:04 UTC (Fri)
by mitr (subscriber, #31599)
(1 responses)

pwsafe (http://nsd.dyndns.org/pwsafe/).
It manages the list of passwords automatically, can copy the password to X clipboard, can automatically generate random passwords.

An alternative
Posted Mar 17, 2007 3:58 UTC (Sat)
by Sutoka (guest, #43890)

Be careful about putting passwords into X's clipboard if you're using any program like Klipper (part of KDE, not sure if saving is enabled by default though) or any other that will save your clipboard's contents between sessions (you could end up with your passwords being written to disk as plain text!).

How to create a command-line password locker (Linux.com)
Posted Mar 17, 2007 0:25 UTC (Sat)
by ajross (guest, #4563)

Yeah, that's pretty much my solution too: pgg-mode in emacs. I just keep an encrypted text file on my laptop with all my passwords & credit card info. It makes it *much* easier to deal with randomly generated passwords, and the ability to cut-n-paste credit card numbers makes typical e-commerce easier to boot.

Symlink attacks welcome
Posted Mar 17, 2007 0:42 UTC (Sat)
by proski (subscriber, #104)

I think the fallback to /tmp/`basename $0`.tmp and redirecting the output to it is insecure. It's an invitation for a symlink attack. If the software cannot work securely, it shouldn't fall back to an insecure mode. It should fail.

I understand it's just a prototype, but writing an insecure fallback wasn't necessary to demonstrate the idea. In fact, it demonstrates something else.

Also, I don't see where $PASSWD_LIST_UNENCRYPTED comes from. It should be in a directory only accessible by the owner, and the script should check it.

How to create a command-line password locker (Linux.com)
Posted Mar 17, 2007 2:49 UTC (Sat)
by terminator (guest, #2292)
(3 responses)

I use vim with the following config in ~/.vimrc

" Use GnuPG to open a .gpg file
augroup gpg
au!
au BufReadPre,FileReadPre *.gpg set viminfo=
au BufReadPre,FileReadPre *.gpg set noswapfile
au BufReadPost *.gpg :%!gpg -q -d
au BufReadPost *.gpg | redraw
au BufWritePre *.gpg :%!gpg --default-recipient-self -q -e -a
au BufWritePost *.gpg u
au VimLeave *.gpg :!clear
augroup END

Whenever I open a .gpg file, vim asks for my gpg key. It's pretty straightforward.

How to create a command-line password locker (Linux.com)
Posted Mar 17, 2007 8:39 UTC (Sat)
by DG (subscriber, #16978)

Thanks! I've been using gpg through two scripts on the command line, but always view the file with vim.... this will make life much better :-)

How to create a command-line password locker (Linux.com)
Posted Mar 18, 2007 18:09 UTC (Sun)
by cortana (subscriber, #24596)

There are a couple of scripts on the Vim website to do this too. The one I used is at: http://vim.sourceforge.net/scripts/script.php?script_id=661

How to create a command-line password locker (Linux.com)
Posted Mar 19, 2007 12:29 UTC (Mon)
by sitaram (guest, #5959)

bufreadpre doesn't work for a file that doesn't exist. So when creating a *new* password file you should create it, save&close it with a blank line or something, then edit again. I.e., on the first edit of a new file, the 2 critical settings don't "take".

Also understand that if you hit Ctrl-C on the password prompt at a bad point when using :x or :wq instead of a :w, your entire file is gone :-(

Get into the habit of using :w, *then* :q. And make backups -- heck, it's an encrypted file so make many of them :-)

Finally, for those of you (like me) who don't really use GPG (yeah, I know, bad net citizen and all that...) and prefer a symmetric encryption, use these commands in place of the !gpg commands above:

for BufReadPost: use "openssl bf -d -a"
for BufWritePre: use "openssl bf -salt -a"

How to create a command-line password locker (Linux.com)
Posted Mar 17, 2007 3:23 UTC (Sat)
by ken (subscriber, #625)

I use the emacs package crypt++el together with mcrypt to get emacs to handle encrypted files automatically. So when emacs detects an encrypted file it prompts for the password, then automatically encrypts when saving.

Has worked for years without any problems.

How to create a command-line password locker (Linux.com)
Posted Mar 17, 2007 5:00 UTC (Sat)
by jd (guest, #26381)

It's not personally the approach I'd use (too many copies of decrypted keys floating around and I can see some potential ways such a method could be vulnerable) but it's infinitely better than using a plaintext password file or otherwise leaving the door wide open.

How to create a command-line password locker (Linux.com)
Posted Mar 18, 2007 13:01 UTC (Sun)
by mbottrell (guest, #43008)

Revelation does it for me. (http://oss.codepoet.no/revelation/)
Fast, easy and secure.

JavaScript solution
Posted Mar 19, 2007 11:00 UTC (Mon)
by edmundo (guest, #616)
(1 responses)

I have experimented with a JavaScript password locker: there's a single HTML file which you view using any browser that understands JavaScript; you type in a password, and get a text box containing your passwords, etc. If you want, you can edit the text and reencrypt. Unfortunately, saving the modified file is not portable, but with Mozilla you can just use the Save menu, and there are ways of doing it with IE, apparently.

The cryptography (AES) is implemented in JavaScript. I didn't implement that bit myself, but it wouldn't be hard to audit the code. The code and the data are in the same file.

The main advantage of this approach is that you can carry the file with you on a memory stick and access it using any computer. There are unlikely to be any intermediate files created, but you have to beware of swap, of course, so it's safer to use a computer that isn't doing anything else at the time.

If you are confident of your master password and not expecting any sophisticated attackers you could put the HTML file on a web server.

JavaScript solution
Posted Mar 19, 2007 11:51 UTC (Mon)
by sitaram (guest, #5959)

On another thread about personal wikis I waxed eloquent about tiddlywiki.

I use a tiddlywiki with an encryption plugin for this. Works beautifully, and works on all machines, all browsers.

Saving the file back, which you mentioned, is of course the main thing that tiddlywiki does, encryption or not, being essentially a stand-alone, single-file, JS-powered, wiki "application" :-)
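To make sokol's file-descriptor trick concrete (the dialog | gpg --passphrase-fd 0 pipeline in the thread), here is an added shell example that is neither the Linux.com script nor any commenter's code. Because dialog needs a terminal, the example substitutes a stand-in function `emit` that, like dialog, draws on stdout and writes the entered secret on stderr; a temporary file stands in for /dev/tty and `tr` stands in for gpg as the pipe's reader. The names `emit` and `secret_to_pipe` are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Linux.com script): sokol's
# stderr-to-pipe redirection, with a stand-in for dialog so it runs headless.

# emit behaves like dialog --passwordbox: the UI goes to stdout, the
# passphrase the user typed goes to stderr. "s3cret" is a constructed value.
emit() {
    printf 'UI drawing goes here\n'
    printf 's3cret\n' >&2
}

# secret_to_pipe CONSOLE
# Runs emit so that its stderr (the secret) flows down the pipe and its
# stdout (the UI) goes to CONSOLE instead. In the thread CONSOLE is /dev/tty
# and the reader is gpg --passphrase-fd 0; here a file stands in for the
# terminal and tr stands in for gpg. The secret never appears in any argv
# (so ps cannot show it) and never touches a temporary file.
#   3>"$1"   open fd 3 on the console
#   2>&1     point stderr where stdout currently points: the pipe
#   1>&3     then point stdout at the console through fd 3
secret_to_pipe() {
    { emit 3>"$1" 2>&1 1>&3; } | tr 'a-z' 'A-Z'
}

# Stand-alone demo: the "console" is a temp file we can inspect afterwards.
console=$(mktemp) || exit 1
printf 'pipe reader received: %s\n' "$(secret_to_pipe "$console")"
printf 'console received:     %s\n' "$(cat "$console")"
rm -f "$console"
```

The order of the three redirections is what matters: `2>&1` must come before `1>&3`, because each redirection copies where the target fd points at that moment. Note that this only keeps the passphrase off disk; the decrypted password list that gpg writes with `-o` still lands in a file, which is the separate problem johill and proski discuss.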
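riddochc's worry about stray editor backups, johill's "temporary directory and blow it away" answer, and proski's symlink-attack objection to a fixed /tmp/name.tmp fallback all point to the same mitigation: a scratch directory only the owner can reach, created atomically with an unpredictable name, verified before use, and removed on exit. The following added shell example (not the Linux.com script, nor code from any commenter) does that; the `pwlocker` template name and the function names are the example's own, and the gpg/editor line is left as a comment because the example does not assume a keyring.

```shell
#!/bin/sh
# Added example (not from the thread or the Linux.com script).
# A private scratch directory for the decrypted password list, replacing a
# predictable /tmp/<name>.tmp that a symlink planted by another user could
# redirect somewhere else.

# check_private_dir DIR: succeed only if DIR is a real directory (not a
# symlink), owned by the current user, with mode 0700. This is the check
# proski asks for before the script writes anything there.
check_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # GNU stat prints the octal mode with -c %a, BSD/macOS stat with -f %Lp
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}

# make_private_workdir: create a fresh 0700 directory with an unpredictable
# name (mktemp -d creates it atomically, so there is no window for a
# pre-planted symlink) and print its path. umask 077 makes every file the
# editor later writes inside it owner-only too, including its backup copies.
make_private_workdir() {
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/pwlocker.XXXXXX") || return 1
    check_private_dir "$dir" || { rmdir "$dir" 2>/dev/null; return 1; }
    printf '%s\n' "$dir"
}

# Stand-alone demo of the flow. If no private directory can be had, fail,
# rather than falling back to a shared location. The trap removes the whole
# directory on normal exit, Ctrl-C or termination, which also takes the
# editor's backup files with it.
workdir=$(make_private_workdir) || { echo "no private scratch directory; refusing to continue" >&2; exit 1; }
trap 'rm -rf "$workdir"' EXIT INT TERM
plain="$workdir/passwords.txt"
# The real work would go here, e.g.:
#   gpg -d -o "$plain" "$PASSWD_LIST" && "${EDITOR:-vi}" "$plain" && gpg -e --default-recipient-self -o "$PASSWD_LIST" "$plain"
printf 'scratch directory: %s (plaintext would live at %s)\n' "$workdir" "$plain"
```

Removing the directory unlinks the plaintext but does not scrub the disk blocks it occupied, so point TMPDIR at a tmpfs or an encrypted volume if that matters; keeping the passphrase itself out of files, as in sokol's pipe, is a separate measure.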