Password-Store Digest, Vol 81, Issue 9

Jean-Stéphane BAGOEE jsbagoee at intelligentemails.com
Mon Feb 10 07:56:29 CET 2020


Unsubscribe my email address from this list please.

On 9 February 2020 23:52:22 GMT+01:00, password-store-request at lists.zx2c4.com wrote:
>Send Password-Store mailing list submissions to
>	password-store at lists.zx2c4.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://lists.zx2c4.com/mailman/listinfo/password-store
>or, via email, send a message with subject or body 'help' to
>	password-store-request at lists.zx2c4.com
>
>You can reach the person managing the list at
>	password-store-owner at lists.zx2c4.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Password-Store digest..."
>
>
>Today's Topics:
>
>   1. Re: Supplying GPG key password into Pass command (Emil Lundberg)
>   2. Re: Supplying GPG key password into Pass command
>      (password-store at storiepvtride.it)
>   3. Re: Supplying GPG key password into Pass command
>      (Louis ProtonMail)
>   4. Re: Supplying GPG key password into Pass command
>      (password-store at storiepvtride.it)
>   5. Windows implementation of passwordstore in pure batch
>      (Miquel Lionel)
>   6. Re: Windows implementation of passwordstore in pure batch
>      (Kenny Evitt)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Sun, 9 Feb 2020 12:24:17 +0100
>From: Emil Lundberg <lundberg.emil at gmail.com>
>To: Louis ProtonMail <louiscb at protonmail.com>
>Cc: Password-Store <password-store at lists.zx2c4.com>
>Subject: Re: Supplying GPG key password into Pass command
>Message-ID:
>	<CAJgCmPx3PvU-sFCEE_FevFczq5jWo=Amgvgu8RFZp=2xwx8BjQ at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>On Sat, 8 Feb 2020, 12:52 Louis ProtonMail, <louiscb at protonmail.com>
>wrote:
>
>> My ultimate objective is to set up a web server that contains a front-end
>> application for my Pass store so that I can access my passwords on the fly.
>
>
>My solution to this problem is to use Syncthing [1] to replicate my
>password store to all my machines, including my phone. Then I can always
>access the local copy on whichever machine I'm using, and I can use the
>(unofficial) Android app when I need my passwords on a machine where I
>don't have the store replicated. Any reason something like that wouldn't
>work for you?
>
>[1]: https://github.com/syncthing/syncthing
>
>/Emil
>
>------------------------------
>
>Message: 2
>Date: Sun, 9 Feb 2020 18:04:47 +0100
>From: password-store at storiepvtride.it
>To: password-store at lists.zx2c4.com
>Subject: Re: Supplying GPG key password into Pass command
>Message-ID: <ba64de2e-40ee-dc49-ba6a-55bfaccb5675 at storiepvtride.it>
>Content-Type: text/plain; charset=utf-8
>
>On 09.02.20 at 12:24, Emil Lundberg wrote:
>> My solution to this problem is to use Syncthing [1] to replicate my
>> password store to all my machines, including my phone
>
>Does that require to store sensitive data (e.g. your GPG private key) on
>your mobile device in order to decrypt passwords? If yes, I would argue
>whether I would trust or not my mobile device for that task.
>
>If I understood correctly, OP is trying to accomplish a homemade version
>of 1Password. I don't have clear the details, but having private GPG key
>and encrypted passwords on the same location or sending the passphrase
>through the network wouldn't make me feel comfortable.
>
>
>------------------------------
>
>Message: 3
>Date: Sun, 09 Feb 2020 17:52:52 +0000
>From: Louis ProtonMail <louiscb at protonmail.com>
>To: password-store at lists.zx2c4.com
>Subject: Re: Supplying GPG key password into Pass command
>Message-ID: <12F64E35-A9EC-40CC-B80C-FDF7D420EF15 at protonmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>> I don't have clear the details, but having private GPG key
>> and encrypted passwords on the same location or sending the passphrase
>> through the network wouldn't make me feel comfortable.
>
>I might not be understanding things well, but how is one supposed to
>access the plaintext saved passwords without having the keys used to
>encrypt them and the password to those keys? Where do you keep your GPG
>keys so that you can decrypt the pass entries?
>
>> If I understood correctly, OP is trying to accomplish a homemade version
>> of 1Password.
>
>Essentially this is correct, mainly as an educational exercise on
>understanding encryption and security principles better.
>
>Louis
>
>------------------------------
>
>Message: 4
>Date: Sun, 9 Feb 2020 19:14:30 +0100
>From: password-store at storiepvtride.it
>To: password-store at lists.zx2c4.com
>Subject: Re: Supplying GPG key password into Pass command
>Message-ID: <312283f4-f598-1e7b-7b79-79a86512b6d6 at storiepvtride.it>
>Content-Type: text/plain; charset=utf-8
>
>On 09.02.20 at 18:52, Louis ProtonMail wrote:
>> I might not be understanding things well, but how is one supposed to
>> access the plaintext saved passwords without having the keys used to
>> encrypt them and the password to those keys? Where do you keep your GPG
>> keys so that you can decrypt the pass entries?
>
>I think this is exactly the issue here: you can't, unless you give up
