Re: [dev] suckless password manager
FYI, recently the fd.o guys started working on a secrets storage spec: http://www.freedesktop.org/wiki/Specifications/secret-storage-spec

I find it quite interesting because they want to have a spec that multiple applications will start using. If you want to help steer them towards being compatible with a no-bloat setup, it's still not too late.

My initial thoughts: http://lists.freedesktop.org/archives/authentication/2009-July/03.html

Dieter
[dev] suckless password manager
Currently I have only found one simple password manager: pwsafe. It can be used from the command line, can work with the X clipboard and uses good cryptography, I think. But it is not supported any more, and its code depends on readline and autotools, is written in C++ and consists of one .cpp file. As far as I can see, suckless projects mostly work with X11 in the Unix way. pwsafe also does a trick with X11: it puts the password into the clipboard and clears it after you paste it somewhere with a middle-click. So if someone here understands all of cryptography, X11 and UNIX well, it could be a good idea for a new suckless project. Maybe the code can be simplified by switching to another database structure not compatible with PasswordSafe.
Re: [dev] suckless password manager
> It can't work with X, but the use of GPG instead of creating a new encryption scheme is interesting. So the only thing to implement is secure use of the X11 clipboard and integration with GPG or some PGP library.

Perhaps you could alter the script to pipe the nth line into xsel, or change the format of the 'database', e.g.

    gmail hunter2
    supersecritsight.org 1234

and prompt the user for a site? (man read, xmessage?)

From xsel's man page:

    -t ms, --selectionTimeout ms
        Specify the timeout in milliseconds within which the selection must be retrieved.
Re: [dev] suckless password manager
Actually, I think password managers are not secure. All your passwords are just as strong as your PM encryption. I have a mnemonic/algorithm which enables me to generate a quite strong password (without pen and paper) which depends on the name of the webpage and/or the username I use there.

On Dec 10, 2009 11:55 PM, anonymous aim0s...@lavabit.com wrote:
> On Thu, Dec 10, 2009 at 11:14:15PM +0100, Nibble wrote:
>> Hi, It is just a little toy, but ma...
>
> It can't work with X, but the use of GPG instead of creating a new encryption scheme is interesting. So the only thing to implement is secure use of the X11 clipboard and integration with GPG or some PGP library.
>
> And what password managers do suckless developers use? Not using any doesn't seem secure; I don't think someone can remember lots of good passwords.
Re: [dev] suckless password manager
On Thu, Dec 10, 2009 at 11:03:25PM +, Rob wrote:
> Perhaps you could alter the script to pipe the nth line into xsel, or change the format of the 'database', e.g.
>
>     gmail hunter2
>     supersecritsight.org 1234
>
> and prompt the user for a site? (man read, xmessage?)
>
> From xsel's man page:
>
>     -t ms, --selectionTimeout ms
>         Specify the timeout in milliseconds within which the selection must be retrieved.

What does the -t timeout affect? It looks like nothing changed: with -t 5000 I can retrieve PRIMARY after 5 seconds, before 5 seconds and at any time.
Re: [dev] suckless password manager
> What does the -t timeout affect? It looks like nothing changed: with -t 5000 I can retrieve PRIMARY after 5 seconds, before 5 seconds and at any time.

You're right, perhaps it's an xsel bug? Perhaps you could

    echo password | xsel -i
    sleep 0.5
    xsel -c   # or -d?

Maybe xclip offers more.
Re: [dev] suckless password manager
On Thu, Dec 10, 2009 at 2:14 PM, Nibble nibble...@gmail.com wrote:
> It is just a little toy, but maybe it could be useful for someone else ;)
> http://nibble.develsec.org/hg/toys/file/da45af463c1c/passman

I've done a similar toy with VIM + GPG back in the day :-)
http://snk.tuxfamily.org/bin/secure-edit.sh

It's very important that the intermediate unencrypted file is destroyed upon script termination!
Re: [dev] suckless password manager
Maybe xclip -l 1 -i could do the job. BTW, I have just simplified the script even more (using umask instead of chmods). The latest changes are in the hg tip: http://nibble.develsec.org/hg/toys/file/a12b1de0a2cc/passman

On Thu, 10 Dec 2009 23:46:31 + Rob robpill...@gmail.com wrote:
>> What does the -t timeout affect? It looks like nothing changed: with -t 5000 I can retrieve PRIMARY after 5 seconds, before 5 seconds and at any time.
>
> You're right, perhaps it's an xsel bug? Perhaps you could
>
>     echo password | xsel -i
>     sleep 0.5
>     xsel -c   # or -d?
>
> Maybe xclip offers more.
Re: [dev] suckless password manager
> You're right, perhaps it's an xsel bug? Perhaps you could
>
>     echo password | xsel -i
>     sleep 0.5
>     xsel -c   # or -d?
>
> Maybe xclip offers more.

pwsafe clears PRIMARY right after you use it, then it exits. That way you can use it only one time, and you can be sure no one can see your password after pwsafe exits.

There is a project ideas page in the wiki. Maybe a password manager can be added there?
Re: [dev] suckless password manager
Thanks for the tip :) I updated passman accordingly and now it uses shred -fuz instead of rm -f.

On Thu, 10 Dec 2009 16:03:35 -0800 Suraj Kurapati sun...@gmail.com wrote:
> On Thu, Dec 10, 2009 at 2:14 PM, Nibble nibble...@gmail.com wrote:
>> It is just a little toy, but maybe it could be useful for someone else ;)
>> http://nibble.develsec.org/hg/toys/file/da45af463c1c/passman
>
> I've done a similar toy with VIM + GPG back in the day :-)
> http://snk.tuxfamily.org/bin/secure-edit.sh
>
> It's very important that the intermediate unencrypted file is destroyed upon script termination!
Re: [dev] suckless password manager
> Thanks for the tip :) I updated passman accordingly and now it uses shred -fuz instead of rm -f.

Also, if you want to make the code shorter, you can use

    [ expr ] && echo true || echo false

instead of if..else.
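The flow the thread has converged on (decrypt a GPG file to a scratch file, pull out one site's entry, hand it to the X selection once with xclip -l 1, and destroy the plaintext on exit with shred -fuz rather than rm -f), written out as an added example. This is neither Nibble's passman nor Suraj's secure-edit.sh; the database path, the "site user password" line format, and the PASSMAN_* override variables are assumptions made here so the functions can be exercised without gpg or an X display.

```sh
#!/bin/sh
# Added example, not the passman script from the thread.  A minimal
# GPG-backed store that decrypts to a private temp file, hands one
# password to the X selection exactly once (xclip -l 1, as suggested
# in the thread), and shreds the plaintext when the function exits,
# whether normally, on error or on a signal.
#
# Assumed (not from the thread): the database is $PASSMAN_DB, a gpg file
# whose plaintext has one "site user password" entry per line.  The
# decrypt/encrypt/clipboard/editor commands are overridable so the
# functions can be exercised without gpg or an X display.

: "${PASSMAN_DB:=$HOME/.passman.gpg}"
: "${PASSMAN_DECRYPT:=gpg -q -d}"                          # ciphertext on stdin
: "${PASSMAN_ENCRYPT:=gpg -q -e --default-recipient-self}"
: "${PASSMAN_CLIP:=xclip -l 1 -i}"                         # serve one paste, then exit
: "${PASSMAN_EDITOR:=${EDITOR:-vi}}"

umask 077                                # anything we create is 0600

# passman_lookup SITE FILE: print the password of the first line whose
# first field is SITE; fail if there is none.
passman_lookup() {
    awk -v site="$1" '$1 == site { print $3; found = 1; exit }
                      END { exit !found }' "$2"
}

# passman_wipe FILE: overwrite, then unlink.  shred -fuz as in the
# thread; a dd-then-rm fallback where there is no coreutils.  Neither
# beats journaling, copy-on-write or SSD wear levelling, which is why
# passman_tmp prefers tmpfs.
passman_wipe() {
    [ -e "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -fuz "$1"
    else
        size=$(wc -c < "$1" | tr -d ' ')
        [ "$size" -gt 0 ] && dd if=/dev/zero of="$1" bs="$size" count=1 \
            conv=notrunc 2>/dev/null
        rm -f "$1"
    fi
}

# passman_tmp: a private scratch file, on /dev/shm (tmpfs) when that is
# usable, so the plaintext never reaches a disk.
passman_tmp() {
    d=/dev/shm
    [ -d "$d" ] && [ -w "$d" ] || d=${TMPDIR:-/tmp}
    mktemp "$d/passman.XXXXXX"
}

# passman_get SITE: decrypt, look up, push to the selection once.
# The body is a subshell so the EXIT trap fires when the function
# returns, not only when the calling script ends.
passman_get() (
    plain=$(passman_tmp) || exit 1
    trap 'passman_wipe "$plain"' EXIT INT TERM HUP
    $PASSMAN_DECRYPT < "$PASSMAN_DB" > "$plain" || exit 1
    pw=$(passman_lookup "$1" "$plain") || exit 1
    printf '%s' "$pw" | $PASSMAN_CLIP    # no trailing newline in the paste
)

# passman_edit: decrypt, open in the editor, re-encrypt through a temp
# file so a failed encryption cannot truncate the database.
passman_edit() (
    plain=$(passman_tmp) || exit 1
    trap 'passman_wipe "$plain"' EXIT INT TERM HUP
    if [ -e "$PASSMAN_DB" ]; then
        $PASSMAN_DECRYPT < "$PASSMAN_DB" > "$plain" || exit 1
    fi
    $PASSMAN_EDITOR "$plain" || exit 1
    $PASSMAN_ENCRYPT < "$plain" > "$PASSMAN_DB.tmp" || exit 1
    mv "$PASSMAN_DB.tmp" "$PASSMAN_DB"
)

case "$1" in
    edit) passman_edit ;;
    ?*)   passman_get "$1" ;;
esac
```

Run as `passman gmail` to serve one paste, or `passman edit` to change the file; a dry run without gpg or X is `PASSMAN_DECRYPT=cat PASSMAN_CLIP=cat passman gmail` against a plaintext file. Two caveats that xclip -l 1 does not remove: any client on the display may issue that one selection request, and the first to ask wins; and the plaintext still sits in this shell's memory and in xclip's until the paste happens. shred's own man page spells out why overwriting is unreliable on journaling, copy-on-write and flash-backed storage, which is the reason the scratch file goes to /dev/shm when it exists.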
Re: [dev] suckless password manager
Alexander Surma dixit (2009-12-11, 00:07):
> Actually, I think password managers are not secure. All your passwords are just as strong as your PM encryption.

That's why I keep most of my less-used passwords in a GPG-encrypted-to-self file with a vim configuration for transparent decryption, re-encryption and wiping afterwards. This is obviously not 100% secure, but for a moderately trusted personal setup it's quite sufficient.

Best,
-- 
[a]
Re: [dev] suckless password manager
Factotum + secstore:

* http://doc.cat-v.org/plan_9/4th_edition/papers/auth
* http://man.cat-v.org/p9p/4/factotum
* http://man.cat-v.org/p9p/1/secstore

On Thu, Dec 10, 2009 at 11:07 PM, anonymous aim0s...@lavabit.com wrote:
> Currently I have only found one simple password manager: pwsafe. It can be used from the command line, can work with the X clipboard and uses good cryptography, I think. But it is not supported any more, and its code depends on readline and autotools, is written in C++ and consists of one .cpp file. As far as I can see, suckless projects mostly work with X11 in the Unix way. pwsafe also does a trick with X11: it puts the password into the clipboard and clears it after you paste it somewhere with a middle-click. So if someone here understands all of cryptography, X11 and UNIX well, it could be a good idea for a new suckless project. Maybe the code can be simplified by switching to another database structure not compatible with PasswordSafe.