Ask HN: Password Gorilla last commit 3 years – give up on open source pwd mgr?

I've read everything I can find on HN and other sources about password managers. I was influenced by this paper "On the Security of Password Manager Database Formats" (http://www.cs.ox.ac.uk/files/6487/pwvault.pdf), it indicates PasswordSafeV3 is the only DB secure vs. Read/Write attacks (safe to store the DB in the cloud). Eventually I decided on Password Gorilla (https://github.com/zdia/gorilla) based on criteria I'll list below.

Now I realize that the github repo hasn't had a commit in 3 years, 3 years of new vulnerabilities. There is an updated (2014-10-27) version linked to their site, but this is obviously not part of the open source code in repo, so I may as well just trust the fancy new closed source products.

I'm in a quandary:

- 2nd choice: pwsafe.org is a secure DB and source code is available on sourceforge, so theoretically I can trust that malicious/crap code in there would be discovered by security researchers. But it is only available for OSX from unknowns that are not open source. (https://pwsafe.org/downloads.shtml)
- 3rd choice: [KeePassX](https://github.com/keepassx/keepassx), active development, fails the standard of RW attacks researched in the paper. Open source yet inferior database is unsafe to store on G-drive, dropbox.

It looks like I have no choice but go ahead and trust an unknown software developer and hidden source code, even for the 'open source' product, might as well go with LastPass or Dashlane, which are closed source but which at least have resources and very active development and responsiveness to reported vulnerabilities. Oh and LastPass was acquired by LogMeIn so trust is even shakier.

My criteria for choosing:
- OSX and Linux
- Open Source, because I believe that it meets a higher standard of security
- Must time-out or reauthenticate after inactivity
- Support 2 Factor Authentication
- iOS client would be nice
- I'm only storing tier-two passwords.

  • Did you see that Keepass introduced fixes to the issues raised in that paper before it was released, thanks to the responsible disclosure by the authors? http://keepass.info/help/kb/db_headerauth_upg.html
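The "secure vs. read/write attacks" criterion from the paper in the original post, and the header-authentication upgrade linked in the comment above, both come down to one property of the file format: the integrity check must cover the header (salt, KDF parameters, nonce) as well as the encrypted body, and must be verified before anything is decrypted, so that someone who can write the file in cloud storage cannot silently alter it. As an added illustration (not code from Password Gorilla, Password Safe, KeePass or the paper), here is a minimal stdlib-only Python container with that structure; the file layout, the `PWDB` magic, the iteration count and the HMAC-SHA256 counter-mode keystream (a stand-in because the Python stdlib has no AES) are all constructed for the example.

```python
"""Authenticated password-vault container (constructed example, not a real format).

Layout:  MAGIC(4) | kdf_iters(4, big-endian) | salt(16) | nonce(16) | body | tag(32)
The HMAC tag covers the header AND the body, so a change to any byte, including the
KDF parameters in the header, is detected before decryption is attempted.
"""
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"PWDB"          # constructed file signature
KDF_ITERS = 200_000      # PBKDF2-SHA256 iteration count chosen for the example
HEADER_LEN = 4 + 4 + 16 + 16
TAG_LEN = 32


def derive_keys(master_password, salt, iters):
    """Derive independent encryption and MAC keys from the master password."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iters, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password, entries):
    """Encrypt a dict of entries and return the vault file bytes."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, KDF_ITERS)
    plaintext = json.dumps(entries).encode()
    body = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + struct.pack(">I", KDF_ITERS) + salt + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def open_vault(master_password, blob):
    """Verify the whole file, then decrypt. Raises ValueError on any modification."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:4] != MAGIC:
        raise ValueError("not a vault file")
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    iters = struct.unpack(">I", header[4:8])[0]
    salt, nonce = header[8:24], header[24:40]
    # KDF parameters come from the (MAC-covered) header; a tampered iteration
    # count changes the derived MAC key, so the tag check below fails.
    enc_key, mac_key = derive_keys(master_password, salt, iters)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault was modified or wrong master password")
    return json.loads(xor_bytes(body, keystream(enc_key, nonce, len(body))))


def tamper_detected(master_password, blob, offset):
    """Flip one bit at `offset` (a 'write attack') and report whether opening fails."""
    tampered = bytearray(blob)
    tampered[offset] ^= 0x01
    try:
        open_vault(master_password, bytes(tampered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = seal("correct horse", {"example.com": "constructed-password"})
    print(open_vault("correct horse", vault))
    print("header tamper detected:", tamper_detected("correct horse", vault, 7))
    print("body tamper detected:", tamper_detected("correct horse", vault, HEADER_LEN))
```

The design point worth noticing is the order of operations in `open_vault`: the tag is checked over header plus body before a single byte of ciphertext is used, and the KDF parameters are read from a region that the tag covers. A format that leaves the header outside the MAC, or decrypts before verifying, is exactly what lets a write-capable attacker (cloud storage, shared drive) change parameters or ciphertext without the user noticing.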

  • I actually wrote a JS-based encryption container which passes these requirements (and does not even have PasswordSafeV3's key-reuse problem!) for these very reasons about 2 years ago, and one of its example applications in the repository, 'tagaloop', can function as a password storage container:

    https://github.com/drostie/nermal

    Tagaloop does not time-out or re-authenticate for you, and since I'm not selling the service I can't offer 2FA, but of course if you wanted to build a company out of this stuff it's open-source. In addition nermal makes the deliberate decision to not support "seek" operations, so it does not e.g. store a header field which could then be scanned in advance to index a bunch of concatenated binary strings -- this is not bad for password storage where the metadata outnumbers the data by a factor of 2 or 3 so there's no point, but other applications like storing an encrypted archive of files might suffer.

  • I used password gorilla for years until 2015, when I switched to keepassx.

    I had similar concerns about how it felt that password gorilla remained unchanged for periods of time, regardless of whether I would know if there was a vulnerability or not. It was more...it felt stable (which was fine) but not "this will be here forever!" to me. I recognize I could've forked it (or something similar) but I don't (yet) know tcl/tk and don't feel comfortable "owning" my own password manager for security-related stuff.

    I can recommend keepassx/family (I had, long ago, chosen password gorilla for Windows & Linux support) but, at this point if you are moving, find something you are comfortable with (that's updated!).

  • How many passwords are you storing currently? And are you using password managers for the convenience of not having to commit secure passwords to memory, or for the ease of automatic password entry?

    Sticky notes are a hallmark of bad security, but that doesn't mean a pen-and-paper approach has to be ruled out entirely. Depending on how you answered the last two questions, a small notebook containing the passwords written out in some format other than plain text could be a surprisingly viable contender for any software password manager.

  • Interesting. I am not really into PWGorilla, but some friends are. They are constantly recommending it to me, although we are kind-of forced from the company to use a closed source pw manager (1pass).

    Is there anything particularly security related that is concerning you regarding pw-gorilla vulnerabilities?

    So far I can recommend 1pass, though it's not for free. If you have any particular concerns with 1pass security wise I would be interested too (except it's closed source).

    Thx.

  • You can compile pwsafe QT GUI for OS X very easily. However, the GUI feels out of place because of QT.