Bitcoin Forum
Author Topic: passwordstore an open source password manager  (Read 175 times)
albert0bsd (OP)
October 27, 2023, 02:04:22 PM
Merited by ABCbits (2), OcTradism (1)
 #1

Note for the moderator: since there is no cyber-security board, I put this topic here because I believe that this tool can be used to back up seeds, passwords, passphrases, private keys and other secrets.



Hello everyone, I want to share with you one simple tool to store passwords securely.

https://www.passwordstore.org/

If you don’t know it, password store is an open source project written in bash that uses GPG to store passwords encrypted with your GPG private key, that means that only you will be able to decrypt them.

I like this tool because it is a command line tool; I can use it on Linux, Windows (WSL) and Android (Termux). It can be synchronized between devices with git, so that means you can have a unique password repository on all your devices. You only need to have the same GPG private key between them.

Quote
You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names and commands, as well as completion for zsh and fish available in the completion folder. The very active community has produced many impressive clients and GUIs for other platforms as well as extensions for pass itself.

So it’s a simple bash tool to organize passwords stored in individual files encrypted with GPG.

Password store has already been around for some years:
Initial release: September 4, 2012; 11 years ago
GnuPG has been around for even more years:
Initial release: 7 September 1999; 24 years ago

With those years in the market, most common bugs should already be fixed and almost all security flaws were also already caught.

I am using this tool to manage my passwords and other secrets like seeds and private keys. Maybe some of you will point to KeePass or some other private solution like 1Password, but I like this because it's originally a command line tool and I can use it on all my devices: Linux, Windows and Android.

Obviously it needs to have its precautions, like backing up the GPG private key securely and other things all depending on how paranoid you are with all those things.
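
The layout described in the post above (one GPG-encrypted file per secret, synced with git) can be checked before each push. This is an added example, not part of the original post or of the pass project; it assumes the standard pass layout (a `.gpg-id` recipients file plus `*.gpg` entries), and the function names `looks_encrypted` and `audit_store` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread or the pass project): audit a pass store
# before it is pushed to a git remote. Assumed layout: <store>/.gpg-id holds
# the recipient key(s) and every secret is a separate <name>.gpg file.

# looks_encrypted FILE: succeed if FILE starts like an OpenPGP message.
# Heuristic: every binary OpenPGP packet header has bit 7 of its first byte
# set; ASCII-armored output begins with the armor header line instead.
looks_encrypted() {
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \t\n')
    if [ -n "$first" ] && [ "$first" -ge 128 ]; then
        return 0
    fi
    header=$(dd if="$1" bs=27 count=1 2>/dev/null | tr -d '\000')
    [ "$header" = "-----BEGIN PGP MESSAGE-----" ]
}

# audit_store DIR: print one finding per line, nothing for a clean store.
audit_store() {
    store=$1
    if [ -s "$store/.gpg-id" ]; then
        # 8-hex-digit short key IDs are easy to collide; want a fingerprint.
        sed -n -E '/^(0x)?[0-9A-Fa-f]{8}$/p' "$store/.gpg-id" |
        while IFS= read -r id; do
            echo "SHORT-KEYID  .gpg-id names $id, use the full fingerprint"
        done
    else
        echo "NO-RECIPIENT $store/.gpg-id is missing or empty"
    fi
    # Every regular file outside .git is something git would sync.
    find "$store" -name .git -prune -o -type f -print |
    while IFS= read -r f; do
        case "$f" in
            */.gpg-id|*/.gitattributes) ;;   # pass and git metadata
            *.gpg)
                looks_encrypted "$f" ||
                    echo "PLAINTEXT    $f is named .gpg but is not OpenPGP data"
                ;;
            *)
                echo "STRAY-FILE   $f is not an encrypted entry"
                ;;
        esac
    done
}

# Usage: sh audit-store.sh ~/.password-store
if [ "$#" -gt 0 ]; then
    audit_store "$1"
fi
```

The first-byte test only confirms OpenPGP framing; it does not prove the file decrypts with your key, so a restore test from backup is still needed.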

digaran
October 27, 2023, 02:12:49 PM
 #2

Is there any script allowing us to generate GPG private/public key pair offline? What are the curve parameters for GPG etc?
Would this tool also store the GPG key as well? Isn't this a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?

Charles-Tim
October 27, 2023, 02:41:31 PM
 #3

My password manager has been books.

Quote
Note for the moderator: since there is no cyber-security board, I put this topic here because I believe that this tool can be used to back up seeds, passwords, passphrases, private keys and other secrets.

It is better in beginners and help. Move it to beginners and help.

Quote
Is there any script allowing us to generate GPG private/public key pair offline? What are the curve parameters for GPG etc?
Would this tool also store the GPG key as well? Isn't this a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?

PGP tools are to be used offline.

There has been a guide about it on this forum, but the images are not displaying anymore: [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint

I can use a PGP tool to generate a private key and public key, and use the public key to encrypt a message (which is the passwords), using the private key and its passphrase to decrypt the encrypted message/password anytime I want to have access to the passwords.

albert0bsd (OP)
October 27, 2023, 03:18:01 PM
 #4

Quote
It is better in beginners and help. Move it to beginners and help.

Yeah, you are right, it fits better here in Beginners & Help.

Quote
Is there any script allowing us to generate GPG private/public key pair offline? What are the curve parameters for GPG etc?
Would this tool also store the GPG key as well? Isn't this a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?

GnuPG is a cryptographic suite that allows you to work with different cryptographic schemes.


Code:
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

It can use different asymmetric cryptographic suites like RSA, ECDSA, EDDSA and others...
It can use different symmetric suites like AES256, BLOWFISH and others.

It is actually very secure, and has been common for more than 20 years in the open source community.


Zaguru12
October 27, 2023, 03:42:21 PM
 #5

Quote
Would this tool also store the GPG key as well? Isn't this a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?

If you're talking about it being compromised, then I will say it carries the same risk as the regular password managers if that happens, that is, all your passwords will be exposed. But the encryption of your key in GPG is better than regular password managers. But without proper encryption of your key with a strong passphrase, just anyone can have access to the stored passwords.

Also, the best place to store your key is offline, which is the best form of any storage.

bitmover
October 27, 2023, 03:55:04 PM
Last edit: October 27, 2023, 05:38:05 PM by bitmover
 #6

Quote
Note for the moderator: since there is no cyber-security board, I put this topic here because I believe that this tool can be used to back up seeds, passwords, passphrases, private keys and other secrets.

If it is a small amount of money, you can put your seed in a password manager or in an encrypted file.

However, I don't think you should put the seed with your life savings in a password manager.
There are just too many specifics about a bitcoin seed to put it there.

For example:
If you die, will your heirs have access to it?
Do you have a second backup in case your computer burns? Or if your house is on fire?

A bitcoin wallet may contain a lot of money, so nothing can go wrong. If you lose some passwords, you can recover most of them in some way.

albert0bsd (OP)
October 27, 2023, 04:02:23 PM
Last edit: October 27, 2023, 04:22:07 PM by albert0bsd
 #7

Quote
If you die, will your heirs have access to it?

Yes, they already had instructions to do it.

Quote
Do you have a second backup in case your computer burns? Or if your house is on fire?

I have 2 backups, one in my house and the other in my parents' house. I also memorize my 24 seed with some funny phrases.

I know that it is a difficult topic, with a lot of opinions and ideas about this. And the debate is really good :)


goxcraft
October 27, 2023, 04:53:14 PM
 #8

Quote
Yes, they already had instructions to do it.
I have 2 backups, one in my house and the other in my parents' house. I also memorize my 24 seed with some funny phrases.
I know that it is a difficult topic, with a lot of opinions and ideas about this. And the debate is really good :)

Memorizing a seed phrase can be seen as a bad idea. What if you get into an accident, or what if you get memory loss as you age? As for me, I have multiple backups of my seeds, both online and offline. Two of them are stored on my airgapped device, and two are on my personal note. I don't know if that's enough. I have seen many cases where people faced hardware failures, software bugs, and other issues that caused them to lose their funds.

I had one question, though, how are your heirs instructed? You can do one thing. You can lock your assets for a fixed amount of time. It can only be accessed after the lock period has ended. You may want to try this. Even if your heirs get their hands on private keys, they'll have to wait.
albert0bsd (OP)
October 27, 2023, 05:10:41 PM
 #9

Quote
I don't know if that's enough. I have seen many cases where people faced hardware failures, software bugs, and other issues that caused them to lose their funds.

We never know how many is enough (Murphy's law is always present); others may tell you that having a lot of backups is also worrisome because you have multiple points where something can fail.

Quote
Memorizing a seed phrase can be seen as a bad idea. What if you get into an accident, or what if you get memory loss as you age?

I know, that is why it's not my only method.

Quote
I had one question, though, how are your heirs instructed?

My wife had the seed, and I instructed two of my friends (trusted ones) to help her in case something happened to me, since she doesn't know much about technology.

Quote
You can lock your assets for a fixed amount of time. It can only be accessed after the lock period has ended.

I know this; I read the post of Loyce about time lock transactions. And actually I already tested it; for me it's good, but it's a little complicated for my friends. I teach them how to use a wallet like Electrum and Sparrow, but I don't want to confuse them.

I think the topic is getting a bit off track. Has somebody used password store? I think that I can make some video of how to use it. Also I think that I can open a bounty for this tool to anyone who finds some vulnerability in it. I don't have much but I can allow some sats for it.

What do you think?



goxcraft
October 27, 2023, 05:24:51 PM
 #10

Quote
We never know how many is enough (Murphy's law is always present); others may tell you that having a lot of backups is also worrisome because you have multiple points where something can fail.

I think the topic is getting a bit off track. Has somebody used password store? I think that I can make some video of how to use it. Also I think that I can open a bounty for this tool to anyone who finds some vulnerability in it. I don't have much but I can allow some sats for it.

What do you think?

Yes, I somehow may have gone off topic. By Murphy's law, did you mean "what is supposed to happen will always happen"?

To be honest, I don't trust third-party apps to store my seed phrases. I just don't want to rely on them too much. I do know it's open source, secure, and tested by many users, but still, I get a strange feeling about using it. That's why I prefer offline backups the most. No technology, no internet connection, only raw seed phrases. Of course, my offline backup won't be lying on any office desk. I can ensure that it will be in the safest place in my house. Even if my house burns down or is destroyed by a natural calamity, it will hold.

Yes, it would be great if you made a video guide of how to use this kind of password manager.
libert19
October 28, 2023, 11:33:29 AM
 #11

I'm better off with password managers having interfaces rather than a CLI one; if I were to use this I'd probably lose my passwords :P


albert0bsd (OP)
October 28, 2023, 12:38:42 PM
 #12

Quote
I'm better off with password managers having interfaces rather than a CLI one

Yeah, it is not for all; most users will only use the built-in password manager that the web browser has.

Quote
if I were to use this I'd probably lose my passwords :P

No! If you do it correctly and take your precautions to back up the data and keys, you will never lose your passwords unless you lose all your backups.

Quote
require user to already have GPG key, it's not really interesting for me.

You can create an exclusive GPG key for this, no need to publish or share it.

Quote
Using pass on Android? Do you mean you use virtual keyboard to type the CLI command?

Yes, why not? On the road I always use Termux, sometimes just to use Python and make a fast calculation, or just to check suspicious file headers, or also check internet connectivity, scan some wireless network, etc...

Quote
No offense, but it sounds not convenient for most people.

It is not an offense for me; actually it is an offense for "most people" who can't get their face off of Shittok and other social networks. They usually don't care about using a different password for every site/service that they use. Most of them use the same password for every site.

I agree that this tool is not for everyone; if someone dislikes CLI tools they can use other GUI solutions, that is OK.
I just like this tool because I can sync between devices with the git command and, since the data is encrypted, I just need to be careful to back up the data and protect my GPG key.

libert19
October 28, 2023, 01:11:59 PM
 #13

Quote
I'm better off with password managers having interfaces rather than a CLI one

Quote
Yeah, it is not for all; most users will only use the built-in password manager that the web browser has.

No, I use offline password managers; one is password safe, the other is keypass, you can check on playstore. I used to use lastpass but after recent breaches and a corrupted export process, I moved on.

I don't trust either browser extensions or the browser's in-built password save feature.

Quote
if I were to use this I'd probably lose my passwords :P

Quote
No! If you do it correctly and take your precautions to back up the data and keys, you will never lose your passwords unless you lose all your backups.

I feel stupid with CLI applications, it's just that.



