Add Password manager by default

The way I see it we have 3 choices.

Figaro’s Password Manager 2.

Tails is using KeePassX, Liberte Linux is using Figaro’s Password Manager 2.

For me it’s between X and FPM2.

Cerberus suggested KeyPass or KeyPassX (I don’t remember). I generally agree to have one installed by default. And willing to hear which one is best choice and why.

See also, criteria for installing applications by default in Whonix (not written in stone):

Cerberus suggested KeyPass or KeyPassX (I don't remember)
I suggested KeePassX [1]. KeePass [2] is Windows software.


Any special reason you prefer KeePassX over FPM2, Cerberus?

Prior you mentioning it, I actually never heard about FPM2 before. With my real identity, I use KeePassX daily. I chose it as it’s cross-platform (the various KeePass derivatives) - works on Linux, Windows, Mac, Android + iOS (not sure about the latter one) and actually is the only PW Manager solution for that matter that I have completely under my own control (vs hosted solutions). Also Tails (which I use daily) is shipping it.

FPM2 is definitely my choice for feather-light flavor. Give it a go if time allows.

Support for others systems is irrelavent IMO for Whonix. Separate identities, separate machines.

I believe feather-light and vanilla Whonix should have some different applications so we can test both and in the future decide if we need to change one or the other so my suggestion here is KeePassX (and FPM2 for light).

Will give it a go! But, I’m not planning to ship packages with feather that are redundant to packages already shipping with Whonix Base. Just replacing KDE (tools). Whonix package selection is courtesy of Patrick. That is, if we decide on KeePassX for Whonix Base, it’s KeePassX for feather as well.

As a sidenote: feather is a major pita anyway atm. Some packages either not at all or horribly outdated in Wheezy. Also, having other issues - mostly cosmetic (needs research). Low on time the last days/weeks. I have feather desktop running on LiveUSB and I try to further improve it step by step.

Support for others systems is irrelavent IMO for Whonix. Separate identities, separate machines.
Second this!

Scratch that.

Whonix feather-light and Whonix vanilla should both have the same password manager so if one wants to change the flavor, they can migrate their passwords.

Back to the FPM2 vs. KeePassX test battle then.

Anyone know how why they chose keepassx over figaro? The tails tracker doesn’t say why or link to any discussion.

Figaro seems minimal (which is good). KeepassX is QT (doesn’t that make it fit in with KDE better than figaro’s Gnome 2.x code?) and seems more full featured (which is a good thing assuming they keep it user friendly)

Great question.
Might be a good place to ask.

Should not be a problem. Whonix already ships with oxygen-gtk.

I would be careful praising feature abundance. My opinion is that application of high value (password managers, encryption software and so on) should not be an octopussy of functions. The smaller attack surface, the better.

Is there any specific feature that you miss in FPM2?

FPM2 seems to be more up-to-date in Debian repos then KeePassX.

Current release: 2.0 Alpha 5 (December 2013 )
Debian package: 0.4.3 (March 2010)

2.0 is a complete rewrite of the software and 0.4.3 is not longer being maintaned.

Figaro’s Password Manager 2
Current release: 0.79 (January 2011)
Debian package: 0.79 (January 2011)

In case of application that only locally stores passwords, that doesn’t store any passwords… I wouldn’t know how that application could be attacked, what attacker capabilities could lead to easier compromise of the system. Since I don’t believe the argument of “more features = always automatically more attack surface”, especially not for applications that don’t parse untrusted data or connect to networks… Please open a new thread and show how a very feature rich calculator with scientific functions causes a bigger attack surface than one with only basic functions.

Whonix already ships with oxygen-gtk.
Small note, Whonix will ship this in future versions for only for the kde flavor by default. We might get other flavors in future (featherweight, lxde, xfce, etc.) that won't ship it by default.

Features certainly have a cost. If not security, then bugs and UI complexity. But not having a feature that a user needs renders the whole program useless. I’ve used the-minimal-alternative before – and enjoyed its simplicity – only to be faced with a dilemma: Do I stay minimal and go without a feature I’m dying to have, or do abandon the cleaner app and embrace the bloat/ugly one?

Wait… Debian repos have a 4 year old, unmaintained, pre-rewrite version of KeepassX?

Other flavors should play nice with GTK2 apps.

Having an outdated version in Debian repos is a pretty good reason against it.

Can someone make a wiki page Dev/Password Manager - Kicksecure please and list pros/cons reasons for/against the three candidates please to make choosing one simpler?

Good work, Occq!


What does it take to get the new KPX on debian? Someone to maintain it? Who would be interested?

Patrick, could you:
Ask on the Tails list why they went with KPX over the competitors, even though it’s an unmaintained, pre-rewrite version?

[quote=“JasonJAyalaP, post:16, topic:189”]Patrick, could you:
Ask on the Tails list why they went with KPX over the competitors, even though it’s an unmaintained, pre-rewrite version?[/quote]

Someone recently asked on the tails-dev mailing list. I can’t share the link to the public mailing list at the moment, because their mailing list archive is down at the moment. The thread subject was “Password manager”.

Anyway. It wasn’t a big answer anyway. Answer essentially was, see:

Bits about “password manager” can also be searched in their design:

Looks like Tails (still based on Squeeze) didn’t have the “chance*” to take KeePass, since neither the package nor the dependency (mono) is in Squeeze.

*They had the chance, but it would have cost a lot more effort.

Since their limitations (being based on Squeeze at time of decision) don’t apply to Whonix, I am not sure if their choice will help us deciding this for Whonix.

Maybe they also decided for KeePassX, because it is more popular (according to popcon).

I’m guessing Tails choose KPX over FPM2 because it’s more popular.

Suggestion - for now let’s include FMP2, when (or if) KeePassX (stable) gets in Debian, we’ll reevaluate the situation.

Looks quite bad for KeePassX. It’s maintenance in Debian seems suboptimal. See this bug report:
A new version had been packaged in November 2012, but the Debian maintainer hasn’t answered since then.

Looks like fpm2 then.