this post was submitted on 16 Jun 2023
22 points (100.0% liked)

Linux

157 readers
1 users here now

Everything about Linux

RULES

founded 2 years ago
MODERATORS
 

Do you have any ideas for a password safe that stores its data locally (an encrypted cloud drive is available for synchronizing), offers clients for Linux, Win and Android and has some amenities like filling in passwords in browsers?

My family needs to learn password safety, and I want to make it easy for them.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 2 years ago (1 children)

You still need synchronization, and any deterministic password manager that doesn't provide it will break eventually. Any time a site experiences a breach you'll be forced to change your password, so you need to synchronize a counter for that for each account. Also, different sites have different (and often mutually incompatible) composition and length rules (in blatant violation of NIST SP 800-63b recommendations), which need to be synchronized to ensure generated passwords actually work for the account.

[–] [email protected] 1 points 2 years ago (1 children)

True. However the need for synchronization is rather infrequent and can easily be done via sneakernet.

There is something else I would like to highlight, about the problem if a single password gets leaked: At least with PasswordMaker Pro I wouldn't only increase the counter for that one site, but rather change it (ideally to a new random number) globally, and change passwords everywhere. The way PasswordMaker Pro uses the counter is that it just gets appended to the input url before hashing. For the hash algorithms that aren't using HMAC this is equivalent to just prepending that counter to the master password, so, a bad actor could just brute-force the combination of increment and master password, and get access to all sites that used the same master password and increment.

So, yeah, that's another big downside. If one password gets leaked, you can either rely on the attacker never finding out that it's a deterministic one, or you can do the same "change every password" dance that you have to perform if your password manager's cloud service data gets leaked.

[–] [email protected] 1 points 2 years ago (1 children)

If your KeePassXC databate gets leaked and you had a secure master password (10+ Diceware words or similar), you can do nothing (it's encrypted).

[–] [email protected] 1 points 2 years ago

Yeah, PasswordMaker Pro isn't built with protection against brute-forcing, sadly. That risk could be mitigated though, by choosing an algorithm that takes a few moments to compute a single password, instead of doing so in mere nanoseconds...

I'm half tempted to write such an app myself (would be a nice upgrade after doing the PasswordMaker Pro port for Sailfish OS), but I'm also in the middle of another spare time project, so, probably not anytime soon...