I couldn't find any "recent" information for password management on Debian. I've been using KeePass2, which works well enough for me, without the browser plugins though (can't get either of the Firefox plugins to work). My wife on the other hand needs something easier (more automatic I think, that works in the browser). Any happy LastPass users out there in Debian land? Is there a better alternative?
I'm not keen on storing my passwords with a big company, but may have to get over that.
Password management in 2014
Re: Password management in 2014
Googling password manager linux, two of the hits I see on the very first page claim to be a comparison of different password managers (including one that claims to be a Linux-specific version of KeePass). For the benefit of folks who don't know your wife well enough to suss out what she might consider "easy," can you maybe clarify what information is missing from those comparisons? (Or critical-to-you features missing in those applications?)
Re: Password management in 2014
Thank you for your speedy reply.
Yeah, I saw those. Unfortunately none of them seem any better than KeePass2 for me.
My wife needs something cross-platform (Windows and Linux, with Android preferably), and that works in Chrome and Firefox. The big feature missing is browser integration, which is why I'm curious if anyone has some experience with LastPass (as it's the only one I know of that meets those criteria) or if there's something else I haven't been able to find yet on my own. So many of the reviews I've found are dated 2011 or earlier, and it seems like a lot has improved in the last year on this front (at least on Windows anyway).
Re: Password management in 2014
I am also a KeePass user.
I use mine with Dropbox.
It syncs to my android phone,
so when I add an entry on KeePass,
I open Dropbox and it syncs it instantly.
It had been a while since I set
it up, but it is the only thing I
have on Dropbox and I like it.
You have to have Dropbox installed
on your computer and on your phone,
along with KeePass on your computer
and your phone.
I haven't used any browser plug-ins,
just Dropbox.
Hope this helps
Re: Password management in 2014
I personally don’t see how using KeePassX or KeePass is hard. It’s easier than using an email client.
On browser integration
In GNU/Linux KeePassX uses AutoType to “select which application or browser window to enter password/user name information.” This might fall into the domain of Not Easy Enough for your wife, but you could set it up. If that’s acceptable, the link below might be the solution you’re looking for using (mostly) FLOSS, depending on the Not Easy Enough factor. Again, the auto-type apparently does not work on Windows.
http://www.tomaz.me/2013/10/24/my-passw ... eroak.html
Whereas KeePassX has good OS integration and lacks browser integration, KeePass2 lacks good OS integration, but has browser integration (Chrome and Firefox). It’s available in the Debian repositories.
http://www.maketecheasier.com/integrate ... in-ubuntu/
Keefox works with KeePass, I assume it would also work with KeePass2 on Debian.
https://addons.mozilla.org/en-US/firefox/addon/keefox/
There is also chromeIPass for KeePass integration; probably the same deal as Keefox. See the Chrome webstore.
A recent roundup focusing on browser integration.
http://dustycloud.org/blog/password-managers-roundup/
More generally
An interesting discussion here:
http://security.stackexchange.com/quest ... e-lastpass
and here, a comment on browser-integrated PMs that I hadn’t thought of before (foiling phishing attacks):
http://security.stackexchange.com/quest ... rd-manager
LastPass themselves on the NSA controversy:
http://blog.lastpass.com/2013/09/lastpa ... versy.html
Interesting, that they use local encryption. Includes a word from the LastPass CEO in the discussion on whether LP could go open source (their word selection).
So far I use KeePassX only locally. A few months ago I spent a lot of time entering data, but didn’t make a backup, and within a couple of weeks the hard drive crashed and I couldn’t recover it. If I do ever go to a separate syncing service, I’d go with SpiderOak rather than Dropbox, but for the PM, if you have a good password that extra security should be superfluous, unless you are hiding from someone with the resources needed to crack the considerable encryption. Like you, I distrust putting sensitive information on someone else’s server, even with local-only encryption, so I haven’t taken that step (leaving me with the problem of how to make the info available on different computers), but if you can trust SpiderOak (not to mention Dropbox), you should be able to trust LastPass, as both use local-only encryption and decryption.
