No password manager, by itself, suits everyone’s needs exactly. A benefit of a command line tool is that it is easily scripted to suit the needs of those who are almost, but not quite, perfectly happy with it.

The importance of strong, unique passwords is dismissed all too often. Judging by recent experience, it is being dismissed more and more often by people who think it does computer users no good because it encourages them to write passwords on pieces of paper and store them in unencrypted files where they can be harvested by others. Of course, this means that these people are Doing It Wrong, and not that using short, easily remembered (and cracked) passwords, and reusing them everywhere, is Doing It Right. The answer, of course, is not to give up on password security; it is to use a password manager. The fact some people prefer to think of themselves as incompetent to use password managers should not dissuade the rest of us from doing the right thing for our own security.

Five features of a good password manager should, in theory, be easy to satisfy. In practice, some password managers fall short — especially if they are commercial software or heavily integrated with a given graphical user interface framework.

One of the most well-regarded password manager options is Bruce Schneier’s Password Safe, distributed under the terms of the Artistic License. Unfortunately, it is only for MS Windows systems.

That problem has been solved by a number of work-alikes whose password database storage mechanisms are compatible with Password Safe’s, effectively offering several versions of the same program for several platforms, with several different interfaces for people who want the program’s interface to suit their specific needs more closely. Among these are Password Gorilla (GPL program written in Tcl/Tk), MyPasswordSafe (copyfree program using a BSD-like license, for KDE users), and my favorite, pwsafe.

The pwsafe program is a command line interface password manager that does pretty much everything I need from a password manager, including the five features of a good password manager:

  • peer reviewed, heavily tested, strong encryption for password storage
  • secure resource usage
  • self-contained functionality
  • relative ease of use
  • verifiable design (GPL software)

It is not quite perfect for my purposes, however. Its usability leaves out something that is quite important for my own workflow — X Window System keyboard shortcut integration — and its license choice is not perfectly ideal (I would prefer a copyfree license, such as the Open Works License, rather than pwsafe’s copyleft license). I might eventually write a complete password manager toolset that suits my preferences more exactly, as I mentioned when I asked: What defaults should random password generators use?

Thanks to urging from Sterling Camden, the TechRepublic IT Consultant host, I finally ended up giving pwsafe a fair shake and have been using it since. It did not take me long to get around to writing an extremely simple wrapper script and using that to provide the X Window System keyboard shortcut integration I wanted from it. Now that I have that functionality in the software that I am currently using for password management, I do not feel much urgency to work on a password manager of my own. I expect pwsafe, with my pwprompt script providing better X integration, to be what I use for quite a while.

On any Unix-like system with the X Window System running on it and the Ruby interpreter installed, the following script (which I have named pwprompt) should work:

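  #!/usr/bin/env ruby

  # With -n, copy only the password; otherwise copy the username first.
  u = 'u'
  if ARGV[0] && ARGV[0].match(/-n/)
    ARGV.shift
    u = ''
  end

  print 'retrieve: '
  # Read from the terminal explicitly; a bare gets would treat leftover
  # command line arguments as file names.
  passname = $stdin.gets.to_s.chomp
  system 'clear'
  # Pass the arguments as a list so the label is never interpreted by a shell.
  exec 'pwsafe', "-q#{u}p", passname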

Many window managers and “desktop environments” offer built-in options for configuring keyboard shortcuts (also known as “hotkeys”), and setting up a simple shortcut for running this script in a terminal emulator that disappears when no longer needed should be a simple task. That was all I needed to get the sort of X integration I craved. In the window manager I have been using lately, AHWM, the line in the configuration file that provides what I need is:

  BindKey "Control | p" Launch("uxterm -r -geometry 80x3+0+0 -e pwprompt");

In this example:

  • uxterm launches XTerm with Unicode support
  • -r “reverses” colors, providing white text on a black background
  • -geometry 80x3+0+0 makes the XTerm 80 characters wide by 3 lines high in the upper left corner of the screen
  • -e pwprompt executes the pwprompt script within the XTerm

Obviously, different window managers will use different means of configuring keyboard shortcuts, and it would be surprising if someone reading this article also used AHWM. Most window managers do support keyboard shortcut bindings, though. If your window manager lacks support for keyboard shortcuts that can be used to offer this sort of functionality, there are some separate tools that can be installed on most Unix-like systems to fill that gap, such as KeyLaunch.

Once you have your keyboard shortcut set up — presumably to use something like Ctrl+P to execute a command like xterm -geometry 80x30+0+0 -e pwprompt, where the pwprompt script has been placed somewhere in your execution path — the process for retrieving usernames and passwords from pwsafe in X is quite simple, and should be friendly for people who like GUI tools.

First, just use your keyboard shortcut. A terminal emulator window should appear with this prompt:

  retrieve:

For extra security, you can at this point enable the Secure Keyboard option for XTerm to help protect against the possibility of outside applications spying on your keyboard input. Because the Secure Keyboard option works best before the password prompt appears, doing so at this retrieve: prompt is a good idea. Activate the Secure Keyboard option by holding down the Ctrl key, then pressing and holding the left mouse button within the XTerm window. A menu should appear. Move the mouse cursor to the Secure Keyboard option and release the left mouse button. If the colors in the XTerm window reverse — so that a normally white-on-black window becomes black-on-white, or vice-versa — it should be working properly. If not, you should be suspicious. Other terminal emulators may not have similar functionality.

Whether you use XTerm’s Secure Keyboard option or not, to continue you should then enter the label you use with pwsafe to identify a given set of authentication credentials. The terminal emulator window should then show a new prompt:

  Enter passphrase for /home/username/.pwsafe.dat:

Enter the password you use for pwsafe. After hitting the Enter key, if you used the Secure Keyboard option, turn it off the same way you turned it on so that other keyboard shortcuts and any typing you want to do in another window will work again. The username for your authentication credentials will be loaded into the X clipboard, and you can paste it with a middle-click. Upon doing so, the password will be loaded into the X clipboard, and you can then paste that with a middle-click. Finally, the clipboard will be wiped so that your password no longer resides on the clipboard, and the terminal emulator window that opened to prompt you for your retrieval label and pwsafe password will close.

If you change the keyboard shortcut configuration to use pwprompt -n instead of just pwprompt, only the password will be loaded into the clipboard, instead of the username. Two shortcuts can then be set up, one for when you need both the username and the password, and another for when you only need the password.
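
As an added example (not the author's script), here is one way to turn whatever is typed at the retrieve: prompt into an argument list for pwsafe, so that the label is checked first and never passes through a shell. The function names, the length limit and the sample inputs are assumptions made for this example.

```ruby
# Added example (not the article's code): build the pwsafe argument vector
# for a pwprompt-style wrapper without ever involving a shell.

MAX_LABEL_LENGTH = 128 # assumed limit, chosen for this example

# Returns the cleaned label, or raises ArgumentError for input that should
# never reach pwsafe.
def clean_label(raw)
  label = raw.to_s.strip
  raise ArgumentError, 'empty label' if label.empty?
  raise ArgumentError, 'label too long' if label.length > MAX_LABEL_LENGTH
  # A leading dash would be parsed as another command line option.
  raise ArgumentError, 'label starts with "-"' if label.start_with?('-')
  # Control characters have no place in a label typed at a prompt.
  raise ArgumentError, 'control character in label' if label =~ /[[:cntrl:]]/
  label
end

# password_only mirrors the article's -n switch: drop the "u" so that only
# the password is copied to the clipboard.
def pwsafe_argv(raw_label, password_only: false)
  flags = password_only ? '-qp' : '-qup'
  ['pwsafe', flags, clean_label(raw_label)]
end

# Constructed sample inputs. Shell metacharacters are dangerous in an
# interpolated command string but inert as one element of an argv list.
def demo
  ['example.com', 'mail; echo injected', '-x', "bank\e[2J", ''].map do |input|
    begin
      pwsafe_argv(input).inspect
    rescue ArgumentError => e
      "rejected: #{e.message}"
    end
  end
end

puts demo if $PROGRAM_NAME == __FILE__
# In the wrapper itself, the list form of exec bypasses the shell:
#   exec(*pwsafe_argv($stdin.gets, password_only: ARGV.include?('-n')))
```
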

Many features of pwsafe are not handled through the pwprompt script, including basics like actually adding username and password pairs to it in the first place. These can be dealt with by using pwsafe directly in a terminal emulator. Vincent Danen’s article, Store passwords with pwsafe, covers basic usage of the program from the shell.