Ask HN: Password Gorilla last commit 3 years – give up on open source pwd mgr?

20 points by banku_brougham ↗ HN
I've read everything I can find on HN and other sources about password managers. I was influenced by this paper "On the Security of Password Manager Database Formats" (http://www.cs.ox.ac.uk/files/6487/pwvault.pdf), it indicates PasswordSafeV3 is the only DB secure vs. Read/Write attacks (safe to store the DB in the cloud). Eventually I decided on Password Gorilla (https://github.com/zdia/gorilla) based on criteria I'll list below.

Now I realize that the github repo hasn't had a commit in 3 years, 3 years of new vulnerabilities. There is an updated (2014-10-27) version linked to their site, but this is obviously not part of the open source code in repo, so I may as well just trust the fancy new closed source products.

I'm in a quandry:

- 2nd choice: pwdsafe.org is a secure DB and source code is available on sourceforge, so theoretically I can trust that malicious/crap code in there would discovered by security researchers. But it is only available for OSX from unknowns that are not open source. (https://pwsafe.org/downloads.shtml) - 3rd choice: [KeePassX](https://github.com/keepassx/keepassx), active development, fails the standard of RW attacks researched in the paper. Open source yet inferior database is unsafe to store on G-drive, dropbox.

It looks like I have no choice but go ahead and trust an unknown software developer and hidden source code, even for the 'open source' product, might as well go with LastPass or Dashlane, which are closed source but which at least have resources and very active development and responsiveness to reported vulnerabilities. Oh and LastPass was acquired by LogMeIn so trust is even shakier.

My criteria for choosing: - OSX and Linux - Open Source, because I believe that it meets a higher standard of security - Must time-out or reauthenticate after inactivity - Support 2 Factor Authentication - iOS client would be nice - I'm only storing tier-two passwords.

13 comments

[ 2.3 ms ] story [ 53.2 ms ] thread
Interesting. I am not really into PWGorilla, but some friends are. They are constantly recommending it to me, although we are kind-of forced from the company to use a closed source pw manager (1pass).

Is there anything particularly security related that is concerning you regarding pw-gorilla vulnerabilities?

So far I can recommend 1pass, though its not for free. If you have any particular concerns with 1pass security wise I would be interested too (except its closed source).

Thx.

my concern with PW Gorilla is only the point I mentioned: lack of active development, and recent update is not part of open source repo.

I'm in no way capable of evaluating the security of open source password mgr implementations, but I'm willing to gamble on the lower tier passwords that a lot of expert research is validating the strength of the popular ones.

For closed source, I think I have to assume they are screwing something up.

How many passwords are you storing currently? And are you using password managers for the convenience of not having to commit secure passwords to memory, or for the ease of automatic password entry?

Sticky notes are a hallmark of bad security, but that doesn't mean a pen-and-paper approach has to be ruled out entirely. Depending on how you answered the last two questions, a small notebook containing the passwords written out in some format other than plain text could be a surprisingly viable contender for any software password manager.

My passwords, appx: 100 passwords for low priority accounts.

20 that would be bad if hacked (tertiary email, twitter, coursera, etc)

6 critical that I won't commit to electronic storage.

I would love to not have to lookup and type in passwords for the first two groups.

Yes! Passwordstore is nothing more than a BASH script you can easily browse yourself to see what it does. Encryption is done by GnuPG, so if you already have a GPG-key, getting started is even easier.

The command-line interface is very intuitive, and there are a couple of GUI front-ends as well if you want one. Also, passwordstore's database is nothing more than a directory structure containing GPG-encrypted text files. You can access these files without passwordstore as well, as long as you have your GPG private key.

For distributing your password database to multiple machines, passwordstore integrates with git. Another option is the excellent syncthing (https://syncthing.net/) which syncs chosen directories with trusted machines (verified using TLS) on the local network.

Passwordstore stores secrets in a directory tree. A really nice feature of passwordstore is that you can have it encrypt secrets under specified directories for multiple GPG-keys.

