[sclug] Wanted: online password store

Philip Hands phil at hands.com
Tue Nov 10 11:48:40 UTC 2009


On Wed, Oct 07, 2009 at 03:57:52PM +0100, Jon Mann wrote:
> 
> > I have about a bajillion username/password pairs for all sorts of
> > things. [...] Can anyone suggest a trustworthy online password
> > repository for storing this sort of stuff?
> 
> Perhaps some of your usernames/passwords are for websites which
> support OpenID, which would be an opportunity to consolidate some
> login details:
> 
>   http://openid.net/
>   http://openidexplained.com/

For OpenID, I use certifi.ca as my broker, who accept CaCert client certs,
which along with the fact that one can delegate OpenIDs with a couple of
META tags, means that I can use https://hands.com/~phil as the OpenID I
tell to sites, have that delegate to certifi.ca which in turn requests
my CaCert client certificate, and all I need to do to log in is approve
the request.  I seem to remember that I've not yet discovered how to get
certifi.ca to accept that I might have multiple client certificates for
the same person (so I don't need to copy the same cert to both my laptop
and desktop).

I notice that you can sign up at launchpad (which is a fair thing to do
if you have the slightest interest in ubuntu) and they'll automatically
offer you an OpenID along with your account (which, of course, you
can delegate from your home so that you don't get screwed if you decide
launchpad's not for you at some point).

For other passwords, I use the command-line pwsafe (which uses
a format that's also supported by Bruce Schneier's PasswordSafe
http://www.schneier.com/passsafe.html, which would seem a safe bet).

It allows the username and/or password to be copied automatically into
the X paste buffer, so once authenticated, you just paste the username,
then paste again for the password (it notices the first paste, and
replaces the paste-buffer, clearing it after the password is pasted).

I check the resulting crypted file into a git repository, and pull it
between the machines I trust with such things.  You need to make sure
you pull before adding new passwords of course.

As for putting such a file out there on the net, where I'd need to
trust some other party and it might be subject to brute force attacks
against my pass phrase?  I don't think so.
(And that's with a pretty decent passphrase.)

Cheers, Phil.
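The delegation Phil describes works because a site you log in to (the relying party) fetches your identifier URL and reads the provider and delegate links out of its HTML head (they are `<link>` elements rather than META tags; OpenID 1.1 uses `openid.server`/`openid.delegate`, OpenID 2.0 uses `openid2.provider`/`openid2.local_id`). The example below is added here and is not code from the post, from certifi.ca or from Launchpad; the two home pages and every `provider.example` URL are constructed placeholders. It implements that discovery step for both tag generations and shows why owning the identifier matters: swapping the provider links on the home page moves the login to a different provider while the identifier you hand out stays the same. It also ignores links that appear after `<body>` starts, which is where injected content on a page would usually land, and records whether the identifier was fetched over https, since whoever can change that page decides where your logins go.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the <head> of a delegating home page. The identifier
# is the one named in the post; the provider URLs are placeholders, not
# certifi.ca's real endpoints.
CLAIMED_ID = "https://hands.com/~phil"

HOME_PAGE = """<html><head>
<title>Phil's home page</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://provider.example/id/phil">
<link rel="openid2.provider" href="https://provider.example/openid/server">
<link rel="openid2.local_id" href="https://provider.example/id/phil">
</head><body>
<!-- a link here must be ignored: only <head> counts for discovery -->
<link rel="openid2.provider" href="https://attacker.example/openid">
</body></html>"""

# Same identifier, provider switched: this is the "delegate from your home
# so you can leave a provider later" property from the post.
MOVED_HOME_PAGE = """<html><head>
<link rel="openid2.provider" href="https://other-provider.example/op">
<link rel="openid2.local_id" href="https://other-provider.example/u/phil">
</head><body></body></html>"""

WANTED = {"openid.server", "openid.delegate",
          "openid2.provider", "openid2.local_id"}


class DelegationParser(HTMLParser):
    """Collects the first OpenID delegation <link> of each kind from <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False          # everything after this is ignored
        if tag != "link" or not self._in_head:
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        rels = (attrs.get("rel") or "").lower().split()  # rel may list several
        if not href:
            return
        for rel in rels:
            if rel in WANTED and rel not in self.links:
                self.links[rel] = href


def discover(html_text, claimed_id):
    """Return the provider and local id the relying party would use, or None.

    OpenID 2.0 tags take precedence over 1.1 tags when both are present.
    If no delegate/local_id is given, the claimed identifier itself is used.
    """
    parser = DelegationParser()
    parser.feed(html_text)
    links = parser.links
    if "openid2.provider" in links:
        version, provider = 2, links["openid2.provider"]
        local_id = links.get("openid2.local_id", claimed_id)
    elif "openid.server" in links:
        version, provider = 1, links["openid.server"]
        local_id = links.get("openid.delegate", claimed_id)
    else:
        return None
    return {
        "version": version,
        "claimed_id": claimed_id,
        "provider": provider,
        "local_id": local_id,
        # Integrity of the delegation depends on fetching the page securely.
        "fetched_over_https": urlsplit(claimed_id).scheme == "https",
    }


if __name__ == "__main__":
    for page in (HOME_PAGE, MOVED_HOME_PAGE):
        print(discover(page, CLAIMED_ID))
```

The relying party only ever sees `https://hands.com/~phil`; the provider it is sent to comes from whatever the home page says that day, which is exactly what makes the identifier portable and exactly why the page serving it needs to be protected as carefully as the password file.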
