On Wed, Mar 30, 2011 at 12:12:11PM -0600, Andrew McNabb wrote:
> On Wed, Mar 30, 2011 at 11:08:44AM -0600, Jeff Anderson wrote:
> >
> > It seems like a logical design-- GPG is a tried and tested encryption
> > technology, why not use it as a backend for a password manager? Is there
> > something inherently wrong with that idea?
>
> I think it would be really handy for people like you (and me) who like
> to be able to edit files by hand, but most people probably wouldn't
> particularly appreciate the feature. I'm guessing that the existing
> password managers use well-tried and well-tested encryption libraries,
> but they focus more on UI issues than on having a variety of data
> backends. Additionally, you probably don't really need public key
> cryptography for a password manager.

I agree that for most cases, a public key system is overkill, but I have managed to run into an edge case with a password manager where I would have been much happier with a public/private key.

One way that I've seen a password manager used was for assigning passwords. You'd go to a web application, and enter a new keepassx passphrase. The site would then send you a keepassx formatted password store that you could open with the passphrase that you entered. The idea was to avoid printing passwords when distributing new ones. Using a password store seems to be an appropriate way to get around printing, but sending your passphrase over the network, even with SSL, is probably a bad idea. With potential XSS vulnerabilities, a browser is a very nasty place to put a master passphrase for a new password store.

Using GPG, you could easily implement a method to assign or share common passwords without having to go outside your password manager. The application or person creating the password simply needs to create it, and encrypt it with the recipient's public key. No need for the password creator and recipient to share a common secret.

This case isn't common enough for me to put in the work to patch keepassx, but it could be a fun project.

Of course, there are plenty of security questions that can be raised about assigned passwords, and sharing common passwords, but it is indeed a common practice to do both.

Jeff Anderson

--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
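
The password-assignment flow described in the message above, sketched with the gpg command line. This is an added example, not part of the original post: the function names, the user ID alice@example.test, the temporary keyrings and the sample password are constructed, and it assumes GnuPG 2.1 or later.

```bash
#!/usr/bin/env bash
# Added example: the creator encrypts a new password to the recipient's
# public key, so no passphrase or shared secret ever crosses the network.

# Recipient side: make a key pair and export only the public half.
# The empty passphrase is an assumption so the demo runs unattended.
recipient_setup() {  # $1 = recipient homedir, $2 = user ID, $3 = pubkey file
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null &&
    gpg --homedir "$1" --batch --armor --export "$2" > "$3"
}

# Creator side: import the public key and encrypt the new password to it.
# --trust-model always skips key validation for the demo; in real use the
# creator verifies the recipient's fingerprint out of band first.
assign_password() {  # $1 = creator homedir, $2 = pubkey file, $3 = user ID, $4 = password
    gpg --homedir "$1" --batch --quiet --import "$2" 2>/dev/null &&
    printf '%s' "$4" | gpg --homedir "$1" --batch --quiet --armor \
        --trust-model always --encrypt --recipient "$3" 2>/dev/null
}

# Decrypt ciphertext from stdin with whatever secret keys live in homedir $1.
open_password() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt 2>/dev/null
}

demo() {
    local tmp r c uid ct got creator
    tmp=$(mktemp -d); r="$tmp/recipient"; c="$tmp/creator"
    uid='alice@example.test'                     # constructed user ID
    mkdir -m 700 "$r" "$c"
    recipient_setup "$r" "$uid" "$tmp/alice.pub"
    ct=$(assign_password "$c" "$tmp/alice.pub" "$uid" 'S3cr3t-constructed-demo')
    got=$(printf '%s\n' "$ct" | open_password "$r")
    # The creator's keyring holds no secret key, so it cannot reopen the message.
    if printf '%s\n' "$ct" | open_password "$c" >/dev/null; then
        creator=decrypted
    else
        creator=cannot-decrypt
    fi
    gpgconf --homedir "$r" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$c" --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
    echo "recipient=$got creator=$creator"
}

demo
```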
