[kwlug-disc] Storing loads of passwords

Johnny Ferguson hyperflexed at gmail.com
Sat Sep 4 10:21:12 EDT 2010


On 09/03/2010 09:45 PM, Paul Nijjar wrote:
>
> This message from Eric got discarded. Ironically, I don't have my
> password list handy, so I am not going to troubleshoot right now.
>
> - Paul
>
> ----- Forwarded message from kwlug-disc-bounces at kwlug.org -----
>
>
> On Fri, Sep 3, 2010 at 7:38 PM, Johnny Ferguson <hyperflexed at gmail.com> wrote:
>> Looking for a solution to easily store passwords in a secure manner. My
>> current system involves a program called gpass
>> (http://projects.netlab.jp/gpass/)
>>
>> My problem with it is that it stores all the encrypted passwords in one big
>> glob, so I have a hard time sharing passwords between more than one machine.
>> If I were to disconnect the machines and add one unique password to each
>> then reconnect them, one machine would add its new password to the other
>> machine, but the other machine would lose its new password because the
>> storage is just a big glob.
>>
>> I'd prefer something which stores passwords as single files (much like
>> tomboy notes does with notes), yet still uses only a single master password
>> to unlock access to all the passwords.
>>
>> I've thought of running this system from a usb key, but I wouldn't want to
>> be out of commission if I lost the key.
>>
>> Any advice in this area would be appreciated. I'm sure we all deal with
>> having to keep track of at least 20-30 hard-to-remember and constantly
>> changing passwords, but I'm certain there must be a better way.
>
> LastPass. Full stop.
>
> I was going to develop a solution myself involving a webservice and
> GPG... but I never got around to it because I discovered LastPass.  It
> *will* handle merging of password changes on different machines, even
> though it handles everything as one encrypted blob.  It encrypts using
> AES 256.  It will also do form filling, store notes, etc.
>
> It works best as a plugin for browsers, but it also has standalone GUI
> versions, and versions for your smartphone (if you pay $12/yr for
> LastPass Pro).  You can even do two-factor authentication with a
> YubiKey if you're really paranoid.  I haven't seen a commandline
> version... but you could probably write one if you really needed it
> (the protocol is open)
>
> If you're concerned about its security, Security Now episode 256 and
> 257 deal with it (256 is the fundamentals, and 257 is Q&A).  You can
> grab it here: http://twit.tv/sn256
>
> I haven't found a downside yet, even though I've only been using it
> for a few weeks (since Security Now #256).  I highly recommend it.  I
> may not be there Monday (out during the day, may not make it back in
> time), but if I am I can show it.
>
> Cheers,
>
> Eric
>

Checked out the website. Am I the only one that finds it strange they 
claim to require javascript to secure your authentication over HTTPS? I 
understand this is to make the service accessible with cell phones, but 
I don't really need this feature.

It does seem decent, but it has a lot of features I'm not sure I need. 
The yubikey looks cool though (hadn't seen this gadget before). I think 
for now I'll stick to running gpass on a single machine (using remote X 
sessions from my "slave" machines), until I can verify LastPass is what 
I need, or I find a simpler tool to do what I want.

I don't think it'd be too hard to make some kind of yubikey 
authenticated web-based password vault. The only thing that would be 
tricky with that is clearing the clipboard after you're done with the 
tool (something gpass does quite well). With a web-based system you get 
portability, but you have to remember to copy some arbitrary text to 
clear your password from the clipboard (which is paranoid, but it can't 
hurt).

Is LastPass open-source? I didn't see any source on their site. I just 
feel safer knowing myself and hundreds of other people can see the code 
that we're entrusting our sensitive information to.

-Johnny

>
>
> ----- End forwarded message -----
>
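As an added example (not code from this thread, nor from gpass or LastPass), here is the layout Johnny asks for: one encrypted file per password under a single master password, plus a merge that keeps both machines' new entries instead of one blob overwriting the other. The cipher construction, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
# Constructed example: one encrypted "file" per entry (here dict key -> bytes,
# on disk it would be "<name>.enc"), so two vault copies that each gained a
# different entry merge without loss. Toy cipher: HMAC-SHA256 keystream in
# counter mode, encrypt-then-MAC; a real tool would use a library AEAD (AES-GCM).
NONCE_LEN, TAG_LEN = 16, 32

def derive_keys(master, salt):
    """PBKDF2 once, split into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(keys, plaintext):
    enc_key, mac_key = keys
    nonce = os.urandom(NONCE_LEN)  # fresh per entry, so equal passwords give different files
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(keys, blob):
    enc_key, mac_key = keys
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or corrupted entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def can_open(keys, blob):
    try:
        return unseal(keys, blob) is not None
    except ValueError:
        return False

def merge(local, remote):
    """Union of per-entry files; a name changed differently on both sides is kept twice."""
    merged = dict(local)
    for name, blob in remote.items():
        if name not in merged:
            merged[name] = blob
        elif merged[name] != blob:  # unchanged copies are byte-identical, so no false conflict
            merged[name + ".conflict"] = blob
    return merged
```

Because each entry carries its own nonce and tag, a file can be copied, merged or rejected on its own, which is exactly what a single encrypted blob cannot offer.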