>some security. If a malicious actor gets into the remote server, he has
>access to both private key and GPG encrypted files. He would be only one
>passphrase away from your passwords.
>
>I keep my GPG private key into a smartcard. Without this smartcard
>attached to my device, I can't decrypt my passwords.
>
>> Essentially this is correct, mainly as an educational exercise on
>> understanding encryption and security principles better.
>
>Ok, understood, thanks for confirming :-)
>If I were to implement a remote service like that, I would download the
>single encrypted password file I need and only *locally* decrypt it.
>Which equals more or less to using pass offline or with syncthing.
>
>I believe the intended use-case for pass is to store encrypted passwords
>offline. Any other solution to use it "over the wire" would extend the
>attack surface (imo).
>
>
>------------------------------
>
>Message: 5
>Date: Sun, 9 Feb 2020 22:17:07 +0100
>From: Miquel Lionel <lionelmiquel at sfr.fr>
>To: password-store at lists.zx2c4.com
>Subject: Windows implementation of passwordstore in pure batch
>Message-ID: <20200209221707.86b12131481ef772af58a6d1 at sfr.fr>
>Content-Type: text/plain; charset=US-ASCII
>
>Hello to all the password-store mailing list,
>
>Seeing no satisfying command line alternatives for Windows on the
>passwordstore.org page, I decided to quickly put together a batch
>script that mirrors my uses of pass on unix systems.
>It behaves like pass on most of cases, my preferred thing being the
>clip switch.
>So, it supports:
>	* making dirs in the password store
>	* tree like display of directory and content of these
>	* inserting, deleting passwords and password directory, with or without prompts
>	* clipping a specific line of the password file
>	* PASSWORD_STORE_DIR and PASSWORD_STORE_KEY environment variables, as they're the most important ones.
>	* .gpgid file to indicate which key to use in case of PASSWORD_STORE_KEY not set
>	* viewing passwords
>
>And I think that's all for the moment.
>
>There's still things to fix : can't have spaced password names,
>absolutely no security against shouldersurfing, and many other things
>that I didn't put my finger on yet.
>But it does the job for me.
>
>https://notabug.org/lilim/pass.bat
>
>Kind regards,
>-- 
>Miquel Lionel <lionelmiquel at sfr.fr>
>
>
>------------------------------
>
>Message: 6
>Date: Sun, 9 Feb 2020 17:55:12 -0500
>From: Kenny Evitt <kenny.evitt at gmail.com>
>To: Miquel Lionel <lionelmiquel at sfr.fr>
>Cc: password-store at lists.zx2c4.com
>Subject: Re: Windows implementation of passwordstore in pure batch
>Message-ID:
>	<CA+px3x2ob4fSrYFvR_WttLjghdkb_GedOaHb6x3iiYgK+km_2A at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>Nice job! Windows batch is a tough language to 'use in anger'! Bash isn't
>easy either, but Windows Batch is a whole 'nother level of
>pain-in-the-ass:
>
> - windows - Batch character escaping - Stack Overflow
><https://stackoverflow.com/questions/6828751/batch-character-escaping/16018942#16018942>
>
>Pass DOES work in the Ubuntu app on Windows (formerly Bash on Ubuntu on
>Windows, and several other names before that) but I couldn't implement
>clipboard support *nicely*. Jason, the creator and maintainer of Pass,
>didn't like the changes I came up with - they ARE ugly.
>
>But, in case you or anyone else is interested, I maintain a 'soft fork'
>with those changes on GitHub:
>
>- kenny-evitt/password-store-buw: Pass: The Standard Unix Password Manager
>for Bash on Ubuntu on Windows
><https://github.com/kenny-evitt/password-store-buw>
>
>On Sun, Feb 9, 2020 at 4:19 PM Miquel Lionel <lionelmiquel at sfr.fr> wrote:
>
>> Hello to all the password-store mailing list,
>>
>> Seeing no satisfying command line alternatives for Windows on the
>> passwordstore.org page, I decided to quickly put together a batch script
>> that mirrors my uses of pass on unix systems.
>> It behaves like pass on most of cases, my preferred thing being the clip
>> switch.
>> So, it supports:
>>         * making dirs in the password store
>>         * tree like display of directory and content of these
>>         * inserting, deleting passwords and password directory, with or without prompts
>>         * clipping a specific line of the password file
>>         * PASSWORD_STORE_DIR and PASSWORD_STORE_KEY environment variables, as they're the most important ones.
>>         * .gpgid file to indicate which key to use in case of PASSWORD_STORE_KEY not set
>>         * viewing passwords
>>
>> And I think that's all for the moment.
>>
>> There's still things to fix : can't have spaced password names, absolutely
>> no security against shouldersurfing, and many other things that I didn't
>> put my finger on yet.
>> But it does the job for me.
>>
>> https://notabug.org/lilim/pass.bat
>>
>> Kind regards,
>> --
>> Miquel Lionel <lionelmiquel at sfr.fr>
>
>------------------------------
>
>
>End of Password-Store Digest, Vol 81, Issue 9
>*********************************************

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.