

Using ccrypt as a password manager - jon_black
http://jonblack.org/posts/using-ccrypt-as-a-password-manager/

======
calpaterson
A lot of these tools on the front page today. I think a lot of them only
contain 40-60% of what is required to be useful. Any password safe needs to:

- somehow work on my phone, not just because I sign into things when I'm away
from my desk but also because I'm not going to manually copy all the passwords
into my phone

- generate secure passwords for me when I need to enter one

- record passwords I use to help me migrate if I'm not using a safe already

- import passwords from other password safes

- support filling the passwords into the page, so that I don't have to open a
terminal, decrypt, copy, paste and possibly re-encrypt

- support two factor authentication systems

This isn't a complete list, it's a minimum. It's also nice to support multiple
forms of two factor auth, in case my phone gets stolen and it's nice to have a
form filler too.

It's ok to be a "unix-style tool" that does one thing and one thing only, but
you need to have other tools for doing every other feature that is required.

~~~
zimbatm
What's the point of having a second factor auth if both are stored on the same
device? If the phone is compromised electronically or physically then
everything is lost.

~~~
calpaterson
Well, you don't store them on the same device :)

------
StavrosK
Use pass[1] if you want to use the command line, it uses GPG to encrypt each
password and git to version them. It's pretty nifty.

[1]: http://www.zx2c4.com/projects/password-store/

------
agwa
ccrypt uses a single iteration of a hash function to derive the encryption key
from your passphrase, which provides very weak protection against exhaustive
searches for your passphrase.

For encrypting a single file with a passphrase, I just use GPG: `gpg -c` to
encrypt, and `gpg -d` to decrypt.
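
The key-derivation point in the comment above, as an added example that is not part of the thread or of ccrypt's code: it measures on the local machine how much one passphrase guess costs with a single hash pass versus a salted, iterated KDF. Assumptions: SHA-256 stands in for the single-pass hash, PBKDF2-HMAC-SHA256 with 200,000 iterations stands in for a stretched derivation, and the passphrase and the 40-bit entropy figure are constructed sample values.

```python
import hashlib
import os
import time

# Assumption: SHA-256 stands in for the single-pass hash; ccrypt's own
# key derivation is not reproduced here.
def single_hash_key(passphrase: bytes) -> bytes:
    """One hash invocation: every passphrase guess costs a single hash."""
    return hashlib.sha256(passphrase).digest()

def stretched_key(passphrase: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC rounds, and
    the per-file random salt rules out reusing precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)

def seconds_per_guess(derive, repeats: int) -> float:
    """Average wall-clock cost of one key derivation on this machine."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive()
    return (time.perf_counter() - start) / repeats

def years_to_exhaust(entropy_bits: float, per_guess: float) -> float:
    """Expected time to search half of a 2**entropy_bits passphrase space."""
    return (2 ** entropy_bits / 2) * per_guess / (365.25 * 24 * 3600)

def compare(passphrase: bytes = b"constructed example passphrase",
            entropy_bits: float = 40.0) -> dict:
    """Time both derivations and project the search cost for each."""
    salt = os.urandom(16)  # stored alongside the ciphertext, not secret
    fast = seconds_per_guess(lambda: single_hash_key(passphrase), 20_000)
    slow = seconds_per_guess(lambda: stretched_key(passphrase, salt), 3)
    return {
        "work_factor": slow / fast,
        "single_hash_years": years_to_exhaust(entropy_bits, fast),
        "stretched_years": years_to_exhaust(entropy_bits, slow),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3g}")
```

The figures are single-core estimates for the machine running the script; what carries over is the ratio between the two derivations, not the absolute times.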

