
Show HN: Passbox – Another password manager using Bash and GPG - RobBollons
https://github.com/RobBollons/passbox
======
sasvari
related:

 _pass - the standard unix password manager_

    
    
      Password management should be simple and follow Unix philosophy. With pass,
      each password lives inside of a gpg encrypted file whose filename is the
      title of the website or resource that requires the password. These encrypted
      files may be organized into meaningful folder hierarchies, copied from
      computer to computer, and, in general, manipulated using standard command
      line file management utilities.
    

[http://www.passwordstore.org/](http://www.passwordstore.org/)

~~~
drdaeman
Downside of pass is that the filenames are in the open. Thus, metadata (which
sites you have account on) is not secured. Linked one seems to store
everything in a single encrypted file.

Upside is that it has ton of implementations readily available - browser
integration, mobile apps, etc. Linked one (passbox) is just a bash script at
the moment, if one wants to use it across multiple devices and platforms, the
experience may be quite rough.

Another upside is that with a single file model you have to invent your own
conflict resolution scheme. For pass, git just does the trick. And this one
doesn't seem to have anything in this regard.

~~~
deathanatos
> Downside of pass is that the filenames are in the open.

The "entry" names (which I think would correspond to filenames in `pass`)
appear to be passed on the command line here; they'll likely get swept up in
your shell's history file, unless you're careful. (And thus, are essentially
in the open, just like pass.) That said, I think most shells make their
histfiles 600, so they're not directly readable. (And I think `pass`'s
directory is 700, similarly.) And you have to trust the machine you're running
on, of course; otherwise, I can just dump the memory as soon as your keyring
is decrypted.

I think it was when `pass` was on HN that I mentioned this; I have a terminal
keyring manager myself[1], but one of the design decisions I made in it (aside
from a single-file archive) was to not pass entry names on the command line,
specifically so they won't get swept up in histfiles. It's easy, though, it
make it optional, and let the user decide what they want to do. Of course,
your

[1] which is way not ready to be looked at… also seems like we as a crowd
enjoy this topic (keyrings) as a side project.

~~~
drdaeman
There is HISTIGNORE for a reason ;)

But, yeah, if one forgot to add pass there, the metadata will be leaked.

~~~
deathanatos
I did not know about HISTIGNORE! Very interesting. I knew about
HISTCONTROL=ignorespace, though I did not know it was a variable; I just
thought that was a hard-coded feature.

------
cornstalks
How do you work with these terminal-based password managers? Request the
password (à la `passbox get facebook`) and then copy 'n' paste it into the
website?

Are there any security concerns of the password being in the clipboard/memory
(beyond the obvious of accidentally pasting it)?

~~~
RobBollons
That's definitely a way of using it, another is to just manually type it in as
you see it and clear the terminal buffer afterwards. If you do use your
clipboard it does require a certain amount of due diligence in making sure you
empty it afterwards if you're concerned about that as a security risk. It
would be easy enough to create a simple script that could copy it to your
clipboard and then clear the clipboard after a time delay.

It would be possible to construct an attack using Flash to access a users
clipboard form a web browser.

I know a lot of people like to have browser plugins for password managers but
i always feel uncomfortable using them because i don't understand enough about
the technology to trust that it wont be vulnerable.

~~~
sasvari
_It would be easy enough to create a simple script that could copy it to your
clipboard and then clear the clipboard after a time delay._

pass [0] (see comment above [1]) claims to do that:

    
    
      show [ --clip, -c ] pass-name
           Decrypt and print a password named pass-name. If --clip or -c is specified,
           do not print the password but instead copy the first line to the clipboard
           using xclip(1) and then restore the clip‐board after 45 (or
           PASSWORD_STORE_CLIP_TIME) seconds.
    

[0] [http://www.passwordstore.org/](http://www.passwordstore.org/)

[1]
[https://news.ycombinator.com/item?id=10190719](https://news.ycombinator.com/item?id=10190719)

~~~
RobBollons
Clipboard integration probably isn't something i would look to add to passbox
myself, but if someone can find a way to get it to work nicely cross platform
and submit a PR then i would likely merge it.

------
adam_albrecht
This looks very nice, but I would need browser extensions and mobile apps to
go along with it.

1Password is honestly the one app that has kept me from switching to Linux
from OSX. Would love to see a decent open source alternative.

------
UK-AL
Has anyone build a hash style password manager.

hash(website name + global password + increment) = password to use?

or something like it

~~~
drdaeman
That's a _very_ popular scheme.

The major downside is that site saying "your password must [not] contain blah-
blah-blah"/"be N to M characters long"/"may contain only digits" when the
generated one just happens to not conform to such restriction. In my personal
experience, one out of dozen sites tries to be smartass about the passwords,
so the scheme is a PITA in the long run.

Without the increment you also can't rotate password, while with the increment
you need to store the increment value (and if you do keep the notes and the
master secret, why not just remember the password already?)

The password managers are more flexible than password generators, because they
don't have such limitations.

~~~
onionjake
I wrote my own hashing method [1] that given a correct spec for password
restrictions would always generate a valid password. It does it by taking the
hash in base64, then translating those a new set of base64 characters chosen
to increase the likelihood of getting a valid password. If one generated is
not valid, it then iterates until a valid one is found (by cycling the bits).

I have used this personally since I wrote it. Given the downsides, I agree
that password managers are probably better for most people.

[1]: [https://github.com/onionjake/doh](https://github.com/onionjake/doh)

