2019

>2019
>Using a password manager
>Ishygddt

I do:
base64(md5(base_password+service_name+[0-9]))

To generate my passwords whenever I need them.

Attached: password-managers-for-android.png (728x380, 27K)

how do you remember [0-9] part

keepassxc still safe :^)

How many times I have changed it.

Nice try NSA

I still don't know what a password manager is and how they work. What's the difference from saving all your passwords in plaintext and then compressing with an AES-256 pass?

Password Managers have additional functions. They can usually be a cross-referenced database so you can search for the ones you need, they can often generate or in some cases auto-input passwords/data into needed fields (ie with certain browser plugins), they can store info besides just user/pass, they often support 2FA HOTP/TOTP and others, and they can depending on the type sync the database to multiple devices or host it somewhere.

All proprietary managers (ie Dashlane, LastPass) are garbage, like anything in OP's picture. You want exclusively open source. There are two "stand alone" standards worth using: either KeePass (ie KeePass 2.x from keepass.io, KeePassXC, various mobile apps etc), which is database-file based (ie .kdbx extension) and has a TON of features depending on the particular client. It's up to you to figure out how you're going to save that database file etc, but there are ways to sync it around securely if you wish. The other option is BitWarden, and it's the only open source "cloud" based password manager; your stuff is stored on a server somewhere. You can use their server (encryption means they don't have access to your data, proven by good practices and open source) or you can run your own server on your own machine. These are the two main open source full-featured password manager ecosystems, but there are others out there that can be beneficial as well (ie do you have a NextCloud install? PassMan is essentially a BitWarden style feature for NextCloud).

cat /dev/random | base64

>they can store info besides just user/pass
so... botnet

That's an outright worse version of password managers, since all your passwords are compromised the moment your password generation scheme is, allowing for like 3 bits of randomness.
You can't even really memorize them. The only part that's better than memorizing passwords is that it avoids outright password reuse, but there are simpler ways to solve that without all the downsides.
Just generate proper passwords and use a reliable password manager to handle all but the most important passwords (generate and memorize a few good ones for those). There are very few reasons not to.

>FOSS password manager
>NSA

You should really consider pass as well. Passwords are encrypted with GPG so if you're like me and have a U2F device you can use that to get your passwords. Also you can set up the password store as a Git repository for syncing across devices. It has a CLI to interact with the passwords and you can use browserpass for auto-filling on webpages.

No more than having 2 fields in an encrypted database residing on your PC is a "botnet". They simply have additional features to make organization easier and they're as offline and open source as you want them to be... the good ones anyway.


pass is another good one but is kind of a niche use case for those who are CLI focused on a *nix machine. One good thing about KeePass and BitWarden are they can be used nearly universally and are supported with GUI apps on all major OSes, while being easy to navigate and use for newbies.

That's a fair argument. If you don't have a GPG key or a way to sync it you're out of luck. I initially tried using KeePass but never could think of a reliable way to securely transfer my key database. I'm sure there are much better and easier ways to do it now but pass works for me well enough that I see no need to switch.

Forgot to mention that the pass client on Android works really well also. You can have it configured to ask OpenKeychain to decrypt the passwords. Again, since I have a U2F device I can use NFC and enter my PIN in order to get them.

>hey user can i use your laptop?
>sure
>history

Nice

>No bitwarden on the list
Yeah bois, feels good.

>Keepass not listed
really makes me think

>but never could think of a reliable way to securely transfer my key database
not sure what you're getting at here. the DB file is already encrypted, what else do you need?

Ahh well yeah, if it's working for you then stay with what works. Oh, so how do you sync your databases between your desktop and the Android app you mentioned? Or do you not do so and just use separate ones?

Regarding syncing for KeePass (BitWarden by nature syncs), there are a number of ways to do so. Some clients have built-in or plug-in methods to directly interface with cloud storage or sync services. You can also do this manually if you wish by just leaving your database somewhere (ie a NextCloud instance) and then connecting to it, which doesn't necessitate a need to sync since you're essentially just writing to the same old database. Alternately, if you have multiple databases you can use something like SyncThing or SyncAny (maybe SparkleShare) to sync them. If I recall correctly all of these should be encrypted as required. But yeah, Pass is good if it works for you!

No one is going to be able to reverse any of those passwords after they have been hashed again by the service. Even if that service is compromised. A ton of characters, no words.
I have a secret root user with which I generate them.

good goy.

>history shows you accessing root user

Nice

I just use based KeepassX without any browser integration shit.

I like your method of pass gen, but I would use sha256 and some sort of cut

>HIST_IGNORE_SPACE=1
>now just add spacebar every time you need to get password

>using a dead fork
Consider KeePassXC

>forgets spacebar once exposing base password

Nice

can i import my db?

It's a fork of KeePassX that's actually maintained still, so yes.

>keepass nowhere to be seen
and my life goes on undisturbed.

Yes

systemd is foss too :^

Use a keyfile and move it separately from the DB, assuming your master password is so shit you're scared.

>Why yes I do store my passwords in a text file encrypted with gpg

>decrypted in ram
lmao

>-bash: syntax error near unexpected token `md5'
Powerful stuff OP!

Generating local passwords is all fine and well,
but what if you get hit by a car, or die in a plane crash?

The only reason why I use a password manager is because it has a feature that allows emergency access from specified emails in case I die or some shit.

How would you handle that scenario?
>inb4 im dead so i dont care

It's not a terminal command, it describes function transformations. Not that it's a very secure scheme, though.

>using a centralized password manager that allows email backdoors

What would be a secure scheme + usable as a terminal command?

Not the guy, but I use pass as well. I keep my main devices in sync with git. It's built right into pass and supported by all the implementations. A while ago, I also used syncthing like I do for the rest of my stuff, but I had some sync conflicts at some point and figuring out what files to keep when everything's encrypted is no fun. I'd recommend it for syncing keepass though; if you continue shilling for keepass here you might as well include syncthing for syncing it up.

Answer my question faggot.

I gave a gpg key on a disk to my mom that she stores somewhere I don't know. It's not perfect opsec in case the cia niggers try to get me, but then again I don't plan on running a truck of peace and love into pedestrians. In case I have severe memory loss I'll probably figure out what to do with the key she can provide me in that case.

>Thinking a password manager is better just because it’s FOSS.

Yikes. Never change, Jow Forums.

This
Encryption just werx

>putting all you secrets into a blackbox that pushes them to some faggots server you don't have any control over whatsoever
vs
>encrypting your stuff with a well known and checked encryption program and syncing it only between your own devices
Hmmmm I wonder what's safer

>people shitting on lastpass
if you knew how lastpass works then you wouldn't be doing this.

>write small C script which generates a string with 30 chars
>remember String and change password manually
>do this for every single one

everything else is bullshit.

it doesn't

>(((you)))

Passwords were a mistake. We should have had automatic pgp authentication in browsers a long time ago. Sites store your public key on sign up, and you sign a nonce to prove your identity for login. Normies would just use their browser's built-in key handler, but autists like us could use smartcards or whatever to store our private keys actually safely.
But instead we're in the fucking password ghetto still. What the fuck.

This
When making a password always assume your attacker can guess 100 trillion passwords per second.
Your password should be secure enough that if every year the speed is doubled, your password will still be secure for over 100 years.

> have a dictionary now
Of 100 million English words
> write a C script that generates 10 random numbers from 0 to 100m+
> output is concatenation of 10 random words from the dictionary
More secure unless they're all something like "a"
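Two of the posts above make quantitative claims without showing the arithmetic: the earlier one that the OP's base64(md5(base_password + service_name + [0-9])) scheme leaves only a few bits of per-site randomness once the base password leaks, and the ones just above about an attacker budget of 100 trillion guesses per second doubling yearly over 100 years, and about concatenating 10 random words from a 100-million-word dictionary. The following is an added example, not code from the thread, that puts numbers on each claim and generates a passphrase with the CSPRNG-backed `secrets` module. The reference implementation of the OP's scheme, the tiny word list and the sample inputs are constructed for the example.

```python
# Added example (not from the thread): entropy arithmetic for the password
# schemes discussed above, plus CSPRNG-based passphrase generation.
import base64
import hashlib
import math
import secrets
from typing import Sequence

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_password(base: str, service: str, digit: int) -> str:
    """Reference implementation of the OP's scheme: base64(md5(base + service + digit)).
    MD5 yields 16 bytes, so the output is always 24 base64 characters ending in '=='."""
    if not 0 <= digit <= 9:
        raise ValueError("digit must be in 0-9")
    material = f"{base}{service}{digit}".encode()
    return base64.b64encode(hashlib.md5(material).digest()).decode()


def per_site_entropy_bits() -> float:
    """If the base password and the scheme are known, the only per-site secret
    is the single digit: log2(10) ~ 3.3 bits, the '3 bits' the post refers to."""
    return math.log2(10)


def required_entropy_bits(guesses_per_second: float, years: int, doubling: bool = True) -> float:
    """Bits a secret needs so its keyspace exceeds every guess the attacker can make
    in `years` years. With yearly doubling the total is a geometric series:
    rate * seconds_per_year * (2**years - 1)."""
    per_year = guesses_per_second * SECONDS_PER_YEAR
    total = per_year * (2 ** years - 1) if doubling else per_year * years
    return math.log2(total)


def passphrase_entropy_bits(dictionary_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly and independently from the dictionary."""
    return n_words * math.log2(dictionary_size)


def make_passphrase(words: Sequence[str], n_words: int, sep: str = " ") -> str:
    """Draw with replacement using secrets.choice (CSPRNG); random.choice is
    seeded from predictable state and must not be used for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


# Constructed tiny word list; a real one would be far larger (e.g. EFF's).
WORDS = ["anchor", "bishop", "cactus", "dragon", "ember", "falcon",
         "glacier", "harbor", "island", "jasper", "kettle", "lantern"]

if __name__ == "__main__":
    print("OP-style output:", derive_password("hunter2", "example.com", 7))
    print(f"per-site entropy once base leaks: {per_site_entropy_bits():.2f} bits")
    print(f"needed vs 1e14 guesses/s doubling yearly for 100 years: "
          f"{required_entropy_bits(1e14, 100):.1f} bits")
    print(f"needed without doubling: {required_entropy_bits(1e14, 100, False):.1f} bits")
    print(f"10 words from 1e8-word dictionary: {passphrase_entropy_bits(10**8, 10):.1f} bits")
    print(f"10 words from this {len(WORDS)}-word list: "
          f"{passphrase_entropy_bits(len(WORDS), 10):.1f} bits")
    print("sample passphrase:", make_passphrase(WORDS, 10))
```

The doubling budget works out to roughly 171 bits, which no memorized password reaches; the point of the calculation is that a word-based passphrase from a large list gets there comfortably while the OP's scheme contributes about 3 bits per site beyond the base password. Passphrase strength depends only on the list size and the word count, not on the words looking unusual, and the draw must use a CSPRNG.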

sha256sum

>not using an encrypted text file with password hints only
the absolute state of this board

Just use keepassx desu.

see

Based.

SystemD is coded by redhat glowniggers.

>base64
holy shit this is stupid.

or just an encrypted text file with everything. even a fucking truecrypt container would suffice. this board is fucked, m8.

But what if I want to log into a service on a computer that's not mine? Smart cards work but normal people aren't going to buy these just so they can log into reddit.

Not OP but why?

>using password managers

fucking serfs

>having password short enough to be brute forced
>having to read long passwords every single time you are asked a password

There are lots of solutions. Generate keys from a key phrase and remember it, encrypt the key and use a private key hosting service, or use an app on your phone if you're clinically retarded.
But the true redpill here is that you can never let your private key be visible in an untrusted environment. So if the computer isn't yours and you're not using a smartcard, consider your key compromised. The same goes for opening your password manager on an untrusted machine.
The benefit of using a public crypto auth system is your secret is never revealed to anyone if you do it right, unlike password auth where your secret is revealed every time you log in and there's nothing you can do to stop this.

The absolute state of : trying not to get memed into comp'ing your OPSEC.

Your post makes no sense.

It does. You're just a brainletard.

It's okay user, I'm pretty sure whatever you've got could be treated with CBT.

pass + yubikey master race

>steals your yubikey
Wot nao?

history | grep su
Your secret user is secret no more

>Secrets stored in memory
It's no better than any other password management setup.

Nobody is getting in then since you can put a pin on a Yubikey.

Lastpass can't access your passwords since your master password is never sent to their servers and they keep it encrypted on their side, so I don't see how it's garbage.

I don't recall remembering if it was encrypted already or not aside from just the master password. I mostly just couldn't think of a way to keep the database synced across my devices, but I'm aware I can do it now that I have my own Nextcloud instance using that.

I'm the guy. Basically what said is how my setup works. The only downside is that you can't really set up pubkey authentication in the Android client when using a U2F device. That is, the private key needs to be stored on the device and the app needs to be told about it at the time of configuration, then you can delete it. I used to have this, where even if I wanted to sync with Git my SSH private key resided on my U2F device and I'd need that in order to sync as well, but I don't have my SSH private key anymore - it's only on my U2F device. Instead, I just created a different keypair only for using with the Pass Android client. I will probably submit a pull request for this.

You are a dumb nigger. Use Argon2 or bcrypt you fucking idiot

If I die why the fuck should I care about the living?

You have 3 chances to get the 6 digit pin correct. And i have a backup yubikey.

Yeah it doesn't help a lot as you access the most important passwords often, but feels good anyway.

It is hosted in the US and has a lot of proprietary software, so you really can't confirm things. Especially when it comes to security or privacy central software, much less the thing guarding your passwords, it's always best to choose an open source solution, especially since there are well made and vetted options in this case.

LastPass has had a number of issues in the past a couple of years back, with holes in their security and other issues causing some pretty significant vulnerabilities. While no software is bug free, I don't see any reason to pay for the proprietary US hosted big name offering that promises they're being good and fixing everything, not doing anything shifty and their code is solid. Not when there are alternatives that are equal or better that are open source.

Wow a bunch of compromised online password managers, what a shocking development

Which is why non-retards use bitwarden.

awk 'BEGIN{getline a

are people using centralized services and trusting them to keep their passwords safely? why not use keepass and store the file yourself? or if you need access outside your home you can keep it in a cloud server or something.

>but the nsa and fbi
the feds don't need your password to access your online accounts. they have backdoors to every online service and if you're being investigated for serious shit they'll just get a judge to rubber stamp a subpoena

Nothing. It's another point of failure you're introducing for no reason other than "but it's convenient". Never have anything related to your passwords on a computer that has networking.

Just gonna go ahead and shill Bitwarden some more: You can host your own storage server.

lmao, just write easy to remember phrases and get a SHA-256 or convert to BASE64.

Stop your kvetching and buy your password, goy!

>glowniggers
lmfao who comes up with these terms?

the late Terry A Davis

Who /address book in desk/ here?

>Start your command with a space and it won't be included in the history.

>Be aware that this does require the environment variable $HISTCONTROL to be set.

>Check that the following command returns ignorespace or ignoreboth

>#> echo $HISTCONTROL
>To add the environment variable if missing, the following line can be added to the bash profile. E.g. $HOME/.bashrc

>export HISTCONTROL=ignorespace
>After sourcing the profile again, space-prefixed commands will not be written to $HISTFILE
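Several posts above turn on the same problem: a password-deriving command typed at the prompt ends up in shell history, and the HISTCONTROL/ignorespace trick only helps if the variable is set and the space is never forgotten. The following is an added example, not code from the thread, that checks a HISTCONTROL value the way bash interprets it (a colon-separated list) and audits history text for commands that carry a secret inline, which is the check to run after a slip. The regex patterns and the sample history lines are constructed for this example and cover only the cases the thread mentions.

```python
# Added example (not from the thread): HISTCONTROL check and a scan of
# shell history text for commands that embed a secret on the command line.
import re
from typing import List, Optional, Tuple

# bash skips space-prefixed commands only for these values (HISTCONTROL may
# hold several, colon-separated, e.g. "ignoreboth:erasedups").
SPACE_HIDING_VALUES = {"ignorespace", "ignoreboth"}


def histcontrol_hides_space(value: Optional[str]) -> bool:
    """True if this HISTCONTROL value makes bash drop space-prefixed commands."""
    if not value:
        return False
    return any(part.strip() in SPACE_HIDING_VALUES for part in value.split(":"))


# Constructed patterns for the situations discussed in the thread:
SECRET_PATTERNS = [
    # a base password echoed into a hash/encoder (the OP-style derivation)
    re.compile(r"\b(echo|printf)\b.*\|\s*(md5sum|md5|sha\d+sum|base64)\b"),
    # KEY=value assignments whose name suggests a credential
    re.compile(r"\b\w*(password|passwd|secret|token)\w*=\S+", re.IGNORECASE),
    # tools that take the password as an argument
    re.compile(r"\bsshpass\s+-p\s*\S+"),
    re.compile(r"\bmysql\b.*\s-p\S+"),
]


def find_secret_bearing_lines(history_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every history line matching a pattern."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append((lineno, line))
    return hits


# Constructed sample history; 'hunter2' stands in for a real base password.
SAMPLE_HISTORY = """ls -la
echo -n hunter2example.com7 | md5sum | base64
export AWS_SECRET_ACCESS_KEY=EXAMPLEKEY
mysql -u root -phunter2 app
git status
cat /dev/random | base64
history | grep su"""

if __name__ == "__main__":
    import os
    value = os.environ.get("HISTCONTROL")
    print(f"HISTCONTROL={value!r}: space-prefixed commands hidden? "
          f"{histcontrol_hides_space(value)}")
    for lineno, line in find_secret_bearing_lines(SAMPLE_HISTORY):
        print(f"line {lineno}: {line}")
```

In practice one would feed it the contents of `$HISTFILE` (usually `~/.bash_history`) rather than the embedded sample, rotate any credential it finds, and then truncate the file; `cat /dev/random | base64` is left unflagged on purpose because it carries no secret, while the echoed base password, the exported key and the `-p` argument are exactly what the other posts warn about.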