nick
/
blog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update(article): Language improvements to Exploring Password Managers

Browse Source
master
Nick Zana 2 years ago
parent c1f1ef2527
commit d66b521199
No known key found for this signature in database
GPG Key ID: 936524EE913D6538
1 changed files with 32 additions and 34 deletions
Show Stats Download Patch File Download Diff File

66
content/blog/2022-02-27-exploring-password-management/index.md
Unescape Escape View File

@ -10,9 +10,9 @@ complicated management schemes like password managers and a fair bit of
diligence. At the same time, passwords are used so frequently that it's most
practical to have access to all of your passwords on every device.
On the other hand, password breaches are so commonplace that just about anyone
who's used the internet in the past 20 years has probably had one compromised.
While efforts to supplement and displace passwords as the standard form of
Further, password breaches are so commonplace that just about anyone who's used
the internet in the past 20 years has probably had one compromised. While
efforts to supplement and displace passwords as the standard form of
authentication are slowly gaining traction, it's inevitable that passwords are
going to remain a core part of digital security for the foreseeable future.
@ -25,12 +25,11 @@ In this post, I'll be talking about the password managers I've used and
recommend. Then, I'll outline the properties a good password manager should
have. Finally, I'll introduce a project I've been working on related to this.
As a small disclaimer, I'm not a cryptographer. My formal training essentially
As a small disclaimer, I'm not a cryptographer. My "formal" training essentially
boils down to a few first-year intro to CS classes in I took this year in
college. However, I have spent the last few years of my life researching
privacy and digital security. So, while I'll be talking a lot about different
password managers, remember that the best password manager for you is the one
that you fully understand.
college. So, while I'll be talking a lot about different password managers,
remember that the best password manager for you is the one that you fully
understand.
## You Should Just Use a Password Manager
@ -50,11 +49,11 @@ reliable cryptography.
If you're more the self-hosting type, the [official Bitwarden
server](https://github.com/bitwarden/server) is fully Open Source and available
as a Docker image. The popular and lightweight
[vaultwarden](https://github.com/dani-garcia/vaultwarden) is an alternative
server implementation (written in Rust!) that's compatible with the regular
Bitwarden client applications, making deployment for individuals, families, and
small teams really easy.
as a Docker image. Alternatively, the popular and lightweight
[vaultwarden](https://github.com/dani-garcia/vaultwarden) is a Bitwarden server
implementation (written in Rust!) that's compatible with the regular Bitwarden
client applications, making deployment for individuals, families, and small
teams really easy.
Don't like the cloud? [KeePassXC](https://keepassxc.org/) is a Free Software
application that provides a local password database with various additional
@ -81,10 +80,9 @@ password manager. At this point, I switched to KeePassXC. It works very well,
and is probably the most sensible solution for most QubesOS users or those who
otherwise prefer an entirely local solution.
I stuck with KeePassXC for the entire time that I used QubesOS... until today.
In an effort to eliminate as many GUI applications as possible from my machine,
I've been occasionally thinking about other offline options that worked from the
terminal.
Recently, in an effort to eliminate as many GUI applications as possible from my
machine, I've been occasionally thinking about other offline password manager
options that worked from the terminal.
It wasn't until I happened to read a few blog posts by [Filippo
Valsorda](https://filippo.io/) that the idea for a real alternative began to
@ -108,8 +106,8 @@ manager"](https://www.passwordstore.org/). `pass` is actually a very clever
script run through the command line that stores passwords at `~/.password-store`
as a tree of normal directories and files.
For example, from the [`pass`](https://www.passwordstore.org/) website, it could
look something like this:
For example, from the [`pass`](https://www.passwordstore.org/) website, the
directory could look something like this:
```
Password Store
@ -125,12 +123,12 @@ Password Store
└── mobilephone
```
Each of those files contains [`gpg`](https://www.gnupg.org/)-encrypted password
for the website. They're accessed by using the `pass` command to decrypt the
files with a `gpg` private key. However, I strongly dislike the idea of relying
on `gpg` to protect my passwords. While I do have a PGP key, I avoid using it
whenever there's a more suitable alternative available. [Many cryptographers
have written about the issues with
Each of those files contains a [`gpg`](https://www.gnupg.org/)-encrypted
password for the website. They're accessed by using the `pass` command to
decrypt the files with a `gpg` private key. However, I strongly dislike the idea
of relying on `gpg` to protect my passwords. While I do have a PGP key, I avoid
using it whenever there's a more suitable alternative available. [Many
cryptographers have written about the issues with
PGP](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html), but the
biggest concern for me is the number of foot-guns with the PGP protocol and
`gpg` tool. Even in a standard configuration like `pass`, where I'm offloading
@ -145,10 +143,10 @@ opinion, the perfect encryption tool to be used with `pass`.
### Confidentiality
The most obviously-essential property of a password manager is to make sure that
nobody else can read your passwords. There are several types of adversary your
password manager needs to protect against, but it primarily boils down to
protecting your passwords even if someone gains access to your encrypted
The most obviously-essential property of a password manager is to make sure
that nobody can read its contents without the keys. There are several types of
adversary a password manager needs to protect against, but it primarily boils
down to protecting its passwords even if someone gains access to your encrypted
password database.
You should be able to post your encrypted database on your blog or send it to
@ -191,11 +189,11 @@ into an innocuous pop-up you didn't notice, to completely compromise yourself.
### Resiliency
You aren't the only one who needs access to your accounts. Should something
happen to you, or some other unforeseen situation comes up, there needs to be a
"break glass in case of emergency" -- without compromising on the password
manager's fundamental security properties. With password managers, this often
comes in the form of some adaptation of "Emergency Access." Essentially, the
idea is to provide a trusted party or parties with enough information to,
happen to you, or some other unforeseen situation come up, there needs to be a
"break glass in case of emergency" option -- without compromising on the
password manager's fundamental security properties. With password managers, this
often comes in the form of some adaptation of "Emergency Access." Essentially,
the idea is to provide a trusted party or parties with enough information to,
individually or collectively, gain access to some or all of your encrypted data.
Bitwarden has the concept of "Trusted Emergency Contacts" in their ["Emergency

Write Preview
Loading…
Cancel
Save