ab1jx
Posts: 867
Joined: Thu Sep 26, 2013 1:54 pm
Location: Heath, MA USA

Password storage idea

Sun Dec 30, 2018 1:31 am

I'm just passing this along because it seems to work for me, I've been doing it a year and a half or so and don't see any drawbacks. No, I'm not going to tell you how to arrange your socks too.

In a secure place, I use /root/pwd, I have lots of files with names like 2017-07.txt, 2018-11.txt. Each file is filled with entries like:

Code:

somesite username password date
notes, (if any)

another site

When I want to find something I go into /root/pwd and do something like
grep -i walmart *.txt
and it generally pops up. I haven't been perfectly consistent over the years, some of these passwords date back to 2006. Sometimes I have to dig a little. When I have to reset a password it goes in there too, either edited into the original file or in a new file with the current month. When I clone the SD card that's a backup of course, and I tar them up and FTP to other machines sometimes.

I have hundreds of these silly passwords, sometimes to sites I've never even bought anything from. They started out in one file, then another for some reason, but they all have a .txt extension so grep finds them. No special software at all.

scruss
Posts: 2360
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: Password storage idea

Sun Dec 30, 2018 2:43 am

So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords. Please don't do this.

I'm not at a Raspberry Pi right now (in a rather nice hotel in Boonville, MO) but you can install KeepassX from the repos. It uses a properly encrypted password store that's also portable across all major operating systems. It's secure enough that you can keep the store on Dropbox or similar and access from any computer or smartphone.
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.

klricks
Posts: 6505
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA

Re: Password storage idea

Sun Dec 30, 2018 4:31 am

scruss wrote:
Sun Dec 30, 2018 2:43 am
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords. Please don't do this.

I'm not at a Raspberry Pi right now (in a rather nice hotel in Boonville, MO) but you can install KeepassX from the repos. It uses a properly encrypted password store that's also portable across all major operating systems. It's secure enough that you can keep the store on Dropbox or similar and access from any computer or smartphone.

+1
I use keepass2 as well on Win10, Android phone and on RPi. I don't do cloud so I just copy the same password database file to each device.

Code:

sudo apt update
sudo apt install keepass2

Unless specified otherwise my response is based on the latest and fully updated Raspbian Buster w/ Desktop OS.

code_exec
Posts: 271
Joined: Sun Sep 30, 2018 12:25 pm

Re: Password storage idea

Sun Dec 30, 2018 5:21 am

scruss wrote:
Sun Dec 30, 2018 2:43 am
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords. Please don't do this.

Couldn't agree more.
Ubuntu 18.04 LTS desktop images for the Raspberry Pi 3.

https://github.com/CodeExecution/Ubuntu-ARM64-RPi

Burngate
Posts: 5938
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore

Re: Password storage idea

Sun Dec 30, 2018 11:46 am

That, and always make sure you have clean underwear, in case you have an accident.*

Or just make sure no-one can steal your computer or SD card.

*I was standing in the kitchen, then I woke up in the ambulance.
My daughter was panicking, the neighbours were panicking, the paramedics were most concerned about my condition, but I felt fine.
What most worried me was I hadn't changed my knickers - what would they think at the hospital if they had to strip me?

andrum99
Posts: 708
Joined: Fri Jul 20, 2012 2:41 pm

Re: Password storage idea

Sun Dec 30, 2018 12:14 pm

It's really not a good idea to store all of your passwords in plain text in the same place. I use LastPass, but that's because my primary OS is Windows - not sure if it runs on Linux x86/x64. I also use the LastPass phone app on my Android phone. LastPass almost certainly wouldn't work on the Pi, so that's probably not much help to you.

ElEscalador
Posts: 671
Joined: Tue Dec 15, 2015 4:55 pm
Location: Detroit, MI USA

Re: Password storage idea

Sun Dec 30, 2018 3:17 pm

Keepass fo sho
My Autonomous Robot Project and a few of my other projects below.

https://lloydbrombach.wordpress.com/

code_exec
Posts: 271
Joined: Sun Sep 30, 2018 12:25 pm

Re: Password storage idea

Sun Dec 30, 2018 3:48 pm

andrum99 wrote:
Sun Dec 30, 2018 12:14 pm
It's really not a good idea to store all of your passwords in plain text in the same place. I use LastPass, but that's because my primary OS is Windows - not sure if it runs on Linux x86/x64. I also use the LastPass phone app on my Android phone. LastPass almost certainly wouldn't work on the Pi, so that's probably not much help to you.

Isn't LastPass a Chrome/Chromium extension?

https://chrome.google.com/webstore/deta ... egeplioahd
Ubuntu 18.04 LTS desktop images for the Raspberry Pi 3.

https://github.com/CodeExecution/Ubuntu-ARM64-RPi

Burngate
Posts: 5938
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore

Re: Password storage idea

Mon Dec 31, 2018 10:01 am

scruss wrote:
Sun Dec 30, 2018 2:43 am
So you're keeping your passwords in plain text somewhere in your computer? That's a bad idea. Someone with physical access to your computer has your passwords. Someone takes the SD card and they have the passwords.

So who has physical access to my computer? No-one.
Who's going to be able to take my SD card? No-one.

So why is it a bad idea?

And, let's say, you use one of these encrypted password databases, and someone steals your laptop - how is that safer?

n67
Posts: 938
Joined: Mon Oct 30, 2017 4:55 pm

Re: Password storage idea

Mon Dec 31, 2018 12:55 pm

There is a large gap between things that are actually good ideas - that work just fine in practice, as long as you're discreet about it - and things that you can publicly recommend to newbies.

This forum deals exclusively in the latter.

Edit: Realized I'd misspelled a word. Check out:

https://en.oxforddictionaries.com/usage ... r-discrete
Last edited by n67 on Mon Dec 31, 2018 2:36 pm, edited 1 time in total.
"L'enfer, c'est les autres"

G fytc hsqr rum umpbq rm qyw rm rfc kmbq md rfgq dmpsk:

Epmu Sn!

J lnacjrw njbruh-carppnanm vxm rb mnuncrwp vh yxbcb!

klricks
Posts: 6505
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA

Re: Password storage idea

Mon Dec 31, 2018 1:35 pm

Burngate wrote:
Mon Dec 31, 2018 10:01 am
....
And, let's say, you use one of these encrypted password databases, and someone steals your laptop - how is that safer?

The database is protected by a master password which must be typed into the app before the database can be accessed. So the database is secure.... (unless the user has saved the master password in some plain text form on the laptop).
Unless specified otherwise my response is based on the latest and fully updated Raspbian Buster w/ Desktop OS.
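
Added example (not part of klricks' post and not KeePass's code or file format): a stdlib-only Python sketch of the idea in the reply above, where the store is encrypted under a key stretched from a master password, so a copied file is unreadable and ungreppable without it. The names seal, unseal and ITERATIONS, the sample entry, and the HMAC-SHA256 counter-mode keystream (standing in for a real cipher such as AES) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _keys(master: str, salt: bytes):
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a cipher such as AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext: bytes, master: str) -> bytes:
    """Return salt || nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(blob: bytes, master: str) -> bytes:
    """Verify the tag before decrypting; a wrong master password fails here."""
    if len(blob) < 64:
        raise ValueError("store is truncated")
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _keys(master, body[:16])
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or modified store")
    return _xor_stream(enc_key, body[16:32], body[32:])


# Constructed sample entry in the layout from the first post.
SAMPLE = b"walmart someuser example-password 2018-11-03\nnotes, (if any)\n"

if __name__ == "__main__":
    blob = seal(SAMPLE, "constructed master passphrase")
    print("grep-style match in plaintext:", b"walmart" in SAMPLE)
    print("grep-style match in sealed store:", b"walmart" in blob)
    print("round trip ok:", unseal(blob, "constructed master passphrase") == SAMPLE)
```

The strength of the sealed file rests entirely on the master password and the work factor, which is the caveat in the reply above about not leaving the master password in plain text on the same machine.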

Burngate
Posts: 5938
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore

Re: Password storage idea

Mon Dec 31, 2018 5:45 pm

So it's a bit like the guy who didn't want his house burgled - so he kept his house keys in a safe, the key to which he kept in his garage, with the key to that in the car. Someone stole his car.

Actually, I keep my passwords on a sheet of A4 paper - it's difficult to encrypt, but then my handwriting is all but illegible, so I'm quite safe. Ish.

rpdom
Posts: 14765
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Password storage idea

Mon Dec 31, 2018 6:29 pm

Burngate wrote:
Mon Dec 31, 2018 5:45 pm
Actually, I keep my passwords on a sheet of A4 paper - it's difficult to encrypt, but then my handwriting is all but illegible, so I'm quite safe. Ish.

I keep some of mine in a notebook, but I don't write down the details in plain text, I use my own encryption scheme.

scruss
Posts: 2360
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: Password storage idea

Mon Dec 31, 2018 9:20 pm

Burngate wrote:
Mon Dec 31, 2018 10:01 am
So who has physical access to my computer? No-one.
Who's going to be able to take my SD card? No-one.

So why is it a bad idea?

No-one that you know of, in both cases. Unencrypted data have the habit of turning up in the darnedest places. Encrypted data do too, but since it just looks like noise, no search/indexing system will flag it as interesting.

And, let's say, you use one of these encrypted password databases, and someone steals your laptop - how is that safer?

If you feel confident that you can crack the Advanced Encryption Standard (AES) algorithm, along with the other raft of security features that KeePass includes, then it's not secure at all.
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.

andrum99
Posts: 708
Joined: Fri Jul 20, 2012 2:41 pm

Re: Password storage idea

Tue Jan 01, 2019 1:45 am

code_exec wrote:
Sun Dec 30, 2018 3:48 pm
andrum99 wrote:
Sun Dec 30, 2018 12:14 pm
It's really not a good idea to store all of your passwords in plain text in the same place. I use LastPass, but that's because my primary OS is Windows - not sure if it runs on Linux x86/x64. I also use the LastPass phone app on my Android phone. LastPass almost certainly wouldn't work on the Pi, so that's probably not much help to you.
Isn't LastPass a Chrome/Chromium extension?

https://chrome.google.com/webstore/deta ... egeplioahd

It is, but I assumed Chrome extensions were platform-specific. Do Chrome extensions work on any platform?

mikerr
Posts: 2770
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK

Re: Password storage idea

Tue Jan 01, 2019 9:17 am

Yes chrome extensions work on any Chrome browser, on any OS or platform, ARM or x86, same for Firefox.

I use lastpass and it works fine on the pi via chrome extension
Android app - Raspi Card Imager - download and image SD cards - No PC required !

Burngate
Posts: 5938
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore

Re: Password storage idea

Tue Jan 01, 2019 11:36 am

scruss wrote:
Mon Dec 31, 2018 9:20 pm
If you feel confident that you can crack the Advanced Encryption Standard (AES) algorithm, along with the other raft of security features that KeePass includes, then it's not secure at all.

From that page:

One master password decrypts the complete database.
Alternatively you can use key files. Key files provide better security than master passwords in most cases. You only have to carry the key file with you, for example on a floppy disk, USB stick, or you can burn it onto a CD. Of course, you shouldn't lose this disk then.
For even more security you can combine the above two methods: the database then requires the key file and the password in order to be unlocked. Even if you lose your key file, the database would remain secure.
Additionally, you can lock the database to the current Windows user account. The database can then only be opened by the same person who created it.

So the bad guy just needs your master password and/or key file.

We went on holiday, having double-locked all the doors, etc., as you do. We got back to find they'd got in by breaking a window. (actually they meant to burgle a different house, down the road - they just got the wrong address)

I was just about to put my card in the ATM when a big guy in kevlar stab-vest elbowed me out of the way. He then proceeded to carefully remove a remarkably well-made spy camera, attached to the top of the ATM and focussed on the key-pad. I consider myself lucky, that time.

I think my main point is that security is only as strong as the weakest link, and there's no point in making all the rest of it military grade - the bad guys aren't going to be looking at how well you've done with the bits you've thought about; they'll be looking for whatever you've missed.
