[Nottingham] gpgpwd - keeping a commandline passwords list
Paul Tew
binarybod at gmail.com
Mon Jun 18 19:16:56 UTC 2012
On 17/06/12 22:20, Mike Cardwell wrote:
> On 17/06/12 21:47, Martin wrote:
>
>> This looks to be an interesting one for those of us living on the
>> commandline:
>>
>> Announcing gpgpwd
>> http://blog.zerodogg.org//2012/06/15/announcing-gpgpwd/
>>
>> Just wondering if that is secure enough or not?
>
> This is actually very similar to something I wrote for myself and have
> been using for a little over a year. Before that, I used LastPass.com,
> but then I discovered a vulnerability in it:
>
> https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details
>
> After that incident I decided that I didn't want to rely on the
> security of a third party service for my password management any more
> and so started using GNUPG and a local text file.
>
> There's a plugin for VIM called "gnupg.vim" that allows you to
> transparently work with GNUPG encrypted files. So I started using this
> to add password information to a text file, and then wrote a simple
> command line utility which basically decrypts the file, greps out the
> password and then copies it into the clipboard for 10 seconds. The
> encrypted password file is stored in Dropbox for sync and backup purposes.
>
> I've just been looking at the code for gpgpwd. It's Perl, and it's
> well written. I would be happy to use this if I didn't already have my
> own solution. I definitely would recommend using a password manager
> based on GNUPG.

Here's my take on this from a forensic analyst's point of view...

* stored on clipboard = stored on disk (probability high)
* clipboard entry stored for 10 seconds and then deleted = recoverable

The safest option is to make sure your underlying filesystem is
encrypted - I use the LUKS extensions to cryptsetup.

Paul Tew
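
The workflow Mike Cardwell describes (decrypt, pick out one entry, hold it on the clipboard for 10 seconds), sketched as an added example; it is not his utility, not gpgpwd's code, and not part of either message. The tab-separated `name<TAB>password` file format, the `PWFILE` path and the use of `xclip` are assumptions.

```shell
#!/bin/sh
# Added example. Assumed format of the decrypted file: one entry per line,
# "name<TAB>password". PWFILE is a placeholder path; xclip (X11) is assumed.
PWFILE="${PWFILE:-$HOME/passwords.txt.gpg}"
CLIP_SECONDS=10

# lookup NAME: read decrypted entries on stdin and print the password of the
# entry whose name matches exactly. A plain grep would treat NAME as a regex
# and "mail" would also hit "webmail"; awk compares the whole field instead.
lookup() {
    awk -F '\t' -v name="$1" '
        $1 == name { print substr($0, length($1) + 2); found = 1; exit }
        END { exit !found }'
}

# copy_entry NAME: decrypt, copy to the clipboard, clear after CLIP_SECONDS.
# The secret moves through pipes only: never argv (visible in ps) and never
# a temporary file.
copy_entry() {
    secret=$(gpg --quiet --decrypt "$PWFILE" | lookup "$1") || return 1
    printf '%s' "$secret" | xclip -selection clipboard
    (
        sleep "$CLIP_SECONDS"
        # Clear only if the clipboard still holds our secret, so something
        # the user copied in the meantime is not wiped.
        [ "$(xclip -selection clipboard -o 2>/dev/null)" = "$secret" ] &&
            printf '' | xclip -selection clipboard
    ) &
    # Clearing is not erasure: per the reply above, clipboard contents may
    # already have reached disk, hence the advice to encrypt the filesystem.
}

# Constructed sample entries (not real credentials) for an offline check.
sample_entries() { printf 'mail\thunter2\nwebmail\tcorrect horse\n'; }

if [ "$#" -gt 0 ]; then
    copy_entry "$1"
else
    sample_entries | lookup webmail >/dev/null && echo "lookup self-check ok"
fi
```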