On 03/26/2018 12:52 AM, rhkra...@gmail.com wrote: > I started reading up on password managers in order to consider using one.
Good! Welcome aboard. > Here are some of what I think are my criteria for a password manager: > > * encrypted storage on my own machines (no storage "in the cloud") > * ability to transfer to other devices, including Android tablets and > phones--either all the passwords or just one for some special logon on a > machine I don't normally use. Currently I do almost everything (that > requires > a password) on one of my desktop computers. I have a laptop that I use very > occasionally. Occasionally I've had to go to a library (or similar) to use a > Windows machine. I do have an Android tablet and phone, and, in general, I > don't use that for confidential type stuff (no banking, for example), but > that > could change if either I feel very secure or in some sort of extreme > emergency. > * (a repeat of part of the previous bullet) a means to easily take an > individual password to another machine for occasional use of another machine > * a means to recover all the passwords if the password manager becomes > defunct (and this also implies backup and restore capabilities) > * a means to automatically generate secure passwords > * a means to automatically update passwords on the target websites (to > facilitate regular / frequent password changes)--this is probably a > stretch--I > mean something that would work its way through the various screens and > prompts > to change a password with a minimum of manual intervention by me > I think pass (https://www.passwordstore.org/) meets most of your requirements. It's a glorified shell script that calls gpg under the hood to create passwords that are stored locally (under ~/.password-store). - It does not have a network component. - You can transfer individual password files, decrypt them yourself with gpg, etc. - Very straightforward to decrypt with a simple shell script. - Uses pwgen to generate passwords, if requested. You can customize generation a bit (no special characters, etc.) - It does not handle automatic password updates. It would also be trivial to modify the script to use some other password generator, and of course you can input your own passwords. The pass package in Debian also includes the passmenu utility, which uses dmenu to automatically type in your password for you. I highly recommend you use this or some other frontend, as copy-pasting passwords becomes a chore. Let the password manager type it out for you! That is one disadvantage of pass, though. It does not have a built-in frontend, so it requires you to install some other piece if you want to use it more efficiently. Also note, if you decide to use passmenu, I think there was some bug where it did not properly escape text when typing it in for you. Not sure if it was patched or if the bug is still open. If it gives you trouble, just grab the latest version from the pass git repository. > As an alternative to a password manager, I may create my own memorizable > password generator "algorithm" that I can mostly use "in my head". For > instance, it could be something like this: > * think up a multiword phrase, possibly with a mnemonic connection to the > target website (or, have a means to extract them from a book, e.g., the 3rd > sentence of the 5th chapter of War and Peace--or maybe the first sentence in > the book that contains the word bank would become the passphrase for my bank). > * have a consistent substitution algorithm, which might do things like > this: > * capitalize the nth letter of each word (or the nth letter of the > first > word, the (n+1)th letter of the 2nd word, ... > * substitute (or insert) a punctuation mark for (like above) the mth > letter of each word (or the mth letter of the first word, the (m+1)th letter > of > the 2nd word, ... --the puntuation might be selected in, for example, > keyboard > order (or reverse keyboard order) across the numeric keys (e.g., !@#$%^&*() > (although maybe some of those might be invalid in (some?) passwords) > * some other similar generation rules > > Obviously, having "published" these ideas, my actual implementation will be > somewhat different ;-) About that, I would suggest you just use diceware (http://world.std.com/%7Ereinhold/diceware.html). The page includes instructions on adding special characters/etc to increase entropy/satisfy dumb requirements. The reason for this is that you are guaranteed a certain amount of entropy even if your method of generating passwords is revealed, even if they know which wordlist that you use. Something like what you describe might possibly be safer, but you can't really quantify how much security you would be giving up by omitting some step, or how worried you should be about having some of the steps revealed by accident or by other, more nefarious means. Don't take chances when generating passwords. Also, diceware passwords are surprisingly easy to remember, even if they don't have some kind of mnemonic relation to the site it's for. Remembering multiple 6~8-word passwords is not that hard if you use them relatively often.
