
Ask HN: Password Gorilla last commit 3 years – give up on open source pwd mgr? - banku_brougham
I've read everything I can find on HN and other sources about password managers. I was influenced by this paper, "On the Security of Password Manager Database Formats" (http://www.cs.ox.ac.uk/files/6487/pwvault.pdf), which indicates PasswordSafeV3 is the only DB secure vs. Read/Write attacks (safe to store the DB in the cloud). Eventually I decided on Password Gorilla (https://github.com/zdia/gorilla) based on criteria I'll list below.

Now I realize that the github repo hasn't had a commit in 3 years, 3 years of new vulnerabilities. There is an updated (2014-10-27) version linked to their site, but this is obviously not part of the open source code in the repo, so I may as well just trust the fancy new closed source products.

I'm in a quandary:

- 2nd choice: pwdsafe.org is a secure DB and source code is available on sourceforge, so theoretically I can trust that malicious/crap code in there would be discovered by security researchers. But it is only available for OSX from unknowns that are not open source. (https://pwsafe.org/downloads.shtml)
- 3rd choice: [KeePassX](https://github.com/keepassx/keepassx), active development, fails the standard of RW attacks researched in the paper. Open source yet inferior database is unsafe to store on G-drive, dropbox.

It looks like I have no choice but to go ahead and trust an unknown software developer and hidden source code, even for the 'open source' product; might as well go with LastPass or Dashlane, which are closed source but which at least have resources and very active development and responsiveness to reported vulnerabilities. Oh and LastPass was acquired by LogMeIn so trust is even shakier.

My criteria for choosing:
- OSX and Linux
- Open Source, because I believe that it meets a higher standard of security
- Must time-out or reauthenticate after inactivity
- Support 2 Factor Authentication
- iOS client would be nice
- I&#x27;m only storing tier-two passwords.
======
mpettitt
Did you see that Keepass introduced fixes to the issues raised in that paper
before it was released, thanks to the responsible disclosure by the authors?
[http://keepass.info/help/kb/db_headerauth_upg.html](http://keepass.info/help/kb/db_headerauth_upg.html)

~~~
banku_brougham
No I didn't see that the authenticated header which was called out as the
source of the vulnerability in the paper has been fixed in the 2.20 version,
though I should have. Thanks for pointing that out.

I'm testing KeePassX now, and it seems ok. However usability is a bigger
criterion than I originally thought, because all the copy/paste of username
and login is more effort than just memorizing and typing by hand. In fact I've
memorized the credentials of the 5 accounts I'm testing it with.

KeePassX has a timed lockout function, which is excellent.

However unless I quit the browser I will remain logged in to the accounts even
after computer sleeps. I would prefer to require another master password
confirmation to access accounts after leaving my computer and returning and
authenticating the machine.

This is a new criteria I would like to add: re-authenticate master password
after inactivity/sleep. This would be ideal, in the unlikely event that my
employer fires me and takes my laptop away - I don't want IT admin to be able
to log in to the machine and access my Evernote, gmail, or other accounts.

It looks like KeePass/KeePassX cannot address this, probably would require a
browser extension.

Maybe I should consider the LastPass/Dashlane model, I think they offer this
functionality.

Also, I won't use rando Chrome extensions like Log Me Out, though it would
provide the needed functionality. I would consider opening the package and
rolling my own Log Me Out chrome extension. That + KeePassX would solve my
problems, except for the copy/paste usability issue.

~~~
mpettitt
The Windows version has an autotype feature - not sure if that has made it to
the ports though. It's also not as smooth a flow as Lastpass, since there is a
context switch between browser and password manager (although I seem to
remember that there used to be an extension offering Lastpass style access to
Keepass for Firefox, possibly called KeeFox, or FoxPass?).

I don't think any distinct software could automatically log out of sites - it
would presumably come down to deleting cookies on sleep (or relying on the
sites to have sensible session expiry times) - so I'm not sure that the
password manager is the right tool for that. A password manager would protect
the passwords for your accounts, but that's not the same as sessions for your
accounts.

------
drostie
I actually wrote a JS-based encryption container which passes these
requirements (and does not even have PasswordSafeV3's key-reuse problem!) for
these very reasons about 2 years ago, and one of its example applications in
the repository, 'tagaloop', can function as a password storage container:

[https://github.com/drostie/nermal](https://github.com/drostie/nermal)

Tagaloop does not time-out or re-authenticate for you, and since I'm not
selling the service I can't offer 2FA, but of course if you wanted to build a
company out of this stuff it's open-source. In addition nermal makes the
deliberate decision to not support "seek" operations, so it does not e.g.
store a header field which could then be scanned in advance to index a bunch
of concatenated binary strings -- this is not bad for password storage where
the metadata outnumbers the data by a factor of 2 or 3 so there's no point,
but other applications like storing an encrypted archive of files might
suffer.

------
clishem
[https://www.passwordstore.org](https://www.passwordstore.org)

It uses GPG.

~~~
Freak_NL
Yes! Passwordstore is nothing more than a BASH script you can easily browse
yourself to see what it does. Encryption is done by GnuPG, so if you already
have a GPG-key, getting started is even easier.

The command-line interface is very intuitive, and there are a couple of GUI
front-ends as well if you want one. Also, passwordstore's database is nothing
more than a directory structure containing GPG-encrypted text files. You can
access these files without passwordstore as well, as long as you have your GPG
private key.

For distributing your password database to multiple machines, passwordstore
integrates with git. Another option is the excellent syncthing
([https://syncthing.net/](https://syncthing.net/)) which syncs chosen
directories with trusted machines (verified using TLS) on the local network.

Passwordstore stores secrets in a directory tree. A really nice feature of
passwordstore is that you can have it encrypt secrets under specified
directories for _multiple_ GPG-keys.

So what I do to share some passwords with my partner, is set up a certain
directory in passwordstore's tree to encrypt for both our GPG-keys, and sync
only that directory with her computer with syncthing. She has the same setup,
but with the default for her passwordstore's database being her own GPG-key.
So we both have our private passwords, and a shared set of passwords and other
secrets that is synced whenever both our computers are on the same local
network.
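The multi-key layout Freak_NL describes (a tree of `.gpg` files where the nearest `.gpg-id` file above an entry names the keys that can decrypt it) is worth being able to audit before you sync a shared subdirectory to someone else's machine. The following is an added example, not passwordstore's own code and not from anyone in this thread: it builds a constructed sample tree with hypothetical `alice@example.org` / `bob@example.org` key IDs, resolves each entry's effective recipients the way `pass` does (walk up from the entry's directory to the store root and take the first `.gpg-id` found; `#` starts a comment in that file), and lists every entry that a key other than the owner's can open. The `.gpg` payloads are placeholders and nothing here calls gpg; the point is the recipient resolution, not the encryption.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed sample store (not a real pass database) laid out the way
# pass(1) lays out its tree: one <name>.gpg file per secret and a .gpg-id
# file naming the recipient key(s) for that directory and everything below it.
# Key IDs are hypothetical; the .gpg contents are placeholders, not ciphertext.
SAMPLE_STORE = {
    ".gpg-id": "alice@example.org\n",
    "email/gmail.gpg": b"<encrypted placeholder>",
    "bank/savings.gpg": b"<encrypted placeholder>",
    "shared/.gpg-id": "alice@example.org\nbob@example.org  # partner's key\n",
    "shared/router.gpg": b"<encrypted placeholder>",
    "shared/streaming/netflix.gpg": b"<encrypted placeholder>",
}


def build_sample_store(root: Path) -> Path:
    """Write the constructed sample tree under root and return the store root."""
    for rel, content in SAMPLE_STORE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            path.write_bytes(content)
        else:
            path.write_text(content)
    return root


def make_temp_store() -> Path:
    """Build the sample store in a fresh temporary directory (caller cleans up)."""
    return build_sample_store(Path(tempfile.mkdtemp(prefix="pass-audit-")))


def read_gpg_ids(gpg_id_file: Path) -> list[str]:
    """Parse a .gpg-id file: one recipient per line, '#' starts a comment."""
    ids = []
    for line in gpg_id_file.read_text().splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.append(line)
    return ids


def recipients_for(store_root: Path, entry: Path) -> list[str]:
    """Key IDs that can decrypt entry: walk up from the entry's directory to
    the store root and use the nearest .gpg-id, which is how pass picks the
    recipients when it (re)encrypts an entry."""
    store_root = store_root.resolve()
    directory = entry.resolve().parent
    while True:
        candidate = directory / ".gpg-id"
        if candidate.is_file():
            return read_gpg_ids(candidate)
        if directory == store_root or directory == directory.parent:
            raise ValueError(f"no .gpg-id found above {entry}; store not initialised")
        directory = directory.parent


def audit_store(store_root: Path) -> dict[str, list[str]]:
    """Map each entry name (path without .gpg) to its effective recipients."""
    result = {}
    for gpg_file in sorted(store_root.rglob("*.gpg")):
        name = str(gpg_file.relative_to(store_root).with_suffix(""))
        result[name] = recipients_for(store_root, gpg_file)
    return result


def shared_entries(audit: dict[str, list[str]], owner: str) -> dict[str, list[str]]:
    """Entries someone other than owner can decrypt, with the extra keys:
    the list to review before syncing a directory to another machine."""
    return {name: [k for k in keys if k != owner]
            for name, keys in audit.items() if any(k != owner for k in keys)}


if __name__ == "__main__":
    root = make_temp_store()
    audit = audit_store(root)
    for name, keys in audit.items():
        print(f"{name:28} -> {', '.join(keys)}")
    print("shared with others:", shared_entries(audit, "alice@example.org"))
```

Run against a real store, point `audit_store` at `~/.password-store` (or wherever `PASSWORD_STORE_DIR` points) instead of the constructed tree; an entry that was encrypted before a `.gpg-id` was changed keeps its old recipients until re-encrypted, so the resolved list is what a fresh `pass insert` would use, not a guarantee about existing ciphertext.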

~~~
Freak_NL
Also, the security of passwordstore depends on how you handle your GPG-key, so
if you use something like a Yubikey NEO to store your GPG-key on, you
effectively have two-factor authentication, as mentioned in OP's question.

------
cakes
I used password gorilla for years until 2015, when I switched to keepassx.

I had similar concerns about how it felt that password gorilla remained
unchanged for periods of time, regardless of whether I would know if there was
a vulnerability or not. It was more...it felt stable (which was fine) but not
"this will be here forever!" to me. I recognize I could've forked it (or
something similar) but I don't (yet) know tcl/tk and don't feel comfortable
"owning" my own password manager for security-related stuff.

I can recommend keepassx/family (I had, long ago, chosen password gorilla for
Windows & Linux support) but, at this point if you are moving, find something
you are comfortable with (that's updated!).

------
carussell
How many passwords are you storing currently? And are you using password
managers for the convenience of not having to commit secure passwords to
memory, or for the ease of automatic password entry?

Sticky notes are a hallmark of bad security, but that doesn't mean a pen-and-
paper approach has to be ruled out entirely. Depending on how you answered the
last two questions, a small notebook containing the passwords written out in
some format other than plain text could be a surprisingly viable contender for
any software password manager.

~~~
banku_brougham
My passwords, appx: 100 passwords for low priority accounts.

20 that would be bad if hacked (tertiary email, twitter, coursera, etc)

6 critical that I won't commit to electronic storage.

I would love to not have to lookup and type in passwords for the first two
groups.

------
tomw1808
Interesting. I am not really into PWGorilla, but some friends are. They are
constantly recommending it to me, although we are kind-of forced from the
company to use a closed source pw manager (1pass).

Is there anything particularly security related that is concerning you
regarding pw-gorilla vulnerabilities?

So far I can recommend 1pass, though its not for free. If you have any
particular concerns with 1pass security wise I would be interested too (except
its closed source).

Thx.

~~~
banku_brougham
my concern with PW Gorilla is only the point I mentioned: lack of active
development, and recent update is not part of open source repo.

I'm in no way capable of evaluating the security of open source password mgr
implementations, but I'm willing to gamble on the lower tier passwords that a
lot of expert research is validating the strength of the popular ones.

For closed source, I think I have to assume they are screwing something up.

------
suraj
You can compile pwsafe QT GUI for OS X very easily. However, the GUI feels out
of place because of QT.

