From: Rick Moen <rick@linuxmafia.com>
To: balug-talk-balug.org@lists.balug.org
Subject: Re: [Balug-talk] Ask balug: Managing Passwords
Date: Thu, 5 May 2005 16:39:29 -0700
X-Mas: Bah humbug.
User-Agent: Mutt/1.5.6+20040907i
Quoting Bill Moseley (moseley@hank.org):
> My question is how do you track your passwords? Do you gpg encrypt a
> file on your machine? Or do you just store it as plain text and not
> worry about it? Or is your password list not available on your
> machine?
Because I use a PalmPilot quite a lot, I rely on a 3DES-encrypting password store for PalmOS called Keyring (http://gnukeyring.sourceforge.net/). Thus, I am able to have globally unique passwords absolutely everywhere (except in places it truly doesn't matter), and need remember only one password, that of Keyring itself.
The Keyring database file gets backed up onto my Linux workstation using JPilot, which serendipitously happens to include Keyring conduit software, letting me view/edit/enter Keyring records if I wish.
Keyring includes a nifty, customisable pseudorandom password generator. The JPilot conduit has one, too, but not nearly as nice.
> I was thinking of using gpg to encrypt locally, but it's kind of a
> pain to edit — although I'm sure there's a way to get vim to open the
> file and re-encrypt it on saves. Oh, I guess it's not that hard:
kgpg helps (KDE thing):
http://developer.kde.org/~kgpg/
Some people like MyPasswordSafe, which is Qt-based and uses Blowfish:
http://www.semanticgap.com/myps/
It's actually a GUI-ised fork of Password Safe:
http://passwordsafe.sourceforge.net/
Password Gorilla does the same trick on Password Safe, but using tcl/tk instead of Qt:
http://www.fpx.de/fp/Software/Gorilla/
TkPasMan is (obviously) another tcl/tk-based thing:
http://www.xs4all.nl/~wbsoft/linux/tkpasman.html
KWallet (included in kdeutils) is the canonical KDE implementation:
http://docs.kde.org/en/3.2/kdeutils/kwallet/
Revelation is a gtk+/GNOME2 thing:
http://oss.codepoet.no/revelation/about/
pwsafe is a command-line password-management tool:
http://nsd.dyndns.org/pwsafe/
> A friend I asked once uses a plain text file. He said he doesn't
> encrypt since the private key is available on the same machine (seems
> a passphrase solves that), and if someone gets in as root he's hosed
> anyway.
This is why I try to never get into my Keyring store from JPilot's conduit if humanly possible, only from my PalmPilot: The threat models are slightly more manageable.
Date: Fri, 6 May 2005 15:38:32 -0700 (PDT)
From: "Mark R. Cervarich" <mark@shelfspace.com>
To: balug-talk-balug.org@lists.balug.org
Subject: Re: [Balug-talk] Ask balug: Managing Passwords
On Wed, 4 May 2005, Bill Moseley wrote:
> So, I'm just looking for suggestions on managing passwords (or any
> text) I want available on my machine but in a reasonably secure way.
For my "important passwords", I've been using:
http://freshmeat.net/projects/passwordms/
"The Password Management System is a simple password manager for the console that uses blowfish for encryption and CDK for the interface."
It's simple, it works from the command line, and it's very safe.
I heard about it when Marcel Gagne wrote about it in Linux Journal:
http://www.marcelgagne.com/cwl012005.html