December 26, 2015

Secure cross-platform password management

Secure cross-platform password management is required not only because we have multiple devices but also to lock down accounts with unique passwords: if one service gets hacked, reusing the same password elsewhere would compromise your other accounts as well.

Password Generation

If you are writing down passwords, using the same password for multiple accounts or creating passwords from names and birth dates, then don’t whine when your accounts get hacked.

[Image: XKCD comic “Password Strength”]

To add to the security, once a year, I have an Internet Spring Cleaning and go through all my accounts and change the passwords or delete accounts I no longer use.

I use Diceware to generate passwords via a Python script.
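An added example (not the author’s script) of the Diceware method in Python: parse a word list in the Diceware file format (dice key, tab, word), verify the list is complete so every roll maps to exactly one word, roll the dice with the OS CSPRNG and report the resulting entropy. The six-word list is constructed for the demo; a real Diceware list has 7776 words keyed 11111..66666 (five dice), and the same code handles it.

```python
import math
import secrets

# Constructed six-entry list in the Diceware file format ("<dice key><tab><word>").
# A real list has 7776 entries keyed 11111..66666; this one uses a single die.
SAMPLE_LIST = """\
1\tcorrect
2\thorse
3\tbattery
4\tstaple
5\tdice
6\tware
"""


def parse_diceware(text):
    """Parse a Diceware list into {dice_key: word} and check it is complete:
    with k-digit keys there must be exactly 6**k distinct entries, otherwise
    some rolls would miss or the word choice would be biased."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if set(key) - set("123456") or key in table:
            raise ValueError(f"bad or duplicate dice key: {line!r}")
        table[key] = word.strip()
    if not table:
        raise ValueError("empty word list")
    dice = len(next(iter(table)))
    if any(len(k) != dice for k in table) or len(table) != 6 ** dice:
        raise ValueError(f"word list is not a complete {dice}-dice list")
    return table


def roll(dice):
    """Simulate `dice` fair dice using the OS CSPRNG (never the random module)."""
    return "".join(secrets.choice("123456") for _ in range(dice))


def generate_passphrase(table, n_words, sep=" "):
    """Draw n_words words by independent dice rolls and join them."""
    dice = len(next(iter(table)))
    return sep.join(table[roll(dice)] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of an n-word passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = parse_diceware(SAMPLE_LIST)
    print(generate_passphrase(words, 4))
    print(round(entropy_bits(7776, 5), 1))  # five real Diceware words: 64.6 bits
```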

Secure Cross-platform Password Management

My Requirements

I use OS X for work, Linux at home and Android for mobile. I am a heavy command-line user, so I like a solution that I can use from the command line but also manage through a GUI.

The Solutions

There are many solutions suggested on PrivacyTools.io (Note: I highly recommend visiting), however I am going with a slightly more difficult setup than recommended. On the list I do like how Master Password is implemented and may consider switching to that solution if I didn’t have everything stored in my current solution. I also like SpiderOak’s Encryptr but would probably still generate my own passwords. I have used KeePass in the past but the cross-platform solution seemed wonky.

Update 1/11/16 – I took another look at Master Password and there are a few drawbacks. First, all you can generate is a password. You cannot store any other information such as a username. I suppose you could make a file for usernames and URLs and then use Master Password. Second, some sites have length and character restrictions which Master Password does not take into account when generating a password. Third, some sites require passwords to be changed periodically. The only way to do that is to change your passphrase, which would force you to either change all your passwords or start remembering a passphrase for each site. SpiderOak’s Encryptr looks really good and would be an easier solution than the “Nerd” solution I outline below. The only missing feature is a command-line client.

Update 1/14/19 – Still using Pass but now switching over to Bitwarden. Bitwarden is nice and can also manage 2FA. Currently I manage 2FA via Authy.

The solution for the Nerd

Pass, the standard UNIX password manager, has clients for all the major OSes, command-line autocompletion, dmenu integration and even a Firefox extension (however, I don’t use this integration feature). It uses your GnuPG key for strong encryption and can be synchronized using the Git source-management tool. I use QtPass for the GUI. There are also clients for iOS, Windows, etc.

On Android I use OpenKeychain: Easy PGP and Password Store. I exported my GPG key from my initial setup using the gpg command and imported it on Android after copying the file over via USB.

To add/edit the password data on the other machines, I export the public and private key from the initial system using gpg and import them on each machine:

# public key (--export-all is an obsolete gpg 1.x alias that exports public keys only)
gpg --armor --export me@myemail.com > me-public.asc
# private key, needed to decrypt the store on the other machine
gpg --armor --export-secret-keys me@myemail.com > me-secret.asc

For Android I copy the files over via a USB connection, import them with OpenKeychain and then remove the files.

I sync all my encrypted passwords to a private Git repo on BitBucket.org, which is free for individuals, and lock the account down with two-factor authentication using Authy.