
Sticking with zx2c4 pass. It is an assembly of gnupg, git, and pwgen. Trusted open source components. Works with a Yubikey (opensc and gpg-agent) to prevent private key theft via software. PassFF extension provides excellent browser integration. Android Password Store and OpenKeychain allow pass and yubikey to work on my mobile. Strong two-factor password storage everywhere I need it.

My biggest problem these days is dealing with sites that don't allow 30+ char passwords with full range of special characters. Almost exclusively, banks.



What is it with banks and their annoyingly terrible "security" requirements? My old bank once sent me an email saying I had to reset my password. The email seemed legit, but upon following the link therein something didn't seem quite right. So I used another device to visit my bank's site directly. Upon trying to log in, I got redirected to the same form I reached from the email link and had a sinking realization that my bank did indeed expect me to fill in my name, address, SSN, DOB, debit card number, and PIN just to reset my password.

I sent a strongly worded email to a handful of people at the bank asking them if they really thought it was a good idea to teach their customers that it's okay to click a link in an email claiming to be from their bank and provide that much personal information. I never got more than a canned response back, but several months later they did overhaul their password reset procedure to a more typical one.


One time I found I couldn't log in to my bank account online. Called them up.

"Oh, we changed your username as a security measure."

Oh.

Wait, username??


Typically management at financial institutions see "security reasons" as a quick way to end questioning from a customer.

Legacy software or partner integration requirements are almost always the reason for arbitrary changes within financial institutions.

Anecdotally, I've never seen a scenario myself where this wasn't referred to as a "security measure" or similar. This includes within the institution to all non-technical employees.


They had good reasons to enact security measures as I was trying to get into my account internationally and I kept forgetting the password. I understand what you're saying though.


Makes me wonder if they didn't have any other way to disable logging in to the account. Which is worrying in a whole other way.


I suspect it's the same reasons nuclear launch facilities use floppy disks -- the solution is approved, and getting a new solution approved is viewed as too expensive/infeasible.

Not saying the argument is valid, just that it may be the reason.


That and it's proven to work, has a ridiculously long usage history (for software) so the bugs are fixed or well documented, and pretty damn hard to exploit. It's not like anyone is going to plug an 8 inch floppy disk they found lying in the rural Wyoming dirt parking lot into the nuclear silo master computer to check what's on it.


Yikes! Last time I looked, the intercontinental nuclear launch codes of any major power have not yet been proved to work.

But OK, I assume they still pass whatever dry-run test procedures exist. But if it is true that they are based on floppy-disks, then I don't think sticking with them is a net win for reliability and safety.

Bits rot, especially on floppies. So if they are still using them they have created procedures for refreshing the bits from backups. By now the floppies might be little more than ceremonial objects inside the systems that really determine the launch procedure.

And those systems would have evolved informally over time and might be ever-changing, poorly understood and poorly tested.


On the other hand, when the collective idiocy better known as the Internet of Things finally comes back to bite us in the ass, we can at least be sure it won't be in the form of a nuclear winter.


I'm having a battle with HSBC in the UK at the moment and can't get past canned customer support responses either.

If there is a security issue with your card, HSBC Fraud department will send you a text, telling you to call them.

The text comes from an unknown number. The number you are told to call is not listed on their website anywhere.

At the same time they are sending letters to customers warning about how to protect from phishing attacks.

I've been trying to explain to them, that they are training their customers to accept phishing attacks, but they are having none of it.

Yes, I understand that they don't want to publicise their special number on the website - but at least put it on an unlinked page, so that if a customer visits hsbc.com and searches for the number it comes up in the results.

I really don't understand these people.


I've known banks that don't let you change the PIN on their cards - for "security" reasons. And banks with 5-digit maximum password lengths - "oh, it's strong enough, you need to use a token to get money out anyway" ... but not to login.


Many banks in Saudi Arabia have changed their standard for PIN length from 6 digits to 4 digits. I cannot comprehend why anyone would make such a decision.


Many international withdrawals only do 4 digits which means 6 digits in your home country becomes meaningless...


they should fix the underlying problem but in the meantime, they probably could just automatically truncate to 4 chars when 6 can't be used?


No, because certain combinations, e.g. 1111 are prohibited in four digit codes but wouldn't be at the start of six digit codes.


The IT community should launch a campaign against the stupidity of banks' security procedures, which discredit our jobs...


I think it's OK to have short passwords if you block access after a few wrong login attempts. The password reset form you've described is ridiculous, though.


Your anecdote describes a very bad behaviour, but the generally simple requirements banks have are a necessity of dealing with the general public. The more complex the requirements, the more customer support with tech naifs you need. And overall, it generally kind of works for them; there are some slips through the cracks, but fraud isn't rampant - bank accounts have been successfully run this way for years for the vast majority. Make it harder for people to get their money and you've created a significant friction point that will see your less tech-savvy clients almost literally flee to other banks.


The problem with this is that if there is a breach your typical bank will not take responsibility and will claim that the customer is liable.

It needs to be written into law in all jurisdictions, that if a bank has been negligent in security, then when responsibility for a breach is unclear the benefit of the doubt should be given to the customer and the breach classified as a bank robbery.


Talking about banks, when I tried changing my transaction password my bank sent me an acknowledgment letter which had to be submitted physically to the bank again with all the details filled onto the form; then you have to wait in the queue to get signatures and approval. All that being said, the worst part was that the letter took more than 2 weeks to arrive at my home and the letter had the transaction password, which you have to change again.


My bank requires a number in the password and in the username, but doesn't seem to do any validation that the two inputs contain different numbers before storing them.

I imagine a lot of customers are using the same number in each.


Pass looks great. There are still a few reasons though why I can't bring myself to switch to it from KeePass.

1. As far as I can tell, only the passwords are encrypted; not the entire database. This is a little annoying from a privacy standpoint; since it means I have to trust whatever cloud storage system I'm using with a list of every site I have an account on.

2. No decent browser autofill. Yes, there's browserpass, but as far as I can tell it requires manually searching your password database for the site you're on, which is somewhat inconvenient and doesn't help at all against phishing attacks.

3. No InputStick support. This means if I ever have to enter a password on a computer that doesn't have pass installed, I need to open my password DB on my phone and manually retype the necessary password instead of being able to just auto-type it.

4. No autotype on desktop - This isn't quite as big of a deal, since most programs will let you copy/paste passwords just fine, but as far as I can tell no pass desktop clients include support for auto-typing login credentials. For many non-web apps that require passwords that feature is extremely helpful.

If these ever get fixed, there's a decent chance I'd switch.


> 4. No autotype on desktop - This isn't quite as big of a deal, since most programs will let you copy/paste passwords just fine, but as far as I can tell no pass desktop clients include support for auto-typing login credentials. For many non-web apps that require passwords that feature is extremely helpful.

I may not understand what you mean by "autotype on desktop", but I use the dmenu password-store extension which is the executable "passmenu". It allows the command line option "--type" which is quite close I think to what you desire.


Yeah, that's basically what autotype is on KeePass; except KeePass is a bit more flexible since it lets you configure custom autotype sequences (e.g. `<username><tab><password><tab><enter>`) on a per-application basis.

This seems like a fairly decent substitute if you're on Linux. Doesn't look like it'll work on Windows or MacOS though.


rofi-pass (based on rofi, a dmenu alternative) allows for custom autotype sequences.


I use KeePassX, but I haven't figured out how to do any of these fancy things. What do you use for browser autofill, InputStick, autotype, etc?

Also how do you store your password file and sync across devices?

And what do you use on iOS? I haven't found a very convenient workflow for my phone. No phone app I've found can keep synced with a password file that's stored on Google Drive.


I'm using KeePass Professional Edition, not KeePassX. Pretty sure they both use the same database format and are both cross-platform, so you should be able to switch pretty easily if KeePassX doesn't do everything you want.

For browser autofill I'm using the KeePassHttp plugin with ChromeIPass.

For InputStick I'm using Keepass2Android with KP2A InputStick.

Autotype is a built-in feature of KeePass on desktop.

Password database is stored on Google Drive, encrypted with a 2-part file and password based key. The file-based component of the key is stored locally offline on all my devices. Changes to the database get synced automatically by Google Drive on my PCs and by Keepass2Android on my phone.

I'm not sure about iOS, unfortunately. My phone is running Android, so I haven't really looked into KeePass clients for iOS.


What is KeePass Professional Edition? When I Googled for that the best thing I could find is "Professional Edition" on this page: http://keepass.info/download.html

Is that what you mean? It looks like it's written using Mono for non-Windows platforms. I might have shied away for that reason. What platform do you use it on? I'd love to know if it works well on non-Windows platforms (OS X, Linux).


Yes, that's what I'm referring to. I mostly use it on Windows, so I can't really comment on how well it works on MacOS or Linux. My understanding though is that it's basically a straight port, so most of the same functionality should be available.

Another option you might want to look at is KeePassXC. It's a fork of KeePassX, and it has built-in (though off-by-default) support for keepasshttp.


"so I can't really comment on how well it works on MacOS or Linux."

Linux: rock solid for several years now. We have several KP databases shared by 20 odd people that contain several thousand entries. I use it on Gentoo and Arch desktops. It runs under Mono plus a few extras to do things like sending links to browsers and autotype etc.


Not OP but I do some of these things with KeePass as well.

For autofill, KeeFox works well for me on Firefox - there's probably something similar for Chrome. I think KeePass will do autotype if you right-click on an entry but it's not a feature that I really use so I'm not sure.

I store my password DB in my home folder and use syncthing to synchronize it to my other computers and my phone.

I don't know about iOS but I use KeePassDroid on Android and it works pretty well.


1. Check out [pass-tomb](https://github.com/roddhjav/pass-tomb). Unfortunately this only resolves that issue on Linux. Their website is [here](https://www.dyne.org/software/tomb/).

The others are things I've noticed as well, and do wish to see implemented.


1. In pass everything is encrypted but you have to give names to each gpg encrypted password file.

2. Right. I use rofi-pass on Linux which fills in the selected password or other login data without any clipboard action.

3. True. Never thought about this but sounds clever.

4. Same answer as in 2.

Plus I have a good password history through the git commits. Of course I push it just in my local network.

And I use more than just one password store. And inside you can decide on a per-folder basis who can decrypt the passwords and who cannot.


1. Right, that's what I meant; the file and directory names aren't encrypted, which probably reveals which sites you have an account on. Sorry for the confusion.

2. Is that really auto-fill though? Seems more like KeePass's auto-type. I meant like a browser extension that knows what site you're on and fills in the appropriate username/password combo automatically.

4. Cool, that looks like a decent solution for auto-typing. I hadn't heard of that before. Linux-only though from what I can tell, so it won't work for me in the general case.

KeePass has built-in password history too, but I do really like the idea of using git for that; that's one of the reasons why I'm interested in pass.


This article is about a novel technique that supplies dummy passwords on DOM level and intercepts network requests to replace them with actual secrets. This is not about protecting your master key, it’s about protecting the actual passwords from a variety of attacks, including script injection.

Your comment is completely off-topic.


The article is about a password manager, as the article's title implies. Novel techniques are red flags in my book. Horcrux sounds like untested wizardry that hasn't yet stood the test of time.


It is a research paper on arxiv. Of course, it hasn't yet stood the test of time.


I used pass for a while before I moved on to gopass. It's a drop-in replacement for pass with a bunch of useful features (like encrypting a password-store for multiple people, or "mounting" password stores). Hope it gets picked up and supported more, it's pretty nice.

https://github.com/justwatchcom/gopass


You might also want to consider hunter2, it's similar but with smartcards.

https://chiselapp.com/user/rkeene/repository/hunter2/


What a fantastic name.


While these systems shouldn't have these length limits, a 25-character pure alphanumeric random password already has nearly 149 bits of entropy, which might be stronger than other cryptographic primitives that are use in these systems, if you trust that there are no effective attacks against your RNG. Brute force against such a password may already not be the easiest way to attack the systems that use it.
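As an added worked example (not from the comment above, and not code from pass or any other project named in the thread), here is the calculation behind the "nearly 149 bits" figure, generalised to other alphabets and lengths, and applied to the 4- versus 6-digit PIN lengths discussed earlier in the thread. The alphabet sizes and the guessing rate passed to `years_to_exhaust` are assumptions of the example; the formula only applies to passwords generated uniformly at random, which is why the block also shows generation with `secrets` rather than `random`.

```python
import math
import secrets
import string

# Alphabet sizes assumed for the calculation (an assumption of this example;
# adjust to whatever character set a site actually permits).
ALPHABETS = {
    "digits": string.digits,                                              # 10
    "alphanumeric": string.ascii_letters + string.digits,                 # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols chosen uniformly and
    independently from `alphabet_size` symbols: length * log2(alphabet_size).
    This only holds for machine-generated passwords; a human-chosen one
    of the same length carries far less."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length that reaches `target_bits` with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 86400)


def random_password(length: int, alphabet: str) -> str:
    """Generate a password whose entropy actually matches entropy_bits():
    each symbol is drawn independently from a CSPRNG (secrets), never
    from random.random, whose state is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def summary() -> dict:
    """Figures discussed in the thread: 25 alphanumerics, a 30-character
    password with symbols, and 4- vs 6-digit PINs."""
    return {
        "25 alphanumeric": entropy_bits(25, 62),
        "30 printable": entropy_bits(30, 94),
        "4-digit PIN": entropy_bits(4, 10),
        "6-digit PIN": entropy_bits(6, 10),
        "alnum length for 128 bits": length_for_bits(128, 62),
        "digits length for 128 bits": length_for_bits(128, 10),
    }


if __name__ == "__main__":
    for label, value in summary().items():
        text = f"{value:.1f}" if isinstance(value, float) else str(value)
        print(f"{label}: {text}")
    print("example:", random_password(25, ALPHABETS["alphanumeric"]))
```

Run it directly to print the table; the 25-character alphanumeric line comes out at about 148.9 bits, while a 4-digit PIN is about 13.3 bits and a 6-digit one about 19.9, so the PIN downgrade removes roughly a hundredfold from the guess space (online rate limiting, not entropy, is what actually protects PINs).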


Oh, this looks wonderful. I've used one big gpg encrypted file for years, still better than all password managers I tried.

I'm wondering if there is a way to combine find and show with pass though. Like pass find <keyword> and show the password in one command. I realize I could probably use the grep command, but then I'd have to put the keyword into the encrypted file as well, and I'd need to decrypt all files to find it.

Edit: Gah, I was just thinking this should just be an alias, but the output of pass find can't just be fed to show either..
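One way to get the "find and show in one command" behaviour, as an added example that is not part of the comment above and not code from pass itself: search the entry names in the store (only the file names, which pass leaves in plaintext, as other comments in the thread note, so nothing is decrypted during the search) and hand the single match to `pass show`. The store layout assumed is the standard one (`$PASSWORD_STORE_DIR`, default `~/.password-store`, one `<entry>.gpg` per secret); the sample store built by `make_demo_store` is constructed for the example, with empty files in place of ciphertext.

```python
import os
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def store_dir() -> Path:
    """Location pass uses: $PASSWORD_STORE_DIR, else ~/.password-store."""
    return Path(os.environ.get("PASSWORD_STORE_DIR",
                               str(Path.home() / ".password-store")))


def search_names(store: Path, keyword: str) -> List[str]:
    """Entry names (path relative to the store, without '.gpg') containing
    keyword, case-insensitively. Only file names are inspected, so no gpg
    decryption and no agent/Yubikey prompt happens at this stage."""
    kw = keyword.lower()
    names = []
    for path in store.rglob("*.gpg"):
        if not path.is_file():
            continue
        name = path.relative_to(store).with_suffix("").as_posix()
        if kw in name.lower():
            names.append(name)
    return sorted(names)


def find_show(keyword: str, store: Optional[Path] = None) -> str:
    """Resolve keyword to exactly one entry and return its decrypted
    contents via `pass show`; refuse to guess when zero or several match,
    so a typo never silently reveals a different entry."""
    store = store or store_dir()
    matches = search_names(store, keyword)
    if not matches:
        raise LookupError(f"no entry matches {keyword!r}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous keyword {keyword!r}: " + ", ".join(matches))
    env = {**os.environ, "PASSWORD_STORE_DIR": str(store)}
    result = subprocess.run(["pass", "show", matches[0]], env=env,
                            check=True, capture_output=True, text=True)
    return result.stdout


def make_demo_store() -> Path:
    """Constructed sample store for trying the search offline: empty .gpg
    files stand in for real ciphertext (no secrets, nothing to decrypt)."""
    root = Path(tempfile.mkdtemp(prefix="demo-store-"))
    for name in ("banks/hsbc", "web/news.ycombinator.com", "web/github.com"):
        target = root / f"{name}.gpg"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return root


if __name__ == "__main__":
    import sys
    print(find_show(sys.argv[1]), end="")
```

Usage against a real store: `python pass_find_show.py hsbc` (an assumed file name) decrypts and prints exactly one entry, or exits with the list of ambiguous matches. The ambiguity check is deliberate: a loose keyword that matched several entries and showed the first would defeat the point of naming entries by site.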


Side note; I thought Yubikey was not open source. Am I mistaken?

https://www.yubico.com/2016/05/secure-hardware-vs-open-sourc...


NEO has an open source OpenPGP applet (in contrast to the 4), but if you read the link carefully they provide rather strong arguments for why it doesn't matter and closed hardware can even be more secure.


Just thought I would mention: PassFF does not work with the current version of Firefox. The current plugin does not work and is not supported. According to the author, we should wait for the WebExtensions version which will be coming... no idea... soon? I asked about 2 months ago. So pass is basically just a command line password manager unless you run Firefox Developer Edition.


You can use browserpass [1] instead, it's a web extension for Firefox and Chrome.

[1] https://github.com/dannyvankooten/browserpass


I just used PassFF this weekend on a fully patched Ubuntu LTS. It worked perfectly.


Sometimes I think there should be a list of sites that don't allow long passwords - so that people can be aware of sites that don't take passwords seriously.


Not what you are looking for, but there's http://plaintextoffenders.com/ ...


Link (slightly tricky to find): https://www.passwordstore.org/



