Linux

Store passwords with pwsafe

If you have way too many passwords to keep track of -- and especially if you actually create individual, strong passwords for your many accounts -- then you probably need a little help managing them. Vincent Danen suggests pwsafe to securely store your passwords.

Secure password storage is a big thing these days, particularly given the (good!) advice not to re-use a password in more than one place. The thinking is that if someone figures out your password for one service or Web site, they cannot re-use it to get into your accounts on other sites. This is good advice, but with all of the different Web services and social networks, not to mention online banking and other important online services, it is hard to keep track of so many passwords. It is especially difficult if you follow best practice by avoiding common words, names, or phrases and instead use a good mix of upper- and lower-case letters, numbers, and special characters.

There are a number of tools for various platforms, but the most widely available password manager on Linux is pwsafe. Yes, it is a command-line application, and that is exactly what makes it so versatile: you can get at the password database remotely over SSH, and it fits naturally if you otherwise work on the command line. It can also hand credentials to the X11 clipboard.

Some distributions, like Fedora, will provide pwsafe as a package. Other distributions may not, but downloading and compiling pwsafe is easy.

To start with pwsafe, you need to create the password database:

$ pwsafe --createdb
Enter passphrase for /home/user/.pwsafe.dat:
Reenter passphrase for /home/user/.pwsafe.dat:

You will have to enter your passphrase twice. Make it a good one; it should be one of the few you really need to remember.

Next, create a password item:

$ pwsafe --add bugzilla
Enter passphrase for /home/user/.pwsafe.dat:
group [<none>]: web
username: user@example.com
password [return for random]:
password again:
notes: bugzilla login

If you are just about to sign up for a site, you can take advantage of pwsafe's random password feature:

$ pwsafe --add randomsite
Enter passphrase for /home/user/.pwsafe.dat:
group [<none>]: web
username: user
password [return for random]:
Generate random password? [y] y
Use $Z0QN@tau6xTiiu%XyXN$=HJB2<7FYUMr9b>
type alpha/digit/symbol, length 36, 160 bits of entropy [y/N/ /+/-/q/?] ? ?
Commands:
  Y      Yes, accept this password
  N      No, generate another password of same type
  <space> Cycle through password types
  -      Lower the entropy & password length
  +      Raise the entropy & password length
  Q      Quit
  ?      Help
Use Y0bx_eLl&YrM=Gw>4&L01TUJPrtw1#>azv4o
type alpha/digit/symbol, length 36, 160 bits of entropy [y/N/ /+/-/q/?] ? -
Use JqOkNViyekVVPb@zT1YrlCZ3rSdfN
type alpha/digit/symbol, length 29, 128 bits of entropy [y/N/ /+/-/q/?] ? -
Use 3To&^>9J_AxfX?JRlvubfJy_id
type alpha/digit/symbol, length 26, 112 bits of entropy [y/N/ /+/-/q/?] ? -
Use M%N-8>B@zooAW_&LydxoJ/
type alpha/digit/symbol, length 22, 96 bits of entropy [y/N/ /+/-/q/?] ? -
Use e58c&vZ+~>=rLzFQ/m
type alpha/digit/symbol, length 18, 80 bits of entropy [y/N/ /+/-/q/?] ? y
notes: http://www.randomsite.com/

As you can see, the minus key ( - ) lowers the password length and entropy, while plus ( + ) raises them. The space key cycles through password types; above it was alpha/digit/symbol, a mix of letters, numbers, and symbols. Pressing space moves on to the other types, including "easy-to-read" letters and digits, hex digits, digits only, and so on. Once you have selected the type, adjust the length with + and - to suit the password policy or requirements of the site you are signing up for.
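To make the length/entropy trade-off concrete, here is an added example written for this page (it is not pwsafe's code, and pwsafe's own character sets are not shown above). It mimics the type cycling and the +/- adjustment in POSIX shell: it computes entropy as length times log2(set size), works out the shortest password of a given type that reaches a target number of bits, and draws characters from /dev/urandom. The character sets are this example's own choice, and pwsafe's figures above (80 bits for 18 alpha/digit/symbol characters) are lower than the textbook figure this example prints, so treat the numbers as illustrative of the relationship, not as pwsafe's arithmetic.

```shell
#!/bin/sh
# Added example (not from the article or from pwsafe): a small generator that
# mimics pwsafe's "cycle through password types" and "+/-" prompts, so the
# trade-off between length and character-set size is visible.
#
# Assumptions: the character sets below are this example's own choice; pwsafe's
# exact sets are not shown on the page, and its entropy figures are lower than
# the textbook length * log2(set size) used here.

# Print the character set for a password type, or fail on an unknown type.
charset_for() {
  case "$1" in
    alnumsym) printf '%s' 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+=<>?/~-' ;;
    alnum)    printf '%s' 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' ;;
    easy)     printf '%s' 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789' ;;  # no 0/O, 1/l/I
    hex)      printf '%s' '0123456789abcdef' ;;
    digit)    printf '%s' '0123456789' ;;
    *)        echo "unknown password type: $1" >&2; return 1 ;;
  esac
}

# Entropy in whole bits for LENGTH characters drawn uniformly from TYPE's set.
# The 1e-9 guards against 127.999... from floating-point log().
entropy_bits() {
  set_chars=$(charset_for "$1") || return 1
  awk -v n="$2" -v s="${#set_chars}" \
    'BEGIN { printf "%d\n", int(n * log(s) / log(2) + 1e-9) }'
}

# Smallest length of TYPE that reaches at least BITS bits of entropy
# (this is what pressing "+" / "-" in pwsafe is effectively adjusting).
min_length_for_bits() {
  set_chars=$(charset_for "$1") || return 1
  awk -v b="$2" -v s="${#set_chars}" \
    'BEGIN { x = b / (log(s) / log(2)) - 1e-9; printf "%d\n", int(x) + (x > int(x)) }'
}

# Generate one password of TYPE and LENGTH from the kernel CSPRNG.
# tr -dc keeps only bytes that are in the set, so every kept byte is uniform over it.
gen_password() {
  set_chars=$(charset_for "$1") || return 1
  LC_ALL=C tr -dc "$set_chars" < /dev/urandom | head -c "$2"
  printf '\n'
}

# Usage: walk down the same entropy steps the article's session shows.
for bits in 160 128 112 96 80; do
  len=$(min_length_for_bits alnumsym "$bits")
  printf 'alnumsym %3d bits -> length %2d: %s\n' "$bits" "$len" "$(gen_password alnumsym "$len")"
done
```

Run it as a script, or source it and call `gen_password easy 20` when a site rejects symbols. Because `tr -dc` discards every byte outside the set rather than mapping bytes onto it with modulo, the kept characters are not biased toward the start of the set.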

To list the available passwords, use:

$ pwsafe --list
Enter passphrase for /home/user/.pwsafe.dat:
web.bugzilla
web.randomsite
web.randomsite2

Here, we have three logins in the web group: bugzilla, randomsite, and randomsite2. To retrieve the login, use:

$ pwsafe -uE web.bugzilla
Going to print login to stdout
Enter passphrase for /home/user/.pwsafe.dat:
username for web.bugzilla: user@example.com
$ pwsafe -p web.bugzilla
Going to copy password in X selection
Enter passphrase for /home/user/.pwsafe.dat:
You are ready to paste the password for web.bugzilla from PRIMARY and CLIPBOARD
Press any key when done
Sending password for web.bugzilla to glipper@hostname.com via PRIMARY
Sending password for web.bugzilla to glipper@hostname.com via CLIPBOARD

By default (with neither -u nor -p), pwsafe emits both the login and the password through the X selection. When using Glipper, at least, all you end up with is the username, which is less useful than the password. With -u you select just the username, and -E echoes it to the terminal instead of the X selection; here we can see that it is user@example.com. The second call, with -p, sends only the password to the X selection (both PRIMARY and CLIPBOARD), from which it can be pasted into the login form for the bugzilla site; pwsafe keeps serving the selection until you press a key.

If you would rather print everything to standard output (for instance, to avoid leaving a copy in a clipboard manager's history), use the following. Bear in mind that anything echoed with -E stays in the terminal's scrollback, and anything sent through the X selection can be retained by a clipboard manager that keeps history:

$ pwsafe -upE web.randomsite2
Going to print login and password to stdout
Enter passphrase for /home/user/.pwsafe.dat:
username for web.randomsite2: user
password for web.randomsite2: 697N9u2x

There are other options as well, such as sending the credentials to a file. Regardless, pwsafe is quite versatile and flexible. It will work regardless of desktop manager, distribution (it also works on OS X and FreeBSD among others), and whether you are locally on the machine or remote.
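As an added example (written for this page, not part of pwsafe), here is a small POSIX-shell wrapper around the `pwsafe -upE NAME` call shown above. It captures the two output lines into shell variables instead of echoing them to the terminal or handing them to the X selection, where a clipboard manager such as Glipper would keep a copy in its history. It assumes the output lines look exactly like the article's "username for NAME: VALUE" and "password for NAME: VALUE" (everything after the first ": " is the value, so values may themselves contain ": "), and that `xclip` is installed for the optional clipboard helper. The sample output it parses is the session from the article plus one constructed line.

```shell
#!/bin/sh
# Added example (not from the article, and not part of pwsafe): a wrapper
# around `pwsafe -upE NAME` that captures the two output lines shown in the
# article into shell variables instead of echoing them or handing them to the
# X selection, where a clipboard manager would keep a copy in its history.
#
# Assumptions: output lines look exactly like the article's
#   "username for NAME: VALUE" / "password for NAME: VALUE";
# everything after the first ": " is the value, so values may contain ": ".
# `xclip` is assumed to be installed for pwsafe_clip.

# pwsafe_field FIELD NAME  (reads pwsafe's stdout on stdin; FIELD = username|password)
# Matches only a line that starts with the exact "FIELD for NAME: " prefix, so
# web.random does not match web.randomsite2.
pwsafe_field() {
  awk -v p="$1 for $2: " '
    index($0, p) == 1 { print substr($0, length(p) + 1); exit }'
}

# pwsafe_get NAME  -> sets PW_USER and PW_PASS. The passphrase prompt still
# reaches the terminal because pwsafe reads it from the tty, not from stdout.
pwsafe_get() {
  out=$(pwsafe -upE "$1") || return 1
  PW_USER=$(printf '%s\n' "$out" | pwsafe_field username "$1")
  PW_PASS=$(printf '%s\n' "$out" | pwsafe_field password "$1")
  unset out
  [ -n "$PW_PASS" ]   # fail if the entry was not found
}

# pwsafe_clip NAME [SECONDS]  -> put only the password on CLIPBOARD and clear it
# after SECONDS (default 15). A clipboard manager that keeps history still
# snapshots it; this only limits how long the live selection is exposed.
pwsafe_clip() {
  pwsafe_get "$1" || return 1
  printf '%s' "$PW_PASS" | xclip -selection clipboard
  ( sleep "${2:-15}"; printf '' | xclip -selection clipboard ) &
}

# Offline demonstration of the parser: SAMPLE_OUTPUT is the session shown in
# the article, TRICKY_OUTPUT is a constructed line whose value contains ": ".
SAMPLE_OUTPUT='Going to print login and password to stdout
username for web.randomsite2: user
password for web.randomsite2: 697N9u2x'
TRICKY_OUTPUT='password for web.tricky: a: b=c'

printf 'user=%s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | pwsafe_field username web.randomsite2)"
printf 'pass=%s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | pwsafe_field password web.randomsite2)"
printf 'tricky=%s\n' "$(printf '%s\n' "$TRICKY_OUTPUT" | pwsafe_field password web.tricky)"
```

Source the file and run `pwsafe_get web.bugzilla` to populate `PW_USER` and `PW_PASS` in the current shell; from there the password can be fed to a program on stdin rather than pasted, which keeps it out of both the clipboard and the terminal scrollback.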

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

24 comments
asraikhn

nice and thanks now i am using pwsafe to manage all my usernames/passwords. Looking for a place to put it as currently using my laptop but sometime i have to access these accounts from other machines. I have some remote servers and thinking to use it.

lrogers81

Password Safe is great, I love it and it's portable. Having a strong initial password is important in order for you to unlock the safe though, but nonetheless, I'm sure you will get someone to have a weak password which renders pwsafe useless. I use pwsafe with Wine for my Ubuntu Linux so much of the article above was foreign to me...I might have to check that out tonight!

LarryBoy2

I recently started using the Windows version of Password Safe, as others have mentioned, and I love it so far. At least originally the work of Bruce Schneier (as I recall), how could you go wrong? Also, StealthWiFi's comment seems to imply there's a cost for it. Don't know about the Linux version, but the Windows version is free on SourceForge.net. (http://passwordsafe.sourceforge.net/)

casternj

Anyone have a suggestion for storing passwords for an organization? I was looking for a small USB solution that would email me when a password file is used. I can do some Windows tricks to get alerted when an account is signed in, but with other devices this appears impossible.

mark.e.smith

The windows passwordsafe utility available on sourceforge is supposed to be compatible with pwsafe.dat file of pwsafe.

ajaxnii

Love Password Safe, been using it for the past 3 years and love it!

StealthWiFi

Create a TrueCrypt container with a strong password. Store all of your logins in an Excel doc inside that TrueCrypt container and close out of the container when you are done.

allegrotechies

I use a GnuPG-encrypted Word, Excel, or text file that contains the passwords. Seems to work pretty well.

Photogenic Memory

Caught exception: SOAP-ERROR: Encoding: object hasn't 'authTokenMaxAge' property. I am unfamiliar with this web code. However, is this an issue with Java or XML or both? I really don't know where the problem is occurring. It's interesting though. Is anyone else having this issue?

vdanen

That would be just an alternative. A free alternative would imply pwsafe costs something. It doesn't.

MattDaemon

Thoughts? I use KeePass on windows, haven't tried the Linux version yet.

Maarek Stele

Load MySQL and use phpMyAdmin to create AES 128-bit encryption for your passwords. You can list them and/or create your own programs to recall them from anywhere.

casternj

I'm looking more for auditing of when a file that I encrypt is opened by a third party.

Neon Samurai

Is that file being kept in memory, or does GPG open it to a file written on the drive? My old approach was the same: a self-expanding PGP-encrypted file. The problem is the same though; the unencrypted data is temporarily stored on the disk, which makes it recoverable until sufficiently overwritten. I've also considered password-protected .doc or .xls, but that would only take me an extra day to work through, so someone more dedicated would pop those weak permissions in no time. With KeePass, your credentials open into RAM, get pulled out of RAM when things like screensavers kick in, and don't get written to storage in an unencrypted format.

Neon Samurai

But, in this case it doesn't do that either since pwsafe is available under an OSS license.

Neon Samurai

I started with pwsafe because it ran on my Linux-based platforms, PDA and Windows. The versions got out of sync by changing the database format, and the PDA build was not updated at that time. This led me to discover KeePass/KeePassX. So far, it supports the longest list of platforms (OS X, Linux-based OS, Windows, PalmOS, likely WinCE/Mobile, BSD, and the list goes on). I'd recommend the portable KeePass for your flash drive. You can also include the KeePassX general Linux build in its own folder on your flash drive and it'll run clean from there. Not sure if OS X has a portable version also, but the native install works as expected. The same database is read across all platforms. With a quick scp or rsync over ssh, I can keep the same database updated on my PDA with its native KeePassX install. With randomly generated 20-char passwords, KeePass is a requirement for me. I actually use its generator to get 8-char random usernames alongside my passwords in the case of more important accounts. It works great for program serial number storage and sensitive files, since you can include them in the account entry also.

goss-baker

I have been using KeePass(X) on both Windows and Mac for some time. Have not tried the Linux version yet.

markm

I store a coupla copies "in the cloud." I only access 'em via SSH or SFTP. Indeed, I've been burned by wonky USB sticks in the past, and this is my workaround. Any obvious vulnerabilities?

Neon Samurai

If it's available in your preferred distribution's repositories then it should be like any other package install. I went with the tarball (tar.gz) binary directly from the KeePassX website. Uncompress it to a folder (e.g. ~/lib/keepassx) and run keepassx.sh (or similar); the rest is the same graphical interface. The one anomaly I've found is that I can configure the autotype function in the Windows front end: enter uname, enter passwd, don't press [Enter]. With the Linux-based KeePassX, it seems to be hard coded to enter uname, enter passwd, press [Enter], so you don't have a chance to confirm that it pasted to the correct fields before the browser tries to post.

Neon Samurai

The question is a little off topic since TrueCrypt is providing the encryption of your data. It's something I've been trying to figure out though: is your or any other cloud storage provider using a setup which encrypts the client's data into a blob only accessible by them? Or does Jungle Disk and such remain wide open to anyone at the respective company (or appears to be from..) to browse through client data? For a similar setup, I'm looking at mounting TrueCrypt blob files off a Samba/CIFS share, since Windows does not encrypt the traffic from what I understand (if they do, it doesn't matter since the account validation is in the clear). So far I've not noticed a slowdown with a 2 gig test file, but I'd be curious to hear others' experiences if doing the same.