Encrypted password repository with a master password

petr.pavel
Donor
Posts: 21
Location: Praha, Czech Republic

Encrypted password repository with a master password

Hello Martin,
here's an idea for future development.

I like Mozilla's approach to saving passwords - if I set a master password to the password storage, saved passwords are encrypted and cannot be decrypted without the master password.

What bugs me though, is that I have to enter the master password each time my Firefox starts.

My list of saved connections in WinSCP (FAR plugin) is pretty long and contains all sorts of sites where I don't want to store my public ssh key, or where I'm forced to use plain FTP connections (yuck).

I don't feel good about saving passwords when they can be decrypted but hell, I'm lazy and I'm not going to copy/paste the passwords from my Secret! Desktop (http://linkesoft.com/secret/desktop.html).

It would be great if you could implement a password storage much like Mozilla has. But that wouldn't be enough for me :-)

Since you already work with PuTTY Pageant very well, you could use its ssh key as the master password. I would then only need to enter the passphrase into Pageant and it would unlock my saved passwords in WinSCP. Nifty, huh?

Now I know this is a lot of work so I'm willing to put some money into this. Could you please contact me at petr.pavel zavinac/at pepa.info if you're interested? I'm not a company so please don't expect much.

Thanks
Petr

P.S.: And of course, thanks very much for all your hard work. It is appreciated every day.
_________________
Life is what you make it.
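
The master-password storage described in the post above, as an added example (not part of the thread and not WinSCP's or Mozilla's code): a key stretched from the master password with PBKDF2 encrypts each saved password, and a wrong master password or a modified entry is rejected by the MAC check. The iteration count, host name and sample passwords are constructed, and because Python's standard library has no AEAD cipher, an HMAC-SHA256 keystream with encrypt-then-MAC stands in for one such as AES-GCM.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; makes each offline guess slow

def unlock(master, salt):
    """Stretch the master password once, then split it into cipher and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    return (hmac.digest(root, b"encrypt", "sha256"),
            hmac.digest(root, b"authenticate", "sha256"))

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.digest(key, nonce + counter.to_bytes(4, "big"), "sha256")
        counter += 1
    return out[:length]

def seal(keys, password):
    """Encrypt one saved password; layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)  # fresh per entry so keystreams never repeat
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.digest(mac_key, nonce + ct, "sha256")

def open_sealed(keys, blob):
    """Verify the tag before decrypting; a wrong master password fails here."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, nonce + ct, "sha256")):
        raise ValueError("wrong master password or modified entry")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()

def demo():
    # Constructed sample data: one saved session password for a made-up host.
    salt = os.urandom(16)  # not secret; stored in clear beside the entries
    blob = seal(unlock("correct horse", salt), "s3cret-ftp")
    ok = open_sealed(unlock("correct horse", salt), blob)
    try:
        open_sealed(unlock("wrong guess", salt), blob)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected, b"s3cret-ftp" in blob
```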

martin
Site Admin
Posts: 27,253
Location: Prague, Czechia

Re: Encrypted password repository with a master password

This request has been added to tracker.

But I do not give it high priority atm... :-)
_________________
Martin Prikryl

aaron_w
Posts: 3
Location: Albuquerque, NM USA

Another possible approach to securing stored passwords ...

Here's an idea that might be easier to implement --- I notice that WinSCP allows storage of its configuration in an ini file as opposed to the registry -
If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)

Certainly this is not as comprehensive as what's being proposed, but it seems like an easy-to-implement feature that could allow for better security.

Now protecting disk encryption against cold boot attacks, that's another story. :) I'm not sure if the proposed system below would protect against that either ...

martin
Site Admin
Posts: 27,253
Location: Prague, Czechia

Re: Another possible approach to securing stored passwords ...

aaron_w wrote:

If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)
You can specify a path to an INI file using /ini command line parameter.
_________________
Martin Prikryl

aaron_w
Posts: 3
Location: Albuquerque, NM USA

Re: Another possible approach to securing stored passwords ...

martin wrote:

aaron_w wrote:

If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)
You can specify a path to an INI file using /ini command line parameter.

Oops. Ok. Cool. Well, thank you for pointing that out to me. :)

Aaron

petr.pavel
Donor
Posts: 21
Location: Praha, Czech Republic

Re: Another possible approach to securing stored passwords ...

martin wrote:


You can specify a path to an INI file using /ini command line parameter.

I assume this is only true for the stand-alone WinSCP, not for FAR Manager plug-in. I mean there's no way to tell the plug-in to save into ini, instead of to the registry, right?

aaron_w wrote:

Here's an idea that might be easier to implement --- I notice that WinSCP allows storage of its configuration in an ini file ... it could easily be stored on an encrypted filesystem, such as TrueCrypt.

Sorry for crushing the party but my concern is malware, not theft. I don't want malicious software to have access to my password storage and TrueCrypt wouldn't help me here. If I can access the encrypted filesystem then so can the malware.

Petr
_________________
Life is what you make it.

aaron_w
Posts: 3
Location: Albuquerque, NM USA

Re: Another possible approach to securing stored passwords ...

petr.pavel wrote:



Sorry for crushing the party but my concern is malware, not theft. I don't want malicious software to have access to my password storage and TrueCrypt wouldn't help me here. If I can access the encrypted filesystem then so can the malware.

Petr

Ah. Good point, of course.

martin
Site Admin
Posts: 27,253
Location: Prague, Czechia

Re: Another possible approach to securing stored passwords ...

petr.pavel wrote:

martin wrote:


You can specify a path to an INI file using /ini command line parameter.

I assume this is only true for the stand-alone WinSCP, not for FAR Manager plug-in. I mean there's no way to tell the plug-in to save into ini, instead of to the registry, right?
Correct.
_________________
Martin Prikryl

Martin Heidegger
Guest

Using Passwords with command line

I am using KeePass and with that an included master password to ensure that the passwords I use are safe. I wanted to call WinSCP by using the cmd:// pattern in KeePass URLs. The idea: if you double click a "location" it opens WinSCP with the password. Unfortunately I didn't find a way to pass the password with the current command line options of WinSCP. It would be a great leap if you could add support for that.

martin
Site Admin
Posts: 27,253
Location: Prague, Czechia

Re: Using Passwords with command line

Martin Heidegger wrote:

I am using KeePass and with that an included master password to ensure that the passwords I use are safe. I wanted to call WinSCP by using the cmd:// pattern in KeePass URLs. The idea: if you double click a "location" it opens WinSCP with the password. Unfortunately I didn't find a way to pass the password with the current command line options of WinSCP. It would be a great leap if you could add support for that.
Password can be specified as part of session URL.
_________________
Martin Prikryl

Martin Heidegger
Guest

True

But if I use the session URL then it won't store the rest of the customized settings of the session; in other words, I cannot store things like "favorite paths" or "custom home directory".

martin
Site Admin
Posts: 27,253
Location: Prague, Czechia

Re: True

Martin Heidegger wrote:

But if I use the session URL then it won't store the rest of the customized settings of the session; in other words, I cannot store things like "favorite paths" or "custom home directory".
OK. So how do you want to work with sessions of WinSCP from KeePass?
_________________
Martin Prikryl

Martin Heidegger
Guest

Re: True

martin wrote:

Martin Heidegger wrote:

But if I use the session URL then it won't store the rest of the customized settings of the session; in other words, I cannot store things like "favorite paths" or "custom home directory".
OK. So how do you want to work with sessions of WinSCP from KeePass?

It would be nice if there were an optional parameter for "winscp.exe [session] -p=[password]". This would allow KeePass (or any other application) to start a session while having all passwords stored at one point. In a way this would solve the initial issue of having one master key for WinSCP.

martin
Site Admin
Posts: 27,253
Location: Prague, Czechia

Re: True

Martin Heidegger wrote:

It would be nice if there were an optional parameter for "winscp.exe [session] -p=[password]". This would allow KeePass (or any other application) to start a session while having all passwords stored at one point. In a way this would solve the initial issue of having one master key for WinSCP.
This request has been added to tracker.
_________________
Martin Prikryl
