
Password storage idea

Posted: Sun Dec 30, 2018 1:31 am
by ab1jx
I'm just passing this along because it seems to work for me, I've been doing it a year and a half or so and don't see any drawbacks. No, I'm not going to tell you how to arrange your socks too.

In a secure place, I use /root/pwd, I have lots of files with names like 2017-07.txt, 2018-11.txt. Each file is filled with entries like:

Code:

somesite username password date
notes, (if any)

another site

When I want to find something I go into /root/pwd and do something like
grep -i walmart *.txt
and it generally pops up. I haven't been perfectly consistent over the years, some of these passwords date back to 2006. Sometimes I have to dig a little. When I have to reset a password it goes in there too, either edited into the original file or in a new file with the current month. When I clone the SD card that's a backup of course, and I tar them up and FTP to other machines sometimes.

I have hundreds of these silly passwords, sometimes to sites I've never even bought anything from. They started out in one file, then another for some reason, but they all have a .txt extension so grep finds them. No special software at all.

Re: Password storage idea

Posted: Sun Dec 30, 2018 2:43 am
by scruss
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords. Please don't do this.

I'm not at a Raspberry Pi right now (in a rather nice hotel in Boonville, MO) but you can install KeepassX from the repos. It uses a properly encrypted password store that's also portable across all major operating systems. It's secure enough that you can keep the store on Dropbox or similar and access from any computer or smartphone.

Re: Password storage idea

Posted: Sun Dec 30, 2018 4:31 am
by klricks
scruss wrote:
Sun Dec 30, 2018 2:43 am
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords. Please don't do this.

I'm not at a Raspberry Pi right now (in a rather nice hotel in Boonville, MO) but you can install KeepassX from the repos. It uses a properly encrypted password store that's also portable across all major operating systems. It's secure enough that you can keep the store on Dropbox or similar and access from any computer or smartphone.
+1
I use keepass2 as well on Win10, Android phone and on RPi. I don't do cloud so I just copy the same password database file to each device.

Code:

sudo apt update
sudo apt install keepass2

Re: Password storage idea

Posted: Sun Dec 30, 2018 5:21 am
by code_exec
scruss wrote:
Sun Dec 30, 2018 2:43 am
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords. Please don't do this.
Couldn't agree more.

Re: Password storage idea

Posted: Sun Dec 30, 2018 11:46 am
by Burngate
That, and always make sure you have clean underwear, in case you have an accident.*

Or just make sure no-one can steal your computer or SD card.

*I was standing in the kitchen, then I woke up in the ambulance.
My daughter was panicking, the neighbours were panicking, the paramedics were most concerned about my condition, but I felt fine.
What most worried me was I hadn't changed my knickers - what would they think at the hospital if they had to strip me?

Re: Password storage idea

Posted: Sun Dec 30, 2018 12:14 pm
by andrum99
It's really not a good idea to store all of your passwords in plain text in the same place. I use LastPass, but that's because my primary OS is Windows - not sure if it runs on Linux x86/x64. I also use the LastPass phone app on my Android phone. LastPass almost certainly wouldn't work on the Pi, so that's probably not much help to you.

Re: Password storage idea

Posted: Sun Dec 30, 2018 3:17 pm
by ElEscalador
Keepass fo sho

Re: Password storage idea

Posted: Sun Dec 30, 2018 3:48 pm
by code_exec
andrum99 wrote:
Sun Dec 30, 2018 12:14 pm
It's really not a good idea to store all of your passwords in plain text in the same place. I use LastPass, but that's because my primary OS is Windows - not sure if it runs on Linux x86/x64. I also use the LastPass phone app on my Android phone. LastPass almost certainly wouldn't work on the Pi, so that's probably not much help to you.
Isn't LastPass a Chrome/Chromium extension?

https://chrome.google.com/webstore/deta ... egeplioahd

Re: Password storage idea

Posted: Mon Dec 31, 2018 10:01 am
by Burngate
scruss wrote:
Sun Dec 30, 2018 2:43 am
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords.
So who has physical access to my computer? No-one.
Who's going to be able to take my SD card? No-one.

So why is it a bad idea?

And, let's say, you use one of these encrypted password databases, and someone steals your laptop - how is that safer?

Re: Password storage idea

Posted: Mon Dec 31, 2018 12:55 pm
by n67
There is a large gap between things that are actually good ideas - that work just fine in practice, as long as you're discreet about it - and things that you can publicly recommend to newbies.

This forum deals exclusively in the latter.

Edit: Realized I'd misspelled a word. Check out:

https://en.oxforddictionaries.com/usage ... r-discrete

Re: Password storage idea

Posted: Mon Dec 31, 2018 1:35 pm
by klricks
Burngate wrote:
Mon Dec 31, 2018 10:01 am
....
And, let's say, you use one of these encrypted password databases, and someone steals your laptop - how is that safer?
The database is protected by a master password which must be typed into the app before the database can be accessed. So the database is secure.... (unless the user has saved the master password in some plain text form on the laptop).

Re: Password storage idea

Posted: Mon Dec 31, 2018 5:45 pm
by Burngate
So it's a bit like the guy who didn't want his house burgled - so he kept his house keys in a safe, the key to which he kept in his garage, with the key to that in the car. Someone stole his car.

Actually, I keep my passwords on a sheet of A4 paper - it's difficult to encrypt, but then my handwriting is all but illegible, so I'm quite safe. Ish.

Re: Password storage idea

Posted: Mon Dec 31, 2018 6:29 pm
by rpdom
Burngate wrote:
Mon Dec 31, 2018 5:45 pm
Actually, I keep my passwords on a sheet of A4 paper - it's difficult to encrypt, but then my handwriting is all but illegible, so I'm quite safe. Ish.
I keep some of mine in a notebook, but I don't write down the details in plain text, I use my own encryption scheme.

Re: Password storage idea

Posted: Mon Dec 31, 2018 9:20 pm
by scruss
Burngate wrote:
Mon Dec 31, 2018 10:01 am
So who has physical access to my computer? No-one.
Who's going to be able to take my SD card? No-one.

So why is it a bad idea?
No-one that you know of, in both cases. Unencrypted data have the habit of turning up in the darnedest places. Encrypted data do too, but since it just looks like noise, no search/indexing system will flag it as interesting.
And, let's say, you use one of these encrypted password databases, and someone steals your laptop - how is that safer?
If you feel confident that you can crack the Advanced Encryption Standard (AES) algorithm, along with the other raft of security features that KeePass includes, then it's not secure at all.
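
Added example, not part of scruss's post: a small Python check of the point above that a raw search over a copied card turns up plaintext entries but nothing in encrypted data. The sample entries are constructed in the layout the first post describes, and random bytes stand in for the encrypted body of a password database (an assumption; no real KeePass file is read).

```python
import math
import os
import re
from collections import Counter

# Constructed sample in the "site username password date / notes" layout.
PLAINTEXT = (
    b"walmart alice example-pass-1 2018-11-03\n"
    b"notes: reset after lockout\n\n"
    b"examplebank alice example-pass-2 2018-11-20\n"
) * 40

# Assumption: random bytes stand in for an encrypted database body.
CIPHERTEXT_STANDIN = os.urandom(len(PLAINTEXT))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def printable_runs(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, i.e. what `strings` would pull from raw bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan(blob: bytes, keyword: str):
    """Return (entropy, matching lines) for a case-insensitive keyword search."""
    needle = keyword.lower().encode()
    hits = [run for run in printable_runs(blob) if needle in run.lower()]
    return shannon_entropy(blob), hits


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT), ("encrypted", CIPHERTEXT_STANDIN)):
        entropy, hits = scan(blob, "walmart")
        print(f"{label}: {entropy:.2f} bits/byte, {len(hits)} hits for 'walmart'")
```

A real KeePass file still begins with a recognisable header, so the file itself can be identified as a password database even though its entries cannot be searched.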

Re: Password storage idea

Posted: Tue Jan 01, 2019 1:45 am
by andrum99
code_exec wrote:
Sun Dec 30, 2018 3:48 pm
andrum99 wrote:
Sun Dec 30, 2018 12:14 pm
It's really not a good idea to store all of your passwords in plain text in the same place. I use LastPass, but that's because my primary OS is Windows - not sure if it runs on Linux x86/x64. I also use the LastPass phone app on my Android phone. LastPass almost certainly wouldn't work on the Pi, so that's probably not much help to you.
Isn't LastPass a Chrome/Chromium extension?

https://chrome.google.com/webstore/deta ... egeplioahd
It is, but I assumed Chrome extensions were platform-specific. Do Chrome extensions work on any platform?

Re: Password storage idea

Posted: Tue Jan 01, 2019 9:17 am
by mikerr
Yes, Chrome extensions work on any Chrome browser, on any OS or platform, ARM or x86, same for Firefox.

I use LastPass and it works fine on the Pi via Chrome extension

Re: Password storage idea

Posted: Tue Jan 01, 2019 11:36 am
by Burngate
scruss wrote:
Mon Dec 31, 2018 9:20 pm
If you feel confident that you can crack the Advanced Encryption Standard (AES) algorithm, along with the other raft of security features that KeePass includes, then it's not secure at all.
From that page:
One master password decrypts the complete database.
Alternatively you can use key files. Key files provide better security than master passwords in most cases. You only have to carry the key file with you, for example on a floppy disk, USB stick, or you can burn it onto a CD. Of course, you shouldn't lose this disk then.
For even more security you can combine the above two methods: the database then requires the key file and the password in order to be unlocked. Even if you lose your key file, the database would remain secure.
Additionally, you can lock the database to the current Windows user account. The database can then only be opened by the same person who created it.
So the bad guy just needs your master password and/or key file.

We went on holiday, having double-locked all the doors, etc., as you do. We got back to find they'd got in by breaking a window. (actually they meant to burgle a different house, down the road - they just got the wrong address)

I was just about to put my card in the ATM when a big guy in kevlar stab-vest elbowed me out of the way. He then proceeded to carefully remove a remarkably well-made spy camera, attached to the top of the ATM and focussed on the key-pad. I consider myself lucky, that time.

I think my main point is that security is only as strong as the weakest link, and there's no point in making all the rest of it military grade - the bad guys aren't going to be looking at how well you've done with the bits you've thought about; they'll be looking for whatever you've missed.