I'll use this as an opportunity to give a shout out for my new favorite password manager: pass [0]
It uses gpg to encrypt passwords that are then stored locally, but can be synced using Dropbox, rsync, unison, etc. It is a command line program, so it doesn't have things like browser integration, but on a mac, a little Automator magic alleviates most of that pain. Besides, after trying 1password, lastpass, and a few others, the browser integration was usually a source of frustration instead of convenience.
For my setup, I have a keyboard combo mapped to an Automator action that gets the current URL from Safari, passes it to a shell script that strips out the hostname, then uses pass to copy the password to the clipboard for 45 seconds. Then, I use another script to have a notification pop up with my username in case I've forgotten it. So I press "cmd+\", then a second later I have my password in the clipboard and my username showing on a temporary desktop notification.
I'm also using pass to store bank credentials, software keys, and other things. I also have it set up to use a different gpg key to keep a journal. It has turned out to be a very versatile and reliable piece of software.
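The URL-to-hostname-to-pass pipeline described in that setup, written out as a shell script; this is an added example, not the poster's actual Automator scripts. It assumes pass entries are named by bare hostname and that the username is kept on the second line of each entry (a common pass convention, but an assumption here).

```sh
#!/bin/sh
# Reduce a browser URL to the hostname used as the pass entry name.
# Handles scheme, userinfo, port (including bracketed IPv6), path,
# query and fragment, and drops a leading "www." so one entry covers
# both forms of the site.
url_hostname() {
    h=$1
    h=${h#*://}          # drop scheme
    h=${h%%/*}           # drop path
    h=${h%%\?*}          # drop query (when there is no path)
    h=${h%%#*}           # drop fragment
    h=${h##*@}           # drop userinfo
    case $h in
        \[*\]*) h=${h%%\]*}; h=${h#\[} ;;   # [::1]:8080 -> ::1
        *)      h=${h%%:*} ;;               # drop port
    esac
    h=${h#www.}
    h=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# Copy the password for the site to the clipboard and show the username
# in a desktop notification. Usage: copy_credentials_for_url "$url"
copy_credentials_for_url() {
    host=$(url_hostname "$1") || { echo "no hostname in: $1" >&2; return 1; }
    # "pass -c" copies the first line of the entry to the clipboard and
    # clears it again after 45 seconds (pass's default).
    pass -c "$host" || return 1
    # Assumption: username lives on line 2 of the entry. Quotes and
    # backslashes are stripped so the value is safe inside the AppleScript
    # string literal below.
    user=$(pass show "$host" | sed -n '2p' | tr -d '"\\')
    osascript -e "display notification \"${user:-no username stored}\" with title \"pass: $host\""
}

# Only run when invoked with a URL argument (e.g. from Automator).
if [ "$#" -gt 0 ]; then
    copy_credentials_for_url "$1"
fi
```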
1) one of the reasons I use a password store is to share passwords with my wife. I can't imagine her using this
2) iPhone? Android?
3) 1password's integration with the browser is very helpful: since I've been using a linux box as my day-to-day machine (where 1password doesn't have a native version), I've been using it significantly less, because it adds friction. On Mac OS, I would just auto-gen a horrific 12-16 character random password for any website, and have it automatically saved to my 1password.
As you might guess, I have high hopes for Mitro, especially if they (well, I guess it's now we) can create a compelling don't-use-their-host story (either hosted, or file-based (eg. dropbox)) and pass at least a cursory security smoke test. :-)
I'd love to find a way to securely share passwords with mobile devices. But from what I understand, there's no very secure way to do it on Android. If you store a private key on the device then other applications may have access to it. And with iOS, each app is its own silo, so I'm not sure how you'd get password autocomplete working. An ideal solution would allow selective sharing because there are some secrets you wouldn't want stored on your mobile device.
Applications are separated by Linux permissions on Android. Attempting to read or write to other application directories simply won't work. Your fear is not correct for the average case user.
It depends on how you do it. If you use the local app storage, it's protected via the OS. Only the App itself can read/write from it.
If you use "USB Storage" then the data is stored on the sd card or equivalent. Any other app with the USB Storage permission can read or write to that directory and it's very much not secured.
As for interfacing with other apps to "autocomplete" your password, there are permissions and ways to do that too, although I can't speak for them since I've never done it.
You're absolutely right -- my setup comes with a lot of limitations. They are ones that I'm happy living with, but when family and friends ask for advice on passwords I point them to 1Password. Hopefully Mitro will become my new recommendation!
Those are limitations I could live with; I'm interested in giving it a go. Could you post the scripts on pastie/github by any chance to spare me some dev time? Or my mail is in my profile.
I'll use this as an opportunity to give a shout out for my own unix password manager that I started writing because I did not like some design choices of pass: pw [1].
From the homepage:
> pw is an alternative to pass, keepassx and other similar programs.
> The main points of pw are:
> * The passwords are stored using a simple line-based text format.
> * Passwords can be protected using public-key encryption or symmetric encryption. Or both.
> * No information about the accounts is stored in clear-text.
> * All the work is done using only GPG and Unix tools.
> * The output is easy to use in pipeline with other tools.
> * Follows the XDG Base Directory specification: no clutter in your home directory.
That looks neat -- I've been using a somewhat similar little home-baked thing of my own (simple shell script wrapping gpg), largely because I wanted a simple command-line password manager and this 'pass' thing I've been seeing linked in various places strikes me as (a) pretty poorly designed and (b) quite over-sold -- e.g. its author declaring it "standard" when it's clearly nothing of the sort is rather off-putting. There've been patches posted on the xmonad development mailing list recently adding support for it, but I'm really hoping they don't get integrated because I don't view encouraging increased use of it as a good thing.
[0] http://www.passwordstore.org