I'm starting to have a big list of passwords I need safely stored. I was looking at password managers like LastPass, but these always seem to be targetted by hackers and have been compromised before.
Would I lose anything from storing my passwords in a text document that I encrypt myself using AES 256? Then just decrypt when I want the password?
Considering those compromises you mention, do you think that encrypting files yourself will be easy? How do you know you won't get into those same pitfalls that resulted in compromises of password managers?
AES 256 is believed to be computationally secure. Every computer ever made working simultaneously to brute force the key, working since the beginning of time, would have a probabilistically negligible chance of ever finding the key to an encryption.
However: a secure algorithm doesn't guarantee a secure implementation. Just to give you an example, here are a few questions you should ask yourself:
Password managers are designed with those (and perhaps many others) concerns in mind. It's almost impossible to get everything right when doing it yourself the first time, especially if you're not a security expert.
You'd lose the ability to generate random passwords at the click of a button, which might mean you tend towards weaker passwords from the lack of convenience - one of the benefits of password manager apps, whether online or offline, is the generation of long random strings.
However, you would keep the security of the passwords being safe if you lost a copy of the file, assuming you use the encryption method correctly.
Depending on how you did it, you might introduce a new issue for shoulder-surfing - with most password managers, only the password you want to use is displayed. If your text file includes multiple passwords, you might expose them all when viewing a specific one. You could avoid that by having multiple files, or a single file with really big gaps in between passwords, I suppose.
You probably also don't get as much assurance that the decrypted data isn't written to disk - password manager apps tend to be very careful to keep decrypted passwords in memory, but you'd have to ensure your decryption handling does the same yourself.
Would I lose anything from storing my passwords in a text document that I encrypt myself using AES 256?
Security wise, no. Convenience wise, yes. It depends of how you keep your password stored and on the length of the key. But yes, you could definitely do it yourself.
In your point, it is a good idea to store passwords locally in your own application without going for a commercial product. Because you do not know what are the vulnerabilities exist in those products and how many hackers are targeting those applications.
If you are going to build your own tool , following are the things you need to concern.
If we take the Java as an example (I do not know how much you are familiar with it), following are the things you need to consider.
Would I lose anything from storing my passwords in a text document
No. You would not if you are using the correct algorithm.
AES 256?
If you are using Java, this is not possible because of key size restrictions are implemented in the Cipher class of Java. Either you need to depend on the Bouncycastle Cryto library or use unlimited strength JCE files. But then again you need to check your Jurisdiction laws before using this if you are planing to export your encrypted data.
My suggestion is go ahead with AES 128 because its kinda like defacto standard in the industry now.
The beast way to secure your encrypted data in your context is, using Java's object encryption using SealedObjects because I think it is an extra burden to use a DB to store your encrypted data.
Store your keys in a Javakey store becuase it is one of the best ways to store and distribute your encryption keys.
You can create a Java application which excepts the password for your Keystore and doing the encryption and decryption. You can simply create a class like follows and manage your passwords. Do a key search after you decrypt the array/list of objects.
public class PasswordStore {
private String Key;
private char[] passwd;
private Date Updated;
public String getKey() {
return Key;
}
public void setKey(String Key) {
this.Key = Key;
}
public char[] getPasswd() {
return passwd;
}
public void setPasswd(char[] passwd) {
this.passwd = passwd;
}
public Date getUpdated() {
return Updated;
}
public void setUpdated(Date Updated) {
this.Updated = Updated;
}
You can finally encrypt an object something like as follows.
private List<PasswordStore> passwords;
Keep in mind to use other secure programming techniques such as not to store your password in string variables because strings are immutable and vulnerable to memory hijacking attack.
You might be interested in pass.
With
pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
passmakes managing these individual password files extremely easy. All passwords live in~/.password-store, andpassprovides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes usinggit.
Although I agree with the general sentiment that a password manager designed for the task is best, I'll go out on a limb and propose that for some use cases an encrypted text file works fine. You'll need to be sure that unencrypted data is never written to disk, the best way that I've found is to have the text editor transparently encrypt and decrypt the file.
I use VIM for the purpose. In VIM 7.4 add the following to your ~/.vimrc file:
if !has("nvim")
:set cryptmethod=blowfish
endif
Now open a new file as such:
$ vim -x secrets.txt
VIM will ask twice for a password.
Now you can open the file without the -x flag and VIM will ask for a password on each open. Saving and editing works normally (well, normal for VIM).
I'm not aware of anything on Android or iOs that will be able to decrypt the file, mind you. I personally use LastPass for my normal passwords, and use VIM encryption for some specialty work that needs to be compartmentalized.
I would not write your own because that has its own risks and takes a lot of time. Unless you are just wanting a project.
What I did was search for a password manager that stays out of the spotlight. The one I found creates a encrypted database file that you can store locally or in a cloud service like Dropbox, etc (This is nice because you pick a cloud and it isn't just one company's cloud hackers have to focus on). It has a basic app that allows you to tag passwords and generate strong passwords. It may not have some of the cool features like lastpass or dashlane, but it also doesn't have a cloud that is continually getting attacked.
Sorry I am not going to share the name of the one I use (keeping it out of the spotlight and all), but do your research and you will find a good one that isn't a big name one and that you don't have to program yourself.
