Infotropism Kirrily Robert’s blog

The Password Solution

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

For many years now I’ve been using STRIP, the Secure Tool for Recalling Important Passwords, on my Palm Pilot to store passwords for websites and other important information like bank account numbers.

The time has come for a change, mostly because I want to minimise the number of devices I carry around. This is particularly important while I’m travelling, but in general, it’s just getting silly that I have a phone, a palm pilot, an iPod, and a camera — all in addition to my laptop. I’m thinking of ditching the Palm, and this is part of my trial run.

Since I’ve been talking to a number of people about this, and asking for suggestions, I thought I’d post what I came up with. Thanks to the folks on #perlnet who helped me figure out what I wanted on IRC the other day.

What I wanted

• Store passwords and other private information (account numbers, etc)
• Categorise entries into groups
• Generate line-noise style passwords
• Solid encryption algorithms
• A way to get at my password database even if my laptop implodes or is stolen

What I came up with: Wallet + Crypt

Wallet is the first part of my solution. It’s demoware, $14.95 US to register, and the featurelist includes:

• Blowfish encryption
• Categories of passwords
• Different layouts for web logins, credit cards, serial numbers, etc
• Locks itself and clears your clipboard when not in use
• Password generation (alas, doesn’t include punctuation, but better than nothing)
• Auto-form-fill for some browsers
• Dashboard widget to search for a password
• .Mac integration
• Export to tab-delimited text file

Now, it’s OSX only, so I needed to deal with the prospect of an emergency where I can’t get at a Mac to open up the password database. I need something that, in a worst case scenario, I can use in any readily available computer. The answer to this looks like it’s Crypt.

• Export a backup of my Wallet database in tab-delimited text format
• Drag that file to Crypt, choosing “Shred original”
• Save the resulting encrypted file on a USB stick, email it to myself, or generally just make sure it’s available

Crypt uses 256 bit AES encryption, and you can decrypt using any platform that has OpenSSL, tar, and zip. I see two uses cases for this.

First of all, Windows with Cygwin. I’ll be keeping a copy of Cygwin on my USB stick as part of my emergency kit. If I have access to a Windows machine and can install cygwin, then I’m set.

Second option, I have access to Linux servers, so if I can upload them there and get into a shell via PuTTY, it’s a simple matter of openssl enc -d -aes-256-cbc -salt -k mykey -in file.crypt3 | gunzip | tar -x -C outputdir (say that three times fast).

And yes, I just included the above command so that when I need it, I can come to my blog and find it.

I use Password Safe (originally by Bruce Schneier, now maintained by a group of people at SourceForge).

I think it your criteria 1-4, but not 5. Unless you upload the database somewhere else yourself.

Password Safe is Windows-only, but there are other programs which can read and write PWS files, at least one written in Java and hence nominally cross-platform.

Philip: Yeah, I looked at that one, but I really wanted something OSX-native and with a maclike interface, since I’d be primarily using it on this laptop. I figure if I’m going to have a shiny toy, I may as well enjoy the shininess, yknow?

Doesn’t OS X have the SSL command line tools already? I suspect that Crypt is just acting as a nice gui for them. I’m not an OS X expert, but wouldn’t it be relatively trivial to make some script you can drag and drop stuff to?

Jay: Sure, but see my comment to Philip above. If I’m gonna use a Mac, I want the shiny!

How about KeePassX (http://keepassx.sourceforge.net/)?