- what if some site has weird password requirements and the derived password doesn’t work
- what if a site gets hacked and you need to rotate one password.
If you have to store data per-site anyway because of those cases, may as well just store passwords. You can (and should) still generate extremely high entropy passwords.
- if your secret leaks and you don't know it (or you do know, but you need some time to change it), the attacker not only gets the snapshot of your password manager but also can derive all future passwords you'll generate, or past ones you long forgot about
- there's no way to know what you've entered before, since it's stateless. With data stored in a manager, I know what username I used and can associate other data. If your uniqueifying input is the domain, and let's say HN would become hn.yc or whatever and you visit it again in ten years, you'd have to remember that hn.yc accepts the password of what you entered as news.ycombinator.com
I have to admit though, hash(name+secret)=password is so simple and beautiful that it draws IT people like a fine artwork draws visitors. But for me, that doesn't outweigh the practical issues
Edit: looks like there’s a community fork now! https://github.com/agrahn/Android-Password-Store
Each password file is AES-encrypted with my master password.
I copy the whole vault around between machines with rsync.
When I run 'password bank' a shell script searches ~/private/Passwords for files that contain ‘bank’ and offers a menu, then gpg-decrypts the file I selected.
I also use this for scans of my passport, recording my bank account numbers, and anything else I want to keep around.
I thought I was the only one, and now I've found out there are thousands of us!
1. https://apps.apple.com/us/app/pass-password-store/id12058205...
Granted on the desktop I find using a (qt especially) GUI more invasive than a terminal but at least on the Android side the app is quite good.
Depending on which genre, managing key-rings has element of physical security to encrypt signatures in terminal and bash shell.
For full disk encryption, genfstab and /boot/grub/grub.cfg should contain sigs for partitions.
I had attempted to use GNU `pass' first, but sadly, it requires me to manage gnupg, which is a well known minefield of poor default options, and assumes it should be integrated into your shell by storing things in your user profile directory (instead of using the directory relative to where you call it.) This jeopardized my copy-one-file workflow, so despite its ubiquity I had to abandon it.
Or if someone newly needs access, there's no standard way of re-encrypting the files you're guessing they need. You need to hack something together yourself
It uses git, but the commit messages are autogenerated and useless. It might as well have used Dropbox for all the use you get out of it when wanting to find the version before someone corrupted data with their somehow-broken gopass client
There is no way to ever erase anything you've accidentally pushed, short of rewriting the git history and breaking it for everyone (or for personal use: other client devices)
It looks nice and simple, and I like that I can interface with it with manual tools (e.g. write my own commit messages to have some idea of wtf is going on, e.g. when mass-reencrypting to not have 300 commits), but the simplicity is also the pitfall. Feels a bit similar to using hash(site_name+main_password) as a per-site password: beautiful in simplicity but various practical issues
Does anyone have good experiences with a password manager for a corporate environment? Ideally not having yet-another service to maintain, but also not have a server compromise equal business compromise (so end-to-end encryption between the users; verifying fingerprints or some such). From what I found so far, Bitwarden seems to meet that bill but I don't know if there are also others
There is also a drop-in replacement with has some extra features and a bit better UX in some parts, personally I only really use it for the better support for handling multiple GPG keys, as I got some physical backup keys and it can be also nice teams for a shared vault.
https://github.com/tadfisher/pass-otp
The pass android app is really nice too
https://play.google.com/store/apps/details?id=dev.msfjarvis....
It also works in termux
ragnot•1h ago