by bluedonuts 3381 days ago
Long time unhappy user of Lastpass here. Would really like to hear what alternatives people are using that have at least the following features:

1. Mac/Windows/Linux support
2. Ability to control accounts from an admin account: PW/2FA reset, export/wipe of accounts, etc.
3. Reasonably secure
4. Not too terrible to use for engineers and non-techies alike.


I can't help you with #4, but I've been a pass user for a long time: https://www.passwordstore.org/

It encrypts your passwords with your GPG key and stores them in a git repository. You can of course easily extend this to do a lot of different things.

I also wrote this tool for automating password rotation:

https://github.com/SirCMpwn/pass-rotate

It's easy when you're the only user. Pretty tricky when you want to share entries among different groups of users.
My password manager, hunter2 ( https://chiselapp.com/user/rkeene/repository/hunter2/ ), supports multiple users. Each user is identified by their public key and the DB is a plain text file that can be easily managed in your version control system.
I haven't used this (pass works fine for my use case), but Gopass was on HN a bit ago:

https://www.justwatch.com/blog/post/announcing-gopass/

One of the claimed features is "multiple stores: Combine several work teams and your private store!"

Keyringer is a software that does exactly what I think you need, in a similar way than the parent's suggestion (gpg over git):

Keyringer: encrypted and distributed secret sharing software https://keyringer.pw/

Isn't sharing passwords a bad thing to do in general? Each user should have a separate account/identity and manage his own secrets.
There are endless online services which only allow one user per logical account. In fact I would say the majority of them do it.
So why not create multiple accounts? ToS usually advises against sharing credentials.
Because sometimes you're trying to manage a single resource.

eg I know some phone/sms services that only let one account manage a phone number or something.

Also, sometimes account licences are absurdly expensive.

There's some services that even though we have (say) 50 licenced users, they also want us to have licences for each admin. We're not spending $50k/year just so we can each login once or twice a year to fix/configure something for someone.

But then there's netflix (and probably the same problem of multiple users/one credential for hulu, hbo go, whatever else).
It's probably an afternoon project to get that functionality. Since it's just a git repo, that much is easily shared. GPG supports encrypting messages for multiple recipients. Since pass is simple and open source, it should be quite easy to add what you need. Send your patches upstream; I'm sure that others would find them useful too!
Although I haven't tried it myself, it looks like pass already supports this using the PASSWORD_STORE_KEY variable in the set_gpg_recipients() function. [0]

[0] https://git.zx2c4.com/password-store/plain/src/password-stor...

Or just put key IDs in a .gpg-id file:

Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids. This command must be run first before a password store can be used. If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id. Note that use of gpg-agent(1) is recommended so that the batch decryption does not require as much user intervention. If --path or -p is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store. If only one gpg-id is given, and it is an empty string, then the current .gpg-id file for the specified sub-folder (or root if unspecified) is removed.

-- https://git.zx2c4.com/password-store/about/

EDIT: Better formatting
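To make the recipient selection described above concrete, here is an added illustration (not pass's own code) of how pass decides which key IDs an entry is encrypted to: PASSWORD_STORE_KEY, if set, overrides everything; otherwise the nearest .gpg-id file, walking up from the entry's folder to the store root, supplies the list, and every ID becomes one `--recipient` argument to gpg. The store layout and key IDs below are constructed placeholders.

```python
"""Resolve GPG recipients the way pass's set_gpg_recipients() does.

Added example, not code from password-store. It mirrors the documented
behaviour of `pass init [-p subfolder] gpg-id...`: a .gpg-id file in a
sub-folder overrides the root one for everything beneath it, and the
PASSWORD_STORE_KEY environment variable overrides both. The demo store
layout and the *_KEYID_PLACEHOLDER values are constructed, not real keys.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional


def gpg_recipients(store: Path, entry: str, env: Optional[dict] = None) -> List[str]:
    """Return the key IDs the entry at relative path `entry` would be encrypted to."""
    env = os.environ if env is None else env
    override = env.get("PASSWORD_STORE_KEY", "").strip()
    if override:
        # pass treats PASSWORD_STORE_KEY as a whitespace-separated list of IDs
        return override.split()

    store = store.resolve()
    current = (store / entry).parent.resolve()
    while True:
        gpg_id_file = current / ".gpg-id"
        if gpg_id_file.is_file():
            # one key ID per line; blank lines are ignored
            return [ln.strip() for ln in gpg_id_file.read_text().splitlines() if ln.strip()]
        if current == store or current == current.parent:
            raise FileNotFoundError("no .gpg-id found: run `pass init <gpg-id>` first")
        current = current.parent


def gpg_encrypt_argv(recipients: List[str], output: str) -> List[str]:
    """Build the gpg command line: one --recipient per ID, so each key can decrypt the file."""
    argv = ["gpg", "--encrypt", "--batch", "--yes", "--quiet", "--output", output]
    for key_id in recipients:
        argv += ["--recipient", key_id]
    return argv


def build_demo_store() -> Path:
    """Constructed layout: root shared by alice+bob, an 'ops' sub-folder that adds carol."""
    root = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (root / ".gpg-id").write_text("ALICE_KEYID_PLACEHOLDER\nBOB_KEYID_PLACEHOLDER\n")
    ops = root / "ops"
    (ops / "db").mkdir(parents=True)
    (ops / ".gpg-id").write_text(
        "ALICE_KEYID_PLACEHOLDER\nBOB_KEYID_PLACEHOLDER\nCAROL_KEYID_PLACEHOLDER\n"
    )
    return root


if __name__ == "__main__":
    store = build_demo_store()
    for entry in ("personal/email.gpg", "ops/db/postgres.gpg"):
        ids = gpg_recipients(store, entry, env={})
        print(entry, "->", ids)
        print("  ", " ".join(gpg_encrypt_argv(ids, entry)))
```

The practical consequence for the sharing question in this thread: a team folder gets its own .gpg-id listing everyone who should read it, while entries outside that folder stay encrypted only to the root list. Removing someone means editing the file and re-encrypting (which `pass init` does for you), since files already encrypted to their key stay readable by them until they are rewritten.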

I use it to share passwords with one other person via a suitably restricted git repo, works perfectly fine.

Edit: See sister comment by runejuhl.

KeePass recently got an Argon2 KDF and ChaCha20 as a cipher. I highly recommend it, good mobile apps, pretty simple UI, control over your own DB, sync it with your favourite tool, I use SyncThing as its Android support is excellent.
I would suggest KeePassXC, which, in my opinion, looks better since it uses Qt rather than Mono and so has a more native feel.

https://keepassxc.org/

See also KeeWeb[0].

Also multiplatform, like KeePassXC, but built on Electron. Even though it is built on JavaScript, it has 0 dependencies[1].

And the author responds well on external feedback/contributions[2].

It does support KDBX4[3].

[0]: https://keeweb.info/

[1]: https://github.com/keeweb/keeweb/blob/c651343f80f4f3d41c7d64...

[2]: https://github.com/keeweb/keeweb/issues/104

[3]: https://github.com/keeweb/keeweb/issues/326

> 0 dependencies

If bundling your devDependencies at compile time counts as "0 dependencies", nothing has any dependencies. In this case, the whole thing's built on electron - all of chrome's rendering engine is quite the dependency. The uncompressed Windows version is 137 MB on disk. Fatter than most any app should be.

I would not suggest this, as KeePassXC does not support the new KDBX4 format with the upgraded cryptography - only the old KeePass format, which relies on a custom AES-based key derivation function that I cannot in good faith recommend.

Once it's implemented I may reconsider, but for now at least, I'd shy away from it.

https://github.com/keepassxreboot/keepassxc/issues/148

Thanks for the info!

Edit: Looks like it's close

https://github.com/keepassx/keepassx/pull/200#issuecomment-2...

For OSX I have been using this native app MacPass - http://mstarke.github.io/MacPass. Actively developed from what I see on Github.
Which mobile app do you use with KeePass? I use MiniKeePass and am pretty happy with it.
I'm not the user you replied to, but that app looks like the only good app, at least for iOS.
I use the open source Keepass2Android, which supports the new crypto and has just about every utility I could want.

https://keepass2android.codeplex.com/

It's a good app but as far as I remember the integration with Dropbox wasn't working properly. I think that's the main issue with KeePass right now - getting your passwords synchronized with your phone.
SyncThing solves this quite nicely on Android at least. For iOS, I'm not sure, Apple's restrictions make proper sync near impossible in the name of battery life - even while charging or on WiFi.
> Argon2 KDF and ChaCha20 as a cipher

Are these a huge improvement from what was offered previously?

Before they were using a custom AES-based key derivation function which had not been strongly peer reviewed so Argon2 is a big improvement there in my book.

ChaCha20 over the existing AES-CBC... not as much. I feel more comfortable in that it's harder to screw up the implementation of it, but that's about it. CBC mode especially can have unexpected side effects unless used very carefully; ChaCha20 or any other strong stream cipher, even AES in CTR mode, is somewhat easier to understand the side effects of.

So overall, not concretely in terms of known vulnerabilities, but in terms of predicted risks, I'd say certainly. Before this change I was erring on the side of known algorithms, with solutions like LastPass at least using standardized PBKDF2. With this change, KeePass went from behind or middle of the pack, cryptographically compared to the competition, to the frontrunner.

Not sure about point 2, but 1Password seems to fit all the others. Really like it, personally.
1Password, along with seemingly every other mobile password manager, slips up from time to time. Turnaround time once something is disclosed is my main concern.

https://team-sik.org/trent_portfolio/password-manager-apps/

1Password didn't support Linux last time I checked. There are 3rd party libraries, but most of them don't support the newer keychain format. I still use it and just look up the password on my phone when I'm on a Linux system.
1password has their opvault format spec on the website and https://github.com/OblivionCloudControl/opvault can decrypt. Admittedly the UX is lacking.
I've tried that library, actually. Last time I used it, it couldn't find some passwords in the vault, including (crucially) the one I use for SSO at work. It's totally possible I was just using it wrong – it would be nice if the repository had a demo command line tool or something.
I believe 1Password only supports Windows and OS X on the desktop.
I imagine #2 works if you buy the enterprise options?
Flat text file on an encrypted volume. I use cat or vi for editing, and grep for reading. If it's ultrasensitive, I keep it on a non-networked device and type it in. Otherwise, normally, I grep and copy/paste from terminal to password field.

I do security for a living. This technique is mocked by other so-called experts, but who's laughing today? I fully understand the security model I'm using. Lastpass users--and developers--clearly did not. Other password manager users should stifle the urge to laugh if they haven't fully reviewed their entire stack.

Also, I do not keep the encrypted volume in the cloud. It's only on my trusted device. If it's important enough to secure the password, it's important enough to bring the device.

Further, I've used variations of the same password for the past two decades for >90% of my accounts, e.g., the ones where my threat model is "do not give a fuck." When I sign up, I mentally consider whether I give a fuck the account is compromised. If I do, new random password for the list. If I don't, use the 20-year-old password.

I like this approach, but I would also like to have the passwords on my phone and sync between desktop and phone. Any advice on how to do that using your approach?
It's not really friendly to mobile sync, so if you're heavily into that, it's not a full solution. I'm sure you can find a way to securely push the file to the phone as an exercise to the reader, but it would probably involve some philosophical security compromises or creativity.
If it's really ultrasensitive, it's 12+ character random ASCII string committed to muscle memory only. No horse battery stapling bullshit.
Please don't give security advice unless you know what you are talking about. It just spreads misinformation.
Please elucidate.

Misinformation like, "Always use a reputable cloud password manager, like LastPass?" Along with a trusty antivirus, am I right?

To be further contrarian, if the common man is going to use a password manager, use Chrome's built-in auto-fill, without antivirus or other 3rd-party bolt-ons, be they LastPass, KeePass, 1Password etc. You know who Tavis works for, right? Chrome's application security is best of breed, and its password manager does what it's designed for, at least.

I was responding to your nonsense advice that 12+ character random ASCII is somehow better or more secure than a "correct horse battery staple" or diceware-style password. They have identical security properties, given appropriate choice of N.

If you are going to memorize passwords, feel free to memorize ASCII gibberish if that's what you are into. Or memorize random phrases, since many (most?) humans find those easier to remember.

A 6-word diceware passphrase has more entropy than 12 characters of ASCII and is easier to memorize. In what way is that bullshit?
Nope.

94^12 ~= 4.76e23 > 7776^6 ~= 2.21e23.

And typing 12 characters from muscle memory is faster than learning and typing "limbdumaslaterjuramondohalf", which is what diceware^6 just gave me.

The supposed mnemonic value of diceware is illusory. If it convinces people to use stronger passwords and it works for you, great.
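The entropy argument in the exchange above can be checked rather than argued. The following is an added example (not from any commenter) that computes the bits for both schemes from alphabet size and length, finds how many diceware words it takes to match a given ASCII length, and generates both kinds of password with a CSPRNG. The word list used for generation is a constructed stand-in for the real 7776-entry diceware list; since entropy depends only on the list size, the numbers are unaffected.

```python
"""Random-ASCII password versus diceware passphrase: entropy and generation.

Added example, not from the thread. Assumes 94 printable ASCII symbols
(digits, letters, punctuation; no space) and the standard diceware list
size of 6**5 = 7776 words. DEMO_WORDLIST is a constructed placeholder so
the script runs offline; a real list would be loaded from disk.
"""
import math
import secrets
import string

PRINTABLE_ASCII = string.digits + string.ascii_letters + string.punctuation  # 94 symbols
DICEWARE_LIST_SIZE = 6 ** 5  # five dice rolls select one of 7776 words
# constructed stand-in words; only the count matters for entropy
DEMO_WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_LIST_SIZE)]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_to_match(bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of diceware words whose passphrase has at least `bits` of entropy."""
    return math.ceil(bits / math.log2(list_size))


def random_ascii_password(length: int) -> str:
    """Uniformly random printable-ASCII password using the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(PRINTABLE_ASCII) for _ in range(length))


def diceware_passphrase(n_words: int, wordlist=DEMO_WORDLIST, sep: str = "") -> str:
    """Uniformly random passphrase of `n_words` words drawn with replacement."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(ascii_len: int, n_words: int) -> dict:
    """Side-by-side figures for the two schemes plus the word count needed to match."""
    ascii_bits = entropy_bits(len(PRINTABLE_ASCII), ascii_len)
    dice_bits = entropy_bits(DICEWARE_LIST_SIZE, n_words)
    return {
        "ascii_bits": round(ascii_bits, 2),
        "diceware_bits": round(dice_bits, 2),
        "ascii_stronger": ascii_bits > dice_bits,
        "words_to_match_ascii": words_to_match(ascii_bits),
    }


if __name__ == "__main__":
    print(compare(12, 6))
    print(random_ascii_password(12))
    print(diceware_passphrase(7, sep="-"))
```

For the numbers in this thread, 12 printable-ASCII characters give about 78.7 bits and six diceware words about 77.5 bits, so the commenter's "extra bit" is literally about one bit, and seven words are needed to meet or beat the 12-character string. Both generators draw from `secrets`, because the entropy figures only hold if every character or word is chosen uniformly and unpredictably.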

You're right, I misremembered the number of rolls for diceware. I guess your passwords have an extra bit over mine. How many 12+ character passwords are you able to memorize? How long does it take you to learn a new/changed one?
> How many 12+ character passwords are you able to memorize?

As I need to enter on a regular basis. In practice, no more than half a dozen. Usually I have 3 or 4 in use. Might be work, personal, and a couple for crypto.

> How long does it take you to learn a new/changed one?

Depending on the length, 5-10 minutes of continuous training to be confident if it's one I'm going to put into immediate use.

The point is to go straight to pure muscle memory without using a mnemonic crutch. Ultimately for a password that you're typing on a multiple-times daily basis, you're going to be relying on muscle memory anyway. If you're trying to remember what came after the correct horse battery, or if the correct came first or last, you've already lost. "limbdumaslaterjuramondo" gets me no closer to login if my password is "limbdumaslaterjuramondohalf" if I've forgotten nonsensical "half" than "+D%W}B_]7|~y" gets me to login if my password is "+D%W}B_]7|~yd" and I've forgotten "d".

You're going to be typing the password with your fingers, so learn the password by typing it with your fingers until it's automatic, not by conjuring a sequence of unconnected mental images. It actually saves time.