# lightweight password manager



## trutlze (Jan 4, 2013)

Hi,

I want to store passwords securely and I want it to be independent of X, Qt and other big libraries.

One method might be an encrypted text file (one could write shell scripts that create a memory disk for editing/reading the unencrypted password file, erase the disk securely afterwards, etc.).
But I wonder if there are already any CLI applications that fit my requirements and if there is anyone having experience with such a tool.

There are for example


pass
pwman
cpm

Can you tell me something about them?


----------



## bes (Jan 4, 2013)

Take a look at sysutils/pwsafe, security/pwman, security/pwman3.


----------



## trutlze (Jan 4, 2013)

Do you think that they are well designed and working well?

As far as I can see pwman3 uses Python and SQL, so it doesn't fit the requirement of being independent from big libraries.


----------



## bes (Jan 4, 2013)

I had to use sysutils/pwsafe, I had no complaints about her and she had none about me.


----------



## DutchDaemon (Jan 4, 2013)

security/kpcli

```
$ make all-depends-list
/usr/ports/ports-mgmt/pkg
/usr/ports/lang/perl5.16
/usr/ports/security/p5-Crypt-Rijndael
/usr/ports/devel/p5-Term-ReadKey
/usr/ports/textproc/p5-Sort-Naturally
/usr/ports/security/p5-File-KeePass
/usr/ports/shells/p5-Term-ShellUI
/usr/ports/devel/p5-ReadLine-Gnu
/usr/ports/devel/p5-Clone
/usr/ports/devel/p5-Test-Manifest
/usr/ports/converters/p5-MIME-Base64
```


----------



## trutlze (Jan 5, 2013)

security/kpcli seems to be an advantage if you are using or want to use security/keepassx. It needs lang/perl5.

To me a password manager would be lightweight if it is a bourne shell script (/bin/sh()) or written in C and maybe needs security/gnupg to run ... 
pass (see above) is going in the right direction, I think. But it seems to be written mainly for Linux (it's a shells/bash script).

I'm curious about additional ideas/thoughts/experiences.


----------



## trutlze (Jan 5, 2013)

sysutils/pwsafe seems to use the base system's OpenSSL libraries, is written in C++ and has very few dependencies. But the files are from late 2005. Why isn't it developed further? Is it already the best implementation possible? Which encryption methods are used (if I remember correctly, some methods have been proven to be insecure since 2005)?


----------



## lib13 (Jan 5, 2013)

keychain works great for me: 
https://code.google.com/p/keychain/


----------



## trutlze (Jan 12, 2013)

Well, in the meantime I gave pwsafe a try and it seems to act just fine. But I'm somewhat uncertain because of not knowing if pwsafe is still state-of-the-art ...
Is there any "security professional" out there who is reading this and feeling a need to spread his/her wisdom?


----------



## jamie_none (Jan 21, 2013)

I used pwman & still do. I'm not wild about it because it likes to crash a lot (well, for me anyway), but... the files are stored in PGP-encrypted XML, so you can get at them with just plain old gpg if you really need to. Which is what I liked about it.

Just make sure to back up your passwords. I'd probably switch to something else, if I weren't so lazy.


----------



## tracphil (Jan 29, 2013)

This is what I have used on Linux before and I loved it. It's multi-user-like and the schema is somewhat extensible:

http://www.harry-b.de/dokuwiki/doku.php?id=harry:cpm

I have not tried compiling it on FreeBSD and it is not in ports.

It looks very similar to the GUI of security/pwman.


----------



## AlexJ (Feb 4, 2013)

trutlze said:

> security/kpcli seems to be an advantage if you are using or want to use security/keepassx.



IMHO you rejected it wrongly.

The http://keepass.info/ project is a very popular one and is ported to practically any platform.
It uses a single-file database encrypted by the industry-standard AES algorithm.
*DD* pointed you to one of the popular console versions, but the same encrypted database file can be used practically everywhere. I remember I used it even on my old Nokia 6260 via a Java applet.
On Windows there exist two versions of KeePass (I personally prefer 1.x since it doesn't use the monstrous .NET).
For a Unix-based desktop you already found one: security/keepassx.
For iPhone users it is "MyKeePass" from the iTunes store.
For Android-based devices it is "KeePassDroid" from Google's Play store.
The KeePass encrypted database is a well-organized tree, may contain attached files, and the GUI interfaces have a lot of useful features besides just keeping passwords.

Back to the console version security/kpcli of KeePass: it's pretty hard to find a Unix machine that doesn't have Perl installed, and it works the same everywhere on any hosting. So if you want to manage a single encrypted database, portable across platforms, I think it is the only popular project that is actively supported on all platforms.

But if you still want to keep it as simple as possible and don't care about portability, then simply create a memory file with mdconfig(), init it as geli(), format it and use it in the same way as truecrypt.

I have scripts to automate it, but they are heavily customized for our workflow, where the idea is:


```
# Init: set these before running (values are examples)
CryptoFile='/path/to/encrypted/File'
CryptoDiskSizeMB=64
KeyFile='/path/to/keyfile'
keylen=256
# back the disk image with random data, then attach it as a memory disk
dd if=/dev/random of="${CryptoFile}" bs=1M count="${CryptoDiskSizeMB}"
mdDev=$(mdconfig -a -t vnode -f "${CryptoFile}" -o reserve)
geli init -s 4096 -l "${keylen}" -K "${KeyFile}" "/dev/${mdDev}"
# the .eli provider only exists after attach, so attach before newfs
geli attach -k "${KeyFile}" "/dev/${mdDev}"
newfs -L cryptogeli -U -O2 "/dev/${mdDev}.eli"
```

And using:

```
# open encrypted disk (mdconfig prints the allocated unit, e.g. md0)
mdDev=$(mdconfig -a -t vnode -f "${CryptoFile}")
geli attach -k "${KeyFile}" "/dev/${mdDev}"
mkdir -p "/mnt/crypto/${mdDev}/secret"
mount "/dev/${mdDev}.eli" "/mnt/crypto/${mdDev}/secret"
...
# working on an encrypted disk
...
# close encrypted disk: unmount, detach geli, then destroy the md unit
umount "/mnt/crypto/${mdDev}/secret"
geli detach "/dev/${mdDev}"
mdconfig -d -u "${mdDev#md}"
```


----------



## Carpetsmoker (Feb 4, 2013)

In the KISS category, you can also encrypt files with Vim. Excerpt from *:help encryption*:



> Vim is able to write files encrypted, and read them back.  The encrypted text
> cannot be read without the right key.
> 
> [...]
> ...



Note it's important that you set *cryptmethod* to *blowfish*, the default *zip* is not secure.


----------



## oliver@ (Feb 6, 2013)

I'm also interested in a password manager utility but - a web-based one. Judging that I need access to it from places where I just have a browser, this is a must for me. There is Webkeepass but this is Java-based and I would like to avoid pulling this dependency in - something PHP-based would be nice. Does anyone know something?


----------



## AlexJ (Feb 10, 2013)

oliver@ said:

> Does anyone know something?



In datacenters where carrying a cell phone is a strong "no-no", I connect to my _https_ server, where Apache asks for authentication and on success does
`ProxyPass http://localhost:1234`
where on http://localhost:1234 is running
www/anyterm
which is basically a kind of SSH over HTTP.
When I am logged in to my server, I use security/kpcli that *DD* already pointed out.

So, you can have quadruple protection: https, HTTP authorization, PAM and finally KeePass over kpcli, and you can still use the same portable encrypted password database on any platform.

By the way, on the same server I am running www/owncloud, which allows automatic synchronization over WebDAV, so it is easy to keep the password database synchronized over different devices and platforms in the same way as over Dropbox, but keeping paranoidly sensitive data on your own server instead of relying on a "cloud" that is run somewhere by nobody.
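The layered setup described above, as an added example that is not from the original post: an Apache 2.4 virtual host that terminates HTTPS, requires HTTP authentication before anything is proxied, and forwards only authenticated requests to anyterm listening on localhost:1234. The hostname, certificate paths and password file are assumed placeholders.

```apache
# Added example: HTTPS front-end for www/anyterm. anyterm itself should
# bind only to 127.0.0.1:1234 so it is reachable solely through this proxy.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_auth_basic loaded.
Listen 443
<VirtualHost *:443>
    # placeholder hostname
    ServerName shell.example.org

    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /usr/local/etc/apache24/ssl/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/ssl/server.key

    # Never act as an open forward proxy; only the explicit ProxyPass applies.
    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/">
        # First layer: HTTP authentication is handled by Apache before any
        # request reaches anyterm. The user file is created with htpasswd(1).
        AuthType Basic
        AuthName "Terminal access"
        AuthBasicProvider file
        # placeholder path
        AuthUserFile /usr/local/etc/apache24/anyterm.htpasswd
        Require valid-user
    </Location>

    # Second layer: forward authenticated requests to anyterm on the loopback
    # interface; anyterm then hands the session to the system login (PAM).
    ProxyPass        "/" "http://localhost:1234/"
    ProxyPassReverse "/" "http://localhost:1234/"
</VirtualHost>
```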


----------



## drhowarddrfine (Feb 10, 2013)

As a lone developer, I have a card in my wallet and a piece of paper in my office desk drawer. 
Secure. Lightweight. Portable. Easy to use. Works everywhere.


----------



## AlexJ (Feb 11, 2013)

drhowarddrfine said:

> As a lone developer, I have a card in my wallet and a piece of paper in my office desk drawer.



Did you check your password against security/cracklib and the rainbow tables that are flowing around in the underground Freenet network?

I bet your passwords don't look like mine: *M-Ha9p<S2c)io{V<1JfecDVTa)_+wni7* or *A?pebjFCj=5qJhL5di6G}6SGG)%>wi$E*

By employing _KeePass_ you need to remember only one single master password to be able to use such "crazy" passwords as above, unique for each point of entrance.

If you ask anyone who investigates the hackers' successful intrusions from the "breaking news", they will tell you that most successful attacks happened not because of software weakness, but because of weak passwords.

I know for sure that 10% of "protected" systems will be opened with the password "1234" or, in "hard" cases, "12345678".
More "strong" passwords are usually first/last names combined with some digits at the end, which usually can be recovered in less than 15 seconds.

Check these funny, but sad, statistics:
http://finance.yahoo.com/blogs/the-exchange/cracking-pin-code-easy-1-2-3-4-130143629.html


----------



## Carpetsmoker (Feb 11, 2013)

AlexJ said:

> Check this funny, but sad statistics:
> http://finance.yahoo.com/blogs/the-exchange/cracking-pin-code-easy-1-2-3-4-130143629.html



It's especially striking that the least used PIN code, 8068, strikes me as quite mnemonic, it's 8086 (of Intel fame) with the last 2 digits reversed.


----------



## protocelt (Feb 11, 2013)

drhowarddrfine said:

> As a lone developer, I have a card in my wallet and a piece of paper in my office desk drawer.
> Secure. Lightweight. Portable. Easy to use. Works everywhere.



Nice to see I'm not alone in that respect!


----------



## drhowarddrfine (Feb 12, 2013)

AlexJ said:

> I bet your passwords don't look like mine:



Um. Yes they are. It's interesting that even with that strange combination of chars like yours, the five that I use the most I don't have to refer to my card at all and enter them from memory.


----------

