Tuesday, September 9, 2008

Linux Password Managers.

What happens when there are too many accounts with different passwords? Well, recently I heard of a number of people losing their email passwords and, with them, access to their email. This prompted me to write on password managers. Here are some points on using them.

1. Passwords must be strong. For example, a password should not be the same as the username, nor an easily recognised word such as "password". Password managers can advise whether a password is strong.

2. Since all passwords are now centralised, the manager itself must be secured. The master password that unlocks the application should be strong, and the store it protects should be well encrypted.

3. The code of the password manager must be clean. This means that various parties can audit the source code for functions that would compromise it.

4. Password managers should be run on your own computer, so that others cannot access the data while the store is open.

5. Know the password manager's database filename and back it up. When you need to change computers or reinstall, all the old data can then be restored.


Below are examples of GNOME applications released under the GNU GPL licence to manage a collection of passwords. To retrieve a password, select the entry and use the copy shortcut to copy it to the clipboard, so that you can paste the password into the password field. The problem, however, is that the clipboard must then be cleared, else others can dig the password out of it.
Note: I have tested these on Ubuntu 7.10 Linux.

(A) GPass. Uses Blowfish encryption.
Homepage http://projects.netlab.jp/gpass/

i. How to install? At the prompt:
$ sudo apt-get install gpass

Download size 113K, installs version 0.5.0-2.

ii. After installation, from the menu select
Application -> Accessories -> G Password Manager
The first time, enter a master password (if you forget this, all is lost).
This saves all passwords in ~/.gpass/passwords.gps (perm 600).


(B) Revelation. Uses AES encryption.
Homepage http://oss.codepoet.no/revelation/development/

i. How to install? At the prompt:
$ sudo apt-get install revelation
Download size 1565k, installs ver 0.4.11-2ubuntu2. Dependencies are pycrypto and cracklib2 (2.7-19).

ii. After installation, from the menu select
Application -> Accessories -> Revelation Password Manager
The first time, save and enter a master password (if you forget this, all is lost).
The user is asked for a filename in which to save all passwords. I used nicholas.revelation (perm 600).

Contains a password generator and checker for weak passwords.

(C) KeePass 1.x is also available on MS Windows. Uses AES and Twofish encryption.
Download from http://keepass.info/download.html or, for the Linux version:

i. How to install? At the prompt:
$ sudo apt-get install keepassx
Download size 1036k, installs ver 0.2.2-2.

ii. After installation, from the menu select
Application -> Accessories -> KeePassX

The database is saved as a .kdb file.

(D) Password Gorilla
A multi-platform Tcl/Tk tool. The GUI is rather poor, but you can use this program without worrying about people looking over your shoulder, as all passwords are hidden.

In 1.4-3, it uses Blowfish encryption.

i. How to install? At the prompt:
$ sudo apt-get install password-gorilla

ii. Create a password store.

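Tying together point 5 (know the database filename and back it up) with the perm 600 notes above, here is a small backup script. It is an added example, not part of the original post or of any of these programs: it assumes the database locations given above (~/.gpass/passwords.gps for GPass, a *.revelation file and a *.kdb file in the home directory), refuses to copy a database whose mode is not 600, and keeps the copies owner-only; the backup directory name is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): back up the password-manager
# database files named in the post and verify they are not readable by others.
# Assumed locations: ~/.gpass/passwords.gps (GPass), ~/*.revelation
# (Revelation) and ~/*.kdb (KeePassX). The destination directory is an argument.

# check_perm FILE -> succeeds only if the mode is exactly 600 (owner rw only)
check_perm() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# backup_db FILE DESTDIR -> copies FILE into DESTDIR with a date suffix,
# keeping owner-only permissions on both directory and copy; prints the path
backup_db() {
    src=$1; dest=$2
    [ -f "$src" ] || return 1
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    out="$dest/$(basename "$src").$(date +%Y%m%d)"
    cp -p "$src" "$out" && chmod 600 "$out" && printf '%s\n' "$out"
}

# backup_all DESTDIR -> back up every known database; warn (and fail) for any
# whose permissions are looser than 600 instead of silently copying it
backup_all() {
    dest=$1; rc=0
    for f in "$HOME/.gpass/passwords.gps" "$HOME"/*.revelation "$HOME"/*.kdb; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip
        if check_perm "$f"; then
            backup_db "$f" "$dest" || rc=1
        else
            printf 'WARNING: %s is not mode 600; run chmod 600 on it first\n' "$f" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as `sh backup.sh` after adding a line such as `backup_all "$HOME/password-backups"` at the bottom, and copy the backup directory to removable media; the copies are only as safe as the master password protecting them.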