Some comment that the LastPass interface is lacking. Popular solutions also include Roboform/Roboform Everywhere (not exactly in the repositories) and 1Password (no GNU/Linux joy). If I were to go with a web-based PM, I’d compare LastPass with Roboform. Both are proprietary, however, so I don’t see myself going that way.
For the security conscious, here are some interesting articles, including a spate of lifehacker articles relating to passwords and password management in 2012:
http://lifehacker.com/5879117/how-to-bu ... humb-drive
https://pthree.org/2012/10/30/the-yubikey/
http://lifehacker.com/5785420/the-only- ... t-remember
http://lifehacker.com/5937303/your-clev ... ys-hackers
http://lifehacker.com/5944969/which-pas ... ost-secure
http://lifehacker.com/5930935/enable-th ... e-lastpass
Historical LastPass security issue:
http://lifehacker.com/5798874/lastpass- ... -ever-need
KeePassX (edit: version 2) has been in alpha since 2012, with the fifth release in December ’13. I think I’ll donate a little something.
KeePassX on a Debian derivative:
http://www.omgubuntu.co.uk/2013/10/mana ... y-keepassx
A word to the wise
The best advice is one you already know: make a strong password for the password manager and do not recycle it. Fixate on this. Make your wife do this. She’ll hate you for it, never knowing that you saved your family from financial ruin and public embarrassment.
Remember, repetitio mater studiorum est. All you have to do to memorize a strong password is to type it thirty to forty times into a text file, obviously while no one is looking and without saving the file. I’ve learned many passwords this way, and couldn’t even dictate them or type them on a different keyboard without effort, because they’re in my muscle memory. Wouldn’t that give your wife a sense of accomplishment?
Last edited by michapma on 2014-03-14 00:08, edited 1 time in total.
Re: Password management in 2014
I've been using LastPass on Linux, ChromeOS, and Android for some time. I'm somewhat leery of giving it my really important passwords, but I do use it for most online sites. It's convenient, and it works pretty well. It's configurable, to allow you to set the timeout before it requires a new login, and whether each site should use auto login, just fill in the blanks, or do nothing. I'm happy enough with it, and my only caveat is that I can't completely guarantee that LastPass doesn't have access to my database. For passwords I really care about, such as my bank accounts, etc, I use KeePassX and KeePass2. There is an Android port of both, and I use Dropbox to keep my databases in sync. I know they are encrypted locally before they are uploaded to Dropbox, and I have a strong password, so I'm not worried about having the encrypted databases stored online. I think LastPass keeps its database encrypted, and only decrypts it locally on my machines, but I'm not completely certain, so I won't guarantee anything, so take it for what it's worth. But LastPass is hard to beat for convenience and cross-platform availability.
Take my advice, I'm not using it.
Re: Password management in 2014
Thank you all for the wonderful responses. @michapma, thank you for all your research!
As for the Chrome and Firefox plugins for KeePass2, I still can't get KeeFox to work on Debian - something to do with the incorrect version of Mono installed (apparently Wheezy has version 3.x, but the plugin was written with 4.x). ChromeIPass may work with the precompiled plugin download, but these days I've been using Firefox more (maybe it's time to make a switch?). PassIFox hasn't worked for me yet, as I haven't been able to figure out how to connect it to the KeePass2 system even with KeePassHTTP correctly installed and working; there's no icon on the dash and I can't find any options to establish the initial connection. I'll keep hunting for it.
I really like KeePassX's interface more than KeePass2's, but my rather extensive DB was started in version 2 and I'm worried I'd lose something important on an export. There's also, as I understand it, no plugin support. I keep waiting for KeePassX 2's alpha to go at least beta.
There's a lot of other good information in those posts though, so I'll start sifting through it. My wife also just informed me last night that she's willing to put the time into learning the ins and outs of KeePass2; she just has a very hectic schedule these days and I didn't want to burden her with it if there's something "easier" to use with her web browsing (where she mostly needs it).