evan_tech -- password management

05:09 pm, 10 Jul 06

password management

I was talking to

dan_erat about password management, and it occurred to me to ask about it here.

I'd like to store password for websites and for other apps (my canonical example is that I have multiple programs that want to log into LJ, each managing a separate copy of my password) in the same place. There are a few nice programs that facilitate a database protected by a passphrase and make it easy to copy and paste (one cool thing about stuff like pwsafe is that it can clear the clipboard after you paste once), but what I really want is some sort of backend daemon these apps could request passwords from.

OS X has Keychain. (Here's a thread on WinXP's equivalent.) Two questions:

Is there something similar for Linux?
Should these sorts of programs make me pretty worried about security? Like, if my web browser can query Keychain, I'm depending on Keychain to properly return only the proper passwords. Would adding something like "process [foo] is requesting a password" make it more secure, or is that just a false sense of security?

premshree Probably of interest: http://www.alastairs-place.net/archives/000079.html

reply to this

jwz

There are two kinds of passwords: ones you care about and ones you don't. If you think you have so many things that need to be protected by the first category that you need to write them down somewhere, you're wrong. You've got maybe 3. Probably 2.

So just use the name of your cat or something for everything in category B. Nobody will ever go to the effort to crack it, and if they do, you won't really care.

reply to this

snej	I'll agree with that, if you replace the word "you" with "I". Me, I've got a couple of dozen things in category A, and the Keychain's a fine and private place for them.
reply to this

snej

The OS X Keychain has a pretty complex architecture, which I don't fully understand; but I think a partial answer to question 2 is that every item in the keychain has an ACL, and by default an app only has access to items that it added; if it asks for an item added by another app, the Keychain asks the user's permission (which can be granted once-only or always.)

I think the Keychain's pretty great. It's also well integrated into the higher-level networking APIs, so if you use, say, NSURLRequest to fetch an http: URL that's protected by HTTP auth, the password will be transparently fetched from the keychain for you by default.

reply to this

evan	Yeah, Keychain's totally one of those applications where you see it and immediately think "duh, why didn't computers do this before?" I suppose it's a mature-web sort of thing to have a lot of passwords, though...
reply to this

nbarkas	There's a Gnome keyring. Debian and Ubuntu packages are gnome-keyring and gnome-keyring-manager. I'm not sure how many programs it's integrated with, but I know it at least works with Nautilus, and I think with Evolution as well.
reply to this

evan Wow, thanks!

reply to this

fedork
in KDE...
... there is kdewallet. Pretty much the same thing.

reply to this
Anonymous

reply to this
- Anonymous nobody cares what you are not going to work on.
  
  reply to this

premshree	Probably of interest: http://www.alastairs-place.net/archives/000079.html
reply to this

fedork	in KDE... ... there is kdewallet. Pretty much the same thing.
reply to this

Anonymous	nobody cares what you are not going to work on.
reply to this

evan_tech

password management

in KDE...