So what I do to share some passwords with my partner, is set up a certain directory in passwordstore's tree to encrypt for both our GPG-keys, and sync only that directory with her computer with syncthing. She has the same setup, but with the default for her passwordstore's database being her own GPG-key. So we both have our private passwords, and a shared set of passwords and other secrets that is synced whenever both our computers are on the same local network.

Also, the security of passwordstore depends on how you handle your GPG-key, so if you use something like a Yubikey NEO to store your GPG-key on, you effectively have two-factor authentication, as mentioned in OP's question.
Did you see that Keepass introduced fixes to the issues raised in that paper before it was released, thanks to the responsible disclosure by the authors? http://keepass.info/help/kb/db_headerauth_upg.html
No I didn't see that the authenticated header which was called out as the source of the vulnerability in the paper has been fixed in the 2.20 version, though I should have. Thanks for pointing that out.

I'm testing KeePassX now, and it seems ok. However usability is a bigger criterion than I originally thought, because all the copy/paste of username and login is more effort than just memorizing and typing by hand. In fact I've memorized the credentials of the 5 accounts I'm testing it with.

KeePassX has a timed lockout function, which is excellent.

However unless I quit the browser I will remain logged in to the accounts even after computer sleeps. I would prefer to require another master password confirmation to access accounts after leaving my computer and returning and authenticating the machine.

This is a new criteria I would like to add: re-authenticate master password after inactivity/sleep. This would be ideal, in the unlikely event that my employer fires me and takes my laptop away - I don't want IT admin to be able to log in to the machine and access my Evernote, gmail, or other accounts.

It looks like KeePass/KeePassX cannot address this, probably would require a browser extension.

Maybe I should consider the LastPass/Dashlane model, I think they offer this functionality.

Also, I won't use rando Chrome extensions like Log Me Out, though it would provide the needed functionality. I would consider opening the package and rolling my own Log Me Out chrome extension. That + KeePassX would solve my problems, except for the copy/paste usability issue.

The Windows version has an autotype feature - not sure if that has made it to the ports though. It's also not as smooth a flow as Lastpass, since there is a context switch between browser and password manager (although I seem to remember that there used to be an extension offering Lastpass style access to Keepass for Firefox, possibly called KeeFox, or FoxPass?).

I don't think any distinct software could automatically log out of sites - it would presumably come down to deleting cookies on sleep (or relying on the sites to have sensible session expiry times) - so I'm not sure that the password manager is the right tool for that. A password manager would protect the passwords for your accounts, but that's not the same as sessions for your accounts.

You can compile pwsafe QT GUI for OS X very easily. However, the GUI feels out of place because of QT.
I used password gorilla for years until 2015, when I switched to keepassx.

I had similar concerns about how it felt that password gorilla remained unchanged for periods of time, regardless of whether I would know if there was a vulnerability or not. It was more...it felt stable (which was fine) but not "this will be here forever!" to me. I recognize I could've forked it (or something similar) but I don't (yet) know tcl/tk and don't feel comfortable "owning" my own password manager for security-related stuff.

I can recommend keepassx/family (I had, long ago, chosen password gorilla for Windows & Linux support) but, at this point if you are moving, find something you are comfortable with (that's updated!).

I actually wrote a JS-based encryption container which passes these requirements (and does not even have PasswordSafeV3's key-reuse problem!) for these very reasons about 2 years ago, and one of its example applications in the repository, 'tagaloop', can function as a password storage container:

https://github.com/drostie/nermal

Tagaloop does not time-out or re-authenticate for you, and since I'm not selling the service I can't offer 2FA, but of course if you wanted to build a company out of this stuff it's open-source. In addition nermal makes the deliberate decision to not support "seek" operations, so it does not e.g. store a header field which could then be scanned in advance to index a bunch of concatenated binary strings -- this is not bad for password storage where the metadata outnumbers the data by a factor of 2 or 3 so there's no point, but other applications like storing an encrypted archive of files might suffer.