
Topic: passwordstore an open source password manager (Read 175 times)

legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
October 29, 2023, 05:02:27 AM
#15
It requires the user to already have a GPG key; it's not really interesting for me.

You can create an exclusive GPG key for this, no need to publish or share it.

That makes sense. Although protecting and backing up the GPG key is still an additional task or burden for some people.

Using pass on Android? Do you mean you use a virtual keyboard to type the CLI commands?

Yes, why not? On the road I always use Termux, sometimes just to use Python and make a fast calculation, or just to check suspicious file headers, or also to check internet connectivity, scan some wireless networks, etc...

It's just that typing on a virtual keyboard is rather slow compared with typing on a physical keyboard.
hero member
Activity: 2464
Merit: 934
I'm better off with password managers having interfaces rather than CLI ones.

Yeah, it is not for all; most users will only use the built-in password manager that the web browser has.

No, I use offline password managers; one is Password Safe, the other is KeePass, you can check on the Play Store. I used to use LastPass, but after the recent breaches and a corrupted export process, I moved on.

I don't trust either browser extensions or the browser's built-in password save feature.

If I were to use this I'd probably lose my passwords :P

No! If you do it correctly and take your precautions to back up the data and keys, you will never lose your passwords unless you lose all your backups.

I feel stupid with CLI applications, it's just that.



hero member
Activity: 828
Merit: 657
I'm better off with password managers having interfaces rather than CLI ones.

Yeah, it is not for all; most users will only use the built-in password manager that the web browser has.

If I were to use this I'd probably lose my passwords :P

No! If you do it correctly and take your precautions to back up the data and keys, you will never lose your passwords unless you lose all your backups.

It requires the user to already have a GPG key; it's not really interesting for me.

You can create an exclusive GPG key for this, no need to publish or share it.

Using pass on Android? Do you mean you use a virtual keyboard to type the CLI commands?

Yes, why not? On the road I always use Termux, sometimes just to use Python and make a fast calculation, or just to check suspicious file headers, or also to check internet connectivity, scan some wireless networks, etc...

No offense, but it doesn't sound convenient for most people.

It is not an offense to me; actually it is an offense to "most people" who can't get their faces off of Shittok and other social networks. They usually don't care about using a different password for every site/service that they use. Most of them use the same password for every site.

I agree that this tool is not for everyone; if someone dislikes CLI tools they can use other GUI solutions, that is OK.
I just like this tool because I can sync between devices with git commands, and since the data is encrypted I just need to be careful to back up the data and protect my GPG key.
hero member
Activity: 2464
Merit: 934
I'm better off with password managers having interfaces rather than CLI ones; if I were to use this I'd probably lose my passwords :P

sr. member
Activity: 583
Merit: 271
We never know how many is enough (Murphy's law is always present); others may tell you that having a lot of backups is also worrisome because you have multiple points where something can fail.

I think the topic is getting a bit off track. Has somebody used password store? I think that I can make a video of how to use it. Also I think that I can open a bounty on this tool for anyone who finds a vulnerability in it. I don't have much, but I can allow some sats for it.

What do you think?
Yes, I somehow may have gone off topic. By Murphy's law, did you mean "what is supposed to happen will always happen"?

To be honest, I don't trust third-party apps to store my seed phrases. I just don't want to rely on them too much. I do know it's open source, secure, and tested by many users, but still, I get a strange feeling about using it. That's why I prefer offline backups the most. No technology, no internet connection, only raw seed phrases. Of course, my offline backup won't be lying on any office desk. I can ensure that it will be in the safest place in my house. Even if my house burns down or is destroyed by a natural calamity, it will hold.

Yes, it would be great if you made a video guide on how to use these kinds of password managers.
hero member
Activity: 828
Merit: 657
I don't know if that's enough. I have seen many cases where people faced hardware failures, software bugs, and other issues that caused them to lose their funds. 

We never know how many is enough (Murphy's law is always present); others may tell you that having a lot of backups is also worrisome because you have multiple points where something can fail.

Memorizing seedphrase can be seen as a bad idea. What if you get into an accident, or what if you get memory loss as you age?

I know, that is why it's not my only method.

I had one question, though, how are your heirs instructed?

My wife has the seed, and I instructed two of my friends (trusted ones) to help her in case something happened to me, since she doesn't know much about technology.

You can lock your assets for a fixed amount of time. It can only be accessed after the lock period has ended.

I know this, I read the post by loyce about time-lock transactions. And actually I already tested it; for me it's good, but it's a little complicated for my friends. I taught them how to use a wallet like Electrum and Sparrow, but I don't want to confuse them.

I think the topic is getting a bit off track. Has somebody used password store? I think that I can make a video of how to use it. Also I think that I can open a bounty on this tool for anyone who finds a vulnerability in it. I don't have much, but I can allow some sats for it.

What do you think?


sr. member
Activity: 583
Merit: 271
Yes, they already have instructions to do it.
I have 2 backups, one in my house and the other in my parents' house; also I memorize my 24-word seed with some funny phrases.
I know that it is a difficult topic, a lot of opinions and ideas about this. And the debate is really good :)
Memorizing seedphrase can be seen as a bad idea. What if you get into an accident, or what if you get memory loss as you age? As for me, I have multiple backups of my seeds, both online and offline. Two of them are stored on my airgapped device, and two are on my personal note. I don't know if that's enough. I have seen many cases where people faced hardware failures, software bugs, and other issues that caused them to lose their funds. 

I had one question, though, how are your heirs instructed? You can do one thing. You can lock your assets for a fixed amount of time. It can only be accessed after the lock period has ended. You may want to try this. Even if your heirs get their hands on private keys, they'll have to wait.
hero member
Activity: 828
Merit: 657
If you die, will your heirs have access to it?

Yes, they already have instructions to do it.

Do you have a second backup in case your computer burns? Or if your house is on fire?

I have 2 backups, one in my house and the other in my parents' house; also I memorize my 24-word seed with some funny phrases.

I know that it is a difficult topic, a lot of opinions and ideas about this. And the debate is really good :)

legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
Note for the moderator: since there is no cyber-security board I put this topic here, because I believe that this tool can be used to back up seeds, passwords, passphrases, private keys and other secrets.

If it is a small amount of money, you can put your seed in a password manager or in an encrypted file.

However, I don't think you should put the seed with your life savings in a password manager.
There are just too many specifics about a bitcoin seed to put it there.

For example:
If you die, will your heirs have access to it?
Do you have a second backup in case your computer burns? Or if your house is on fire?

As a bitcoin wallet may contain a lot of money, nothing can go wrong. If you lose some passwords, you can recover most of them in some way.
hero member
Activity: 672
Merit: 855
Would this tool also store the GPG key as well? Isn't it a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?

If you're talking about it being compromised, then I will say it carries the same risk as regular password managers if that happens, that is, all your passwords will be exposed. But the encryption of your key in GPG is better than regular password managers. But without proper encryption of your key with a strong passphrase, just anyone can have access to the stored passwords.

Also the best place to store your key is offline, which is the best form of any storage.
hero member
Activity: 828
Merit: 657
It is better in Beginners & Help. Move it to Beginners & Help.

Yeah, you are right, it fits better here in Beginners & Help.

Is there any script allowing us to generate a GPG private/public key pair offline? What are the curve parameters for GPG, etc.?
Would this tool also store the GPG key as well? Isn't it a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?

GnuPG is a cryptographic suite that allows you to work with different cryptographic schemes.


Code:
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

It can use different asymmetric cryptographic suites like RSA, ECDSA and EdDSA, and others...
It can use different symmetric suites like AES256, Blowfish and others.

It is actually very secure, common for more than 20 years in the Open Source community.

legendary
Activity: 1512
Merit: 4795
My password manager has been books.

Note for the moderator: since there is no cyber-security board I put this topic here, because I believe that this tool can be used to back up seeds, passwords, passphrases, private keys and other secrets.
It is better in Beginners & Help. Move it to Beginners & Help.

Is there any script allowing us to generate a GPG private/public key pair offline? What are the curve parameters for GPG, etc.?
Would this tool also store the GPG key as well? Isn't it a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?
PGP tools are to be used offline.

There has been a guide about it on this forum, but the images are not displaying anymore: [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint

I can use a PGP tool to generate a private key and a public key, use the public key to encrypt a message (which are the passwords), and use the private key and its passphrase to decrypt the encrypted message/password anytime I want to have access to the passwords.
copper member
Activity: 1330
Merit: 899
🖤😏
Is there any script allowing us to generate a GPG private/public key pair offline? What are the curve parameters for GPG, etc.?
Would this tool also store the GPG key as well? Isn't it a bit risky to keep all the keys/passwords you have in a single place? What if GPG has a backdoor?
hero member
Activity: 828
Merit: 657
Note for the moderator: since there is no cyber-security board I put this topic here, because I believe that this tool can be used to back up seeds, passwords, passphrases, private keys and other secrets.



Hello everyone, I want to share with you one simple tool to store passwords securely.

https://www.passwordstore.org/

If you don't know it, password store is an open source project written in bash that uses GPG to store passwords encrypted with your GPG private key, which means that only you will be able to decrypt them.

I like this tool because it is a command line tool; I can use it on Linux, Windows (WSL) and Android (Termux). It can be synchronized between devices with git, so that means you can have a single password repository on all your devices. You only need to have the same GPG private key on all of them.

Quote
You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names and commands, as well as completion for zsh and fish available in the completion folder. The very active community has produced many impressive clients and GUIs for other platforms as well as extensions for pass itself.

So it's a simple bash tool to organize passwords stored in individual files encrypted with GPG.

Password store already have some years:
Initial release: September 4, 2012; 11 years ago
GnuPG also have more years:
Initial release: 7 September 1999; 24 years ago

With those years on the market most common bugs should already be fixed, and almost all security flaws should also have been caught already.

I am using this tool to manage my passwords and other secrets like seeds and private keys. Maybe some of you will point to KeePass or some other private solution like 1Password, but I like this one because it's originally a command line tool and I can use it on all my devices: Linux, Windows and Android.

Obviously it needs its precautions, like backing up the GPG private key securely and other things, all depending on how paranoid you are with all those things.
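The offline key-generation question raised earlier in the thread ("is there any script to generate a GPG key pair offline, and what are the curve parameters") and the opening post's description of the store (one GPG-encrypted file per secret, `.gpg-id` naming the recipient key, git for sync) can be shown end to end with gpg and git alone. This is an added example, not code from pass or from the original post: it re-creates the four operations pass wraps (init, insert, show, git) in a throwaway keyring and store directory. The key parameters (Ed25519 signing key with a Curve25519 encryption subkey), the user ID, the store path and the demo secret are assumptions made for the example, and `%no-protection` is used only so the demo runs unattended.

```shell
#!/usr/bin/env bash
# Added example (not part of pass or the original post): the core of what pass
# does, spelled out with gpg and git directly.
#   1. generate a dedicated key pair offline, in a throwaway keyring
#   2. record the recipient fingerprint in .gpg-id, as `pass init` does
#   3. encrypt one secret per <name>.gpg file, as `pass insert` does
#   4. decrypt on demand, as `pass show` does
#   5. put the store under git, as `pass git init` does
# Names, paths, key parameters and the demo secret are assumptions for this demo.
set -eu

# Throwaway keyring and store so nothing touches ~/.gnupg or ~/.password-store
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
STORE="$(mktemp -d)/password-store"

# 1. Unattended key generation from a parameter file (GnuPG 2.1+ syntax):
#    Ed25519 for signing/certification, Curve25519 (cv25519) for encryption.
#    %no-protection leaves the key without a passphrase so the demo needs no
#    pinentry; a real key must carry a strong passphrase.
gen_key() {
    gpg --batch --quiet --gen-key <<'EOF' 2>/dev/null
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: pass demo
Name-Email: pass-demo@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
    # primary-key fingerprint: first "fpr" record of the machine-readable listing
    gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 2. pass init <fingerprint>: the store remembers which key to encrypt to
store_init() {   # store_init FINGERPRINT
    mkdir -p "$STORE"
    printf '%s\n' "$1" > "$STORE/.gpg-id"
}

# 3. pass insert <name>: one secret per file, encrypted to the .gpg-id key.
#    <name> itself is a plaintext path on disk; only the content is protected.
store_insert() {   # store_insert NAME SECRET
    recipient="$(cat "$STORE/.gpg-id")"
    mkdir -p "$(dirname "$STORE/$1.gpg")"
    printf '%s\n' "$2" | gpg --batch --quiet --yes --trust-model always \
        --recipient "$recipient" --encrypt --output "$STORE/$1.gpg"
}

# 4. pass show <name>: decrypt with the private key in the current keyring
store_show() {   # store_show NAME
    gpg --batch --quiet --decrypt "$STORE/$1.gpg" 2>/dev/null
}

# 5. pass git init / pass git commit (skipped when git is absent)
store_git_commit() {
    command -v git >/dev/null 2>&1 || { echo "git not installed"; return 0; }
    git -C "$STORE" init -q
    git -C "$STORE" -c user.name=demo -c user.email=demo@example.invalid add -A
    git -C "$STORE" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "add demo secrets"
    git -C "$STORE" rev-parse --short HEAD
}

# The check a practitioner wants: the file on disk must not contain the secret,
# and decrypting it must give back exactly what was inserted.
store_check() {   # store_check NAME SECRET -> prints "ok" or "FAIL: ..."
    if grep -q "$2" "$STORE/$1.gpg"; then echo "FAIL: plaintext on disk"; return 1; fi
    if [ "$(store_show "$1")" = "$2" ]; then echo "ok"; else echo "FAIL: roundtrip"; return 1; fi
}

demo() {
    fpr="$(gen_key)"
    echo "generated key $fpr"
    store_init "$fpr"
    store_insert "web/example.com" "correct-horse-battery-staple"
    store_check "web/example.com" "correct-horse-battery-staple"
    store_git_commit
    gpgconf --kill gpg-agent 2>/dev/null || true
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not installed; nothing to demo"; fi
```

Run it as a script; it needs gpg 2.1 or newer and, for the last step, git. Two things the example makes visible that the post does not: the directory tree and file names of the store are plaintext on disk, so the list of sites is readable by anyone who can list the directory even though each password is not; and everything in the store is only as recoverable as the private key, so for a real key drop `%no-protection`, set a strong passphrase, and keep an offline copy made with `gpg --armor --export-secret-keys <fingerprint>`.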