qlyoung's wiki

password_management [2024/03/01 16:56] – [porcelain] qlyoung
password_management [2025/10/06 03:07] (current) – [password management] password -> credential qlyoung
Line 1: Line 1:
 ===== password management ===== ===== password management =====
  
-Password management is a critical part of any personal infrastructure. I've had a few people ask me how I manage my passwords.+Credential management is a critical part of any personal infrastructure.
  
-==== tldr ====+==== Current setup ====
  
-{{ :untitled_diagram.drawio_1_.svg |}}+I used to use [[https://www.passwordstore.org/|pass]]. However, with the advent of [[wp>WebAuthn|passkeys]] this approach was becoming increasingly difficult. 
 + 
 +For the record, I absolutely believe in PKC authentication but am highly skeptical of passkeys, to put it mildly. Perhaps another wiki page about that at some point. 
 + 
 +Anyhow, in 2025 I switched to [[https://keepassxc.org/|KeepassXC]] for credential management. In tandem with a [[https://syncthing.net/|sync solution]] to sync the credential database to all devices it works well enough. It supports passkeys, although not all websites (relying parties) will "allow" the particular "flavor" of passkeys (synced credentials) it "supports" (this is all security theater). 
 + 
 +KeepassXC works on every computer I own and I use [[https://keepassium.com/|Keepassium]] on my phone. 
 + 
 +I do wish it had the ability to use a GPG key as a primary key; instead the database is encrypted with a passphrase. Security keys and PGP challenge-response can be used, but only as secondary or tertiary factors to the passphrase. 
 + 
 +==== Old setup ==== 
 + 
 +{{ :untitled_diagram.drawio_1_.svg?500| }}
  
 I use [[https://www.passwordstore.org/|pass]]. This is a shell script that provides porcelain over a directory of plain text files encrypted with a gpg keypair. I use [[https://www.passwordstore.org/|pass]]. This is a shell script that provides porcelain over a directory of plain text files encrypted with a gpg keypair.
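Review bot: the unchanged context line "I use [[https://www.passwordstore.org/|pass]]. This is a shell script ..." now sits directly under the new "==== Old setup ====" heading, one paragraph after the revision states "in 2025 I switched to [[https://keepassxc.org/|KeepassXC]]"; the present tense contradicts the new section title. Suggest changing it to "I used pass. This is a shell script ..." (and likewise "It is a very simple and secure setup" further down) so the whole section reads as the superseded setup.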
Line 34: Line 46:
 </code> </code>
  
-The "unlock gpg keypair" bit is some UX that asks for the key to unlock my GPG keypair. I use a yubikey so this is a prompt to insert my yubikey and enter its pin.+The "unlock gpg keypair" bit is some UX that asks for the key to unlock my GPG keypair. I use a [[wp>OpenPGP card]] so this is a prompt to insert that and unlock it.
  
-This directory is version controlled and synchronized to all my devices using git.+This directory is version controlled with git. Cross-device sync is accomplished with git push/pull.
  
 It is a very simple and secure setup. It is a very simple and secure setup.
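Review bot: the rewritten sentence "this is a prompt to insert that and unlock it" drops the PIN detail that the old text had, while the unchanged key management section below still says "unlock my yubikey with a 6 digit pin". Either keep the PIN mention here ("insert the card and enter its PIN") or make the later section device-agnostic too, so the two descriptions of the unlock step agree.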
Line 42: Line 54:
 ==== key management ==== ==== key management ====
  
-This setup requires my personal GPG keypair to unlock the store. This means that the keypair has to be accessible to every device that needs access to passwords.+{{ :img_1295.jpg?400|}} 
 + 
 +This setup requires my GPG keypair to unlock the store. This means that the keypair has to be accessible to every device that needs access to passwords.
  
-A GPG keypair is for practical purposes two files, one containing the public key and the other containing the private key. It's very important to the security of any system involving GPG that they private key file not be exposed to anyone. For this reason it's usually encrypted with a symmetric password. If you use the conventional setup, this symmetric password effectively becomes the "master" password for the password store.+A GPG keypair is for practical purposes two files, one containing the public key and the other containing the private key. It's very important to the security of any system involving GPG that the private key file not be made public. For this reason it's usually encrypted with a symmetric password. If you use the conventional setup, this symmetric password effectively becomes the "master" password for the password store.
  
-However, even though the keypair is itself encrypted, having it stored on disk isn't ideal from a security perspective - particularly on mobile, which are very exposed and historically very insecure. It's better if we don't store the key on disk at all. To accomplish this I store my keypair on a [[https://en.wikipedia.org/wiki/OpenPGP_card|OpenPGP smart card]] (a [[https://www.yubico.com/product/yubikey-5c-nfc/|yubikey]]). This small, unobtrusive device lives on my keychain along with my car keys.+However, even though the keypair is itself encrypted, having it stored on disk isn't ideal from a security perspective - particularly on mobile devices, which are very exposed and historically very insecure. It's better if we don't store the key on disk at all. To accomplish this I store my keypair on a [[https://www.yubico.com/product/yubikey-5c-nfc/|yubikey]], which implements the [[wp>OpenPGP card]] standard. This small, unobtrusive device lives on my keychain along with my car keys.
  
 On my desktop and laptop, whenever I need a password, I'm prompted to plug in and unlock my yubikey with a 6 digit pin. The encrypted file containing the password is then sent, over USB, to the embedded processor on the yubikey. The yubikey decrypts it using the GPG private key and sends back the cleartext contents. The flow is the same on my phone, except that communication occurs over NFC so I am prompted to tap my yubikey on the device. On my desktop and laptop, whenever I need a password, I'm prompted to plug in and unlock my yubikey with a 6 digit pin. The encrypted file containing the password is then sent, over USB, to the embedded processor on the yubikey. The yubikey decrypts it using the GPG private key and sends back the cleartext contents. The flow is the same on my phone, except that communication occurs over NFC so I am prompted to tap my yubikey on the device.
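Review bot: the change from "not be exposed to anyone" to "not be made public" weakens the requirement on the private key file. Since the next sentence says the key's symmetric password "effectively becomes the 'master' password for the password store", the file must be treated as secret (never shared, not merely unpublished), because anyone holding the file only needs to guess that one passphrase; suggest "not be disclosed to anyone" or similar. The new sentence "It's better if we don't store the key on disk at all" is consistent with the smart card paragraph that follows, so no change needed there.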
Line 60: Line 74:
 There are plugins that provide browser autofill which I used to use. There are plugins that provide browser autofill which I used to use.
  
-Currently I have a global system shortcut (''^-alt-p'') which launches [[https://github.com/carnager/rofi-pass|rofi-pass]]. This is a floating launcher prompt, similar to Spotlight on a Mac. It allows me to type a few characters of the name of the password I want until it matches the correct one. Then I unlock the password as previously described. Instead of copying it to the clipboard, it then types it out using a virtual keyboard device. This is nice because it works everywhere - in the browser, in the terminal, and so on.+Currently I have a global system shortcut (''^-alt-p'') which launches [[https://github.com/carnager/rofi-pass|rofi-pass]]. This is a floating launcher prompt, similar to Spotlight on a Mac. It allows me to type a few characters of the name of the password I want until it matches the correct one. Then I unlock the password store as previously described. Instead of copying the password to the clipboard, it then types it out using a virtual keyboard device. This is nice because it works everywhere - in the browser, in the terminal, and so on.
  
 For git synchronization, pass automatically creates a new git commit whenever a password file is changed, and wraps git operations so that ''pass git push'' and ''pass git pull'' do the obvious things. For git synchronization, pass automatically creates a new git commit whenever a password file is changed, and wraps git operations so that ''pass git push'' and ''pass git pull'' do the obvious things.
password_management.1709312178.txt.gz · Last modified: by qlyoung
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International