Topic "Encrypted password repository with a master password"

petr.pavel
Donor
Joined: 2004-12-21
Posts: 21
Location: Praha, Czech Republic
Hello Martin,
here's an idea for future development.

I like Mozilla's approach to saving passwords - if I set a master password to the password storage, saved passwords are encrypted and cannot be decrypted without the master password.

What bugs me though, is that I have to enter the master password each time my Firefox starts.

My list of saved connections in WinSCP (FAR plugin) is pretty long and contains all sorts of sites where I don't want to store my public ssh key, or where I'm forced to use plain FTP connections (yuck).

I don't feel good about saving passwords when they can be decrypted but hell, I'm lazy and I'm not going to copy/paste the passwords from my Secret! Desktop (http://linkesoft.com/secret/desktop.html).

It would be great if you could implement a password storage much like Mozilla has. But that wouldn't be enough for me :)

Since you already work with PuTTY Pageant very well, you could use its ssh key as the master password. I would then only need to enter the passphrase into Pageant and it would unlock my saved passwords in WinSCP. Nifty, huh?

Now I know this is a lot of work so I'm willing to put some money into this. Could you please contact me at petr.pavel zavinac/at pepa.info if you're interested? I'm not a company so please don't expect much.

Thanks
Petr

P.S.: And of course, thanks very much for all your hard work. It is appreciated every day.
_________________
Life is what you make it.
martin
Site Admin
Joined: 2002-12-10
Posts: 24991
Location: Prague, Czechia
This request has been added to tracker.

But I do not give it high priority atm... :)
_________________
Martin Prikryl
aaron_w

Joined: 2008-08-19
Posts: 3
Location: Albuquerque, NM USA
Here's an idea that might be easier to implement --- I notice that WinSCP allows storage of its configuration in an ini file as opposed to the registry -
If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)

Certainly this is not as comprehensive as what's being proposed, but it seems like an easy-to-implement feature that could allow for better security.

Now protecting disk encryption against cold boot attacks, that's another story. :) I'm not sure if the proposed system below would protect against that either ...
martin
Site Admin
Joined: 2002-12-10
Posts: 24991
Location: Prague, Czechia
aaron_w wrote:
If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)

You can specify a path to an INI file using /ini command line parameter.
_________________
Martin Prikryl
aaron_w

Joined: 2008-08-19
Posts: 3
Location: Albuquerque, NM USA
prikryl wrote:
aaron_w wrote:
If you were to make the location of the ini configurable, it could easily be stored on an encrypted filesystem, such as TrueCrypt. (truecrypt.org)

You can specify a path to an INI file using /ini command line parameter.


Oops. Ok. Cool. Well, thank you for pointing that out to me. :)

Aaron
petr.pavel
Donor
Joined: 2004-12-21
Posts: 21
Location: Praha, Czech Republic
prikryl wrote:

You can specify a path to an INI file using /ini command line parameter.


I assume this is only true for the stand-alone WinSCP, not for FAR Manager plug-in. I mean there's no way to tell the plug-in to save into ini, instead of to registry, right?

aaron_w wrote:
Here's an idea that might be easier to implement --- I notice that WinSCP allows storage of its configuration in an ini file ... it could easily be stored on an encrypted filesystem, such as TrueCrypt.


Sorry for crushing the party but my concern is malware, not theft. I don't want malicious software to have access to my password storage and TrueCrypt wouldn't help me here. If I can access the encrypted filesystem then so can the malware.

Petr
_________________
Life is what you make it.
aaron_w

Joined: 2008-08-19
Posts: 3
Location: Albuquerque, NM USA
petr.pavel wrote:


Sorry for crushing the party but my concern is malware, not theft. I don't want malicious software to have access to my password storage and TrueCrypt wouldn't help me here. If I can access the encrypted filesystem then so can the malware.

Petr


Ah. Good point, of course.
martin
Site Admin
Joined: 2002-12-10
Posts: 24991
Location: Prague, Czechia
petr.pavel wrote:
prikryl wrote:

You can specify a path to an INI file using /ini command line parameter.


I assume this is only true for the stand-alone WinSCP, not for FAR Manager plug-in. I mean there's no way to tell the plug-in to save into ini, instead of to registry, right?

Correct.
_________________
Martin Prikryl
Martin Heidegger

Guest


I am using KeePass, and with that an included master password, to ensure that the passwords I use are safe. I wanted to call WinSCP by using the cmd:// pattern in KeePass URLs. The idea: if you double-click a "location" it opens WinSCP with the password. Unfortunately I didn't find a way to pass the password with the current command line options of WinSCP. It would be a great leap if you could add support for that.
martin
Site Admin
Joined: 2002-12-10
Posts: 24991
Location: Prague, Czechia
Martin Heidegger wrote:
I am using KeePass, and with that an included master password, to ensure that the passwords I use are safe. I wanted to call WinSCP by using the cmd:// pattern in KeePass URLs. The idea: if you double-click a "location" it opens WinSCP with the password. Unfortunately I didn't find a way to pass the password with the current command line options of WinSCP. It would be a great leap if you could add support for that.

Password can be specified as part of session URL.
_________________
Martin Prikryl
Martin Heidegger

Guest


But if I use the session URL then it won't store the rest of the customized settings of the session. In other words: I cannot store things like "favorite paths" or "custom home directory".
martin
Site Admin
Joined: 2002-12-10
Posts: 24991
Location: Prague, Czechia
Martin Heidegger wrote:
But if I use the session URL then it won't store the rest of the customized settings of the session. In other words: I cannot store things like "favorite paths" or "custom home directory".

OK. So how do you want to work with sessions of WinSCP from KeePass?
_________________
Martin Prikryl
Martin Heidegger

Guest


prikryl wrote:
Martin Heidegger wrote:
But if I use the session URL then it won't store the rest of the customized settings of the session. In other words: I cannot store things like "favorite paths" or "custom home directory".

OK. So how do you want to work with sessions of WinSCP from KeePass?


It would be nice if there were an optional parameter for "winscp.exe [session] -p=[password]". This would allow KeePass (or any other application) to start a session while having all passwords stored at one point. In a way this would solve the initial issue of having one master key for WinSCP.
martin
Site Admin
Joined: 2002-12-10
Posts: 24991
Location: Prague, Czechia
Martin Heidegger wrote:
It would be nice if there were an optional parameter for "winscp.exe [session] -p=[password]". This would allow KeePass (or any other application) to start a session while having all passwords stored at one point. In a way this would solve the initial issue of having one master key for WinSCP.

This request has been added to tracker.
_________________
Martin Prikryl