Hi all,

Yet another hackers attack on the infrastructure of companies that offer to store our passwords begs the question:

That is an application that stores passwords in a **personal** server (that is publicly accessible), but which is can be connected in a variety of browsers and across many computers.

In essence, a sort of "lastpass" service but with the lastpass server running on a personal server, not on the cloud.

The key here is, of course, the decentralization of password storage, which would make it less interesting for hackers to try and breach the security and get access to someone's personal data.

I am using this post as a guide, but it is not clear if even the enterprise solutions are run on personal servers.

Preferably the application should

- be free software and / or open source
- run on a linux / unix server
- have extentions for browsers (especially firefox) across many archs

thank you

hi,
well, I use a free application that is pretty much up to date...

• - free
• - portable (multiple platforms)
• - OS independent
• - hacker proof
• - not connected to the internet
• - expandable
• - replicates easily...

The little black book...I never save passwords anywhere anyway...
Thor

Hmm. Interesting concept.

I'm not sure of anything that would let you log in from any computer anywhere (like last pass) but if you had a multitude of computers you wanted to access it from you could do the following:
1. install keepassx (or other various offline password managers)
2. store the database on spideroak (encrypted storage)
3. repeat on all computers while referencing the database downloading from spideroak.

That way you can access your passwords from any device securely and it would be updated once changed.

I also use a file key in combination with a password off the spideroak storage to ensure no one could brute force it.

####

A potential (read - untested) idea would be to have a server at home accessible via ssh key-based auth with a password manager installed there. Then ssh -X to it (X forwarding) and load the password manager from there
edit: using pass would prevent the need for X forwarding since it's cli based.

Hi there,
last pass offers browser integration. And this is its unsurpassed asset.
It "senses" the website you are currently viewing and fills in the username and password edit boxes automatically.
This is key asset and I would strongly prefer to keep it.

does'nt that kinda defy the use/need for passwords?
...okay, but I still shudder at the notion of "something" filling up the blanks for me...be carefull...

hm,
well I use password managers for less important logins. Logins that I would preferably do without passwords.
That is mostly for forums and other similar websites where I do not store important personal information.
I do not trust password managers or anyone really with my linux server passwords or any other important credentials.

So I do not mind that a service reads the html page to find username & password editboxes and fills them up.

Good, let's try and not propagate bad habits here LOL
Still, your question seems pretty much unanswered...
Unless of course, by the good advice Sefyr gave...that seems pretty solid
I dont even store passwords for fora...but, I am...hehe...paranoid in some cases

it is unanswered indeed..
probably there is no such open source solution...

Well, yes and no...you want a central place to keep all passwords...Firefox does keep these...though locally...passwords are...as the purpose implies...measures of security. Like a houde key, kept safe...
There lies the problem...why store passwords elsewhere? That is like giving your house keys to strangers for "safe keeping"...
One possibility would be a text file, encpyted and stored on a server, downloaded for decrypt-n-use, uploaded for changes...
Personally, I fail to see the use, but, I only see what little I can via this thread
Thor

My example covers "many computers" but not browsers. It would actually be significantly more secure then lastpass as a password "server" accessed through public key is very secure.

Perhaps this?
https://prism-break.org/en/projects/protectedtext/

It's nothing but a text file that is encrypted / decrypted in browser and stored on server X.
The source code is available. In theory you could take said source code and run it on your computer creating a personal server.

You could even do this with a apache server that makes https only connections with a password. While a security concern, it would be equal with lastpass in security.

2 members found this post helpful.

@Thor, well my work flow would benefit from storing passwords at a central location.
I work across different computers and operating systems and lastpass has offered a convenient tool. I can of course ssh to my server from anywhere; open my encrypted passwords text file and get the username and password I need. But this would indeed takes time - especially if I need to access a variety of websites that need signing in. The good thing about this method is that I usually grep the username-password I seek. No need to check that no one is looking over your shoulder.

@Sefyir The secure notepad as a webservice is a nice idea. Quicker for sure than ssh and perhaps not much less secure. I could give it a try. The problem here is those who look over your shoulder of course... I can't have this tab open where all passwords are visible.

I'm telling you lastpass have scored ace with their application. If they gave away source code it would be awesome.