Store passwords with pwsafe

If you have way too many passwords to keep track of -- and especially if you actually create individual, strong passwords for your many accounts -- then you probably need a little help managing them. Vincent Danen suggests pwsafe to securely store your passwords.

Secure password storage is a big thing these days, particularly with the (good!) advice of not re-using passwords in more than one place. The thinking behind that is that if someone figures out a password for one service or Web site, they will not be able to re-use that password on other sites and further obtain access to your credentials and services. This is good advice, but with all of the different Web services and social networks, not to mention online banking and other important online services, it is hard to keep track of multiple passwords. It is especially difficult if you follow best practices by avoiding common words, names, or phrases and instead using a good combination of alphanumeric characters, numbers, and special characters.

There are a number of tools for various platforms, but the most "available" password manager on Linux is pwsafe. Yes, it is a command-line application, which is what makes it so versatile, especially if you may want to access the password database remotely via SSH, or you otherwise work on the command line. It can also interact with the X11 clipboard.

Some distributions, like Fedora, will provide pwsafe as a package. Other distributions may not, but downloading and compiling pwsafe is easy.

To start with pwsafe, you need to create the password database:

$ pwsafe --createdb
Enter passphrase for /home/user/.pwsafe.dat:
Reenter passphrase for /home/user/.pwsafe.dat:

You will have to enter your passphrase twice. Make it a good one; it should be one of the few you really need to remember.

Next, create a password item:

$ pwsafe --add bugzilla
Enter passphrase for /home/user/.pwsafe.dat:
group [<none>]: web
username: user@example.com
password [return for random]:
password again:
notes: bugzilla login

If you are just about to sign up for a site, you can take advantage of pwsafe's random password feature:

$ pwsafe --add randomsite
Enter passphrase for /home/user/.pwsafe.dat:
group [<none>]: web
username: user
password [return for random]:
Generate random password? [y] y
Use $Z0QN@tau6xTiiu%XyXN$=HJB2<7FYUMr9b>
type alpha/digit/symbol, length 36, 160 bits of entropy [y/N/ /+/-/q/?] ? ?
Commands:
  Y      Yes, accept this password
  N      No, generate another password of same type
  <space> Cycle through password types
  -      Lower the entropy & password length
  +      Raise the entropy & password length
  Q      Quit
  ?      Help
Use Y0bx_eLl&YrM=Gw>4&L01TUJPrtw1#>azv4o
type alpha/digit/symbol, length 36, 160 bits of entropy [y/N/ /+/-/q/?] ? -
Use JqOkNViyekVVPb@zT1YrlCZ3rSdfN
type alpha/digit/symbol, length 29, 128 bits of entropy [y/N/ /+/-/q/?] ? -
Use 3To&^>9J_AxfX?JRlvubfJy_id
type alpha/digit/symbol, length 26, 112 bits of entropy [y/N/ /+/-/q/?] ? -
Use M%N-8>B@zooAW_&LydxoJ/
type alpha/digit/symbol, length 22, 96 bits of entropy [y/N/ /+/-/q/?] ? -
Use e58c&vZ+~>=rLzFQ/m
type alpha/digit/symbol, length 18, 80 bits of entropy [y/N/ /+/-/q/?] ? y
notes: http://www.randomsite.com/

As you can see, using the minus key ( - ) will lower the password length and entropy, while plus ( + ) will increase it. Using the space key will also change the type of password; above it was a combination of alphanumeric characters, numbers, and symbols. Pressing space will change the type to others, including "easy-to-read" alphanumerics and digits, hex digits, numbers only, and so on. Once you have selected the type, you can adjust the length of the password to suit the password policy or requirements for the site you are signing up for.

To list the available passwords, use:

$ pwsafe --list
Enter passphrase for /home/user/.pwsafe.dat:
web.bugzilla
web.randomsite
web.randomsite2

Here, we have three logins in the Web group: bugzilla, randomsite, and randomsite2. To retrieve the password, use:

$ pwsafe -uE web.bugzilla
Going to print login to stdout
Enter passphrase for /home/user/.pwsafe.dat:
username for web.bugzilla: user@example.com
$ pwsafe -p web.bugzilla
Going to copy password in X selection
Enter passphrase for /home/user/.pwsafe.dat:
You are ready to paste the password for web.bugzilla from PRIMARY and CLIPBOARD
Press any key when done
Sending password for web.bugzilla to glipper@hostname.com via PRIMARY
Sending password for web.bugzilla to glipper@hostname.com via CLIPBOARD

By default, pwsafe will attempt to send the login and password to the clipboard. When using Glipper, at least, all you get is the username, which is less useful than the password. Using the "-E" option, you can echo the username to the terminal; in this case, we can see that it is user@example.com. The second call to pwsafe sends the password to the X clipboard, where it can be pasted into the login form for the bugzilla site.
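
The "Sending password for ... to ... via ..." lines above name the X client that actually took the password, and a clipboard manager such as Glipper may keep it in its history. The following is an added example, not part of pwsafe or the original article: it reads saved pwsafe output and flags any recipient outside an allowlist. The function name, the verdict labels and the "firefox" allowlist entry are assumptions, and recipient names are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example: audit which X clients received a secret from pwsafe.
# Reads saved pwsafe output on stdin; $1 is a space-separated allowlist of
# client names (the part before "@") that are expected to paste the secret.
# Prints one verdict per "Sending ..." line and returns 1 if any recipient
# is not on the allowlist (for example a clipboard-history manager).
audit_pwsafe_recipients() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, names, " ")
        for (i = 1; i <= n; i++) expected[names[i]] = 1
    }
    # Line shape taken from the transcript on this page:
    #   Sending password for web.bugzilla to glipper@hostname.com via PRIMARY
    NF >= 8 && $1 == "Sending" && $3 == "for" &&
    $(NF-1) == "via" && $(NF-3) == "to" {
        kind = $2; selection = $NF; recipient = $(NF-2)
        # Entry names may contain spaces: rebuild from field 4 up to "to".
        entry = $4
        for (i = 5; i < NF - 3; i++) entry = entry " " $i
        split(recipient, parts, "@")
        if (parts[1] in expected) {
            verdict = "EXPECTED"
        } else {
            verdict = "UNEXPECTED"; bad = 1
        }
        printf "%s %s of %s -> %s (%s)\n", verdict, kind, entry, recipient, selection
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: lines copied from the pwsafe -p transcript on this page.
SAMPLE='Going to copy password in X selection
You are ready to paste the password for web.bugzilla from PRIMARY and CLIPBOARD
Sending password for web.bugzilla to glipper@hostname.com via PRIMARY
Sending password for web.bugzilla to glipper@hostname.com via CLIPBOARD'

# "firefox" is an assumed name for the client you meant to paste into.
printf '%s\n' "$SAMPLE" | audit_pwsafe_recipients "firefox" ||
    echo "review: secret reached a client outside the allowlist"
```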

If you wish to print everything to standard output (so as to not rely on clipboard history, perhaps), use:

$ pwsafe -upE web.randomsite2
Going to print login and password to stdout
Enter passphrase for /home/vdanen/.pwsafe.dat:
username for web.randomsite2: user
password for web.randomsite2: 697N9u2x

There are other options as well, such as sending the credentials to a file. Regardless, pwsafe is quite versatile and flexible. It will work regardless of desktop manager, distribution (it also works on OS X and FreeBSD among others), and whether you are locally on the machine or remote.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
