Professor_Piddles@sh.itjust.works 9 months ago
Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.
I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.
Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.
Use a local password manager. KeePass is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.
Thanks, great point. Lots of suggestions for KeePass here, so I’ll definitely look into it. I appreciate the command line tool recommendation as well, as that’s my preference. Cheers!
Why not use KeePass then? It’s entirely local and you don’t have to risk running your own encryption solution.
All it takes is a malicious program accessing your clipboard or running commands to find your password file while your machine is booted and decrypted.
If something happens to your SSD, you lose all access to everything. And SSDs can die without warning, and be un-recoverable.
Would cloudless self hosting count? keepassxc.org
If we’re talking crypto keys like in the article, that would be an improvement over storing them in the cloud, but it’s still vulnerable to malware/keyloggers. Ideally you should use a dedicated hardware wallet or write it down physically and have some form of offline signing setup.
Rootiest@lemm.ee 9 months ago
Use KeePass.
My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures
KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.
lazynooblet@lazysoci.al 9 months ago
Absolutely, Keepass is a great alternative to cloud managed password managers.
Keepass (and most password managers) are vulnerable to this as well.
Rootiest@lemm.ee 9 months ago
Not if you use the browser extension
Plus it does automatically clear the clipboard after a short time which isn’t perfect but it’s still an improvement over using a text file
jarfil@lemmy.world 9 months ago
True, but KeePass has some countermeasures, like wiping the clipboard after some time, sending the password directly to a browser extension, or entering the master password on a “secure desktop” (technically not all that secure, but more secure than the lack of it).
charles@lemmy.world 9 months ago
Is there a recovery process if your yubikey breaks?
Rootiest@lemm.ee 9 months ago
Having a recovery process for the YubiKey world really just be a potential security hole.
Ideally you have a backup clone of the key in case yours is lost/broken.
Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.
A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.
Professor_Piddles@sh.itjust.works 9 months ago
Thank you for your detailed responses - I’m going to look into KeePass and maybe a Yubikey after reading your description of how it works. I hadn’t considered a Yubikey before mostly because I’m prone to lose things, but also because my encrypted file password is >12 characters and a fairly random mix of lower and uppercase letters, numbers and special characters.
PlexSheep@feddit.de 9 months ago
There is no recovery if you have a single hardware token in use only. But that’s a structional issue with your concept.
Instead, it is recommended to have two (or more) identical Hardware Tokens to replace one that dies.
It is also smart to keep the seeds for things like 2fa in some secure backup with schizophrenic paranoia proof Security measures.