[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Add Password manager by default


#16

Sweet.

What does it take to get the new KPX on debian? Someone to maintain it? Who would be interested?

Patrick, could you:
Ask on the Tails list why they went with KPX over the competitors, even though it’s an unmaintained, pre-rewrite version?


#17

[quote=“JasonJAyalaP, post:16, topic:189”]Patrick, could you:
Ask on the Tails list why they went with KPX over the competitors, even though it’s an unmaintained, pre-rewrite version?[/quote]

Someone recently asked on the tails-dev mailing list. I can’t share the link to the public mailing list at the moment, because their mailing list archive is down at the moment. The thread subject was “Password manager”.

Anyway. It wasn’t a big answer anyway. Answer essentially was, see:
https://tails.boum.org/todo/install_password_manager/

Bits about “password manager” can also be searched in their design:
https://tails.boum.org/contribute/design/


#18

Looks like Tails (still based on Squeeze) didn’t have the “chance*” to take KeePass, since neither the package nor the dependency (mono) is in Squeeze.

*They had the chance, but it would have cost a lot more effort.

Since their limitations (being based on Squeeze at time of decision) don’t apply to Whonix, I am not sure if their choice will help us deciding this for Whonix.

Maybe they also decided for KeePassX, because it is more popular (according to popcon).


#19

I’m guessing Tails choose KPX over FPM2 because it’s more popular.

Suggestion - for now let’s include FMP2, when (or if) KeePassX (stable) gets in Debian, we’ll reevaluate the situation.


#20

Looks quite bad for KeePassX. It’s maintenance in Debian seems suboptimal. See this bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693399
A new version had been packaged in November 2012, but the Debian maintainer hasn’t answered since then.

Looks like fpm2 then.


#21

fpm2 has been removed from Debian stretch. ( https://packages.debian.org/search?searchon=names&keywords=fpm2 )

Reason… Quote https://ftp-master.debian.org/removals.txt

[Date: Thu, 30 Apr 2015 12:15:11 +0000] [ftpmaster: Scott Kitterman]
Removed the following packages from unstable:

  fpm2 |     0.79-3 | source, amd64, arm64, armel, armhf, i386, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, ppc64el, s390x, sparc
  fpm2 |  0.79-3+b1 | hurd-i386

Closed bugs: 783762

------------------- Reason -------------------
ROM; obsolete, low popcon, dead upstream, better alternatives

Also closing bug(s): 542174 609686 647440
Also closing WNPP bug(s): 752392

It won’t come back. Looks like.

So it’s either no password manager installed by default for Debian stretch based Whonix or another one. Suggestions welcome.


#22

A good replacement s Schneier’s passwordsafe but its only available in Stretch and Sid.

https://packages.debian.org/sid/utils/passwordsafe

https://www.schneier.com/blog/archives/2014/09/security_of_pas.html


#23

We can wait quite some time for it to enter stretch.


#24

What is command line to install KeePass?
Tried
sudo apt-get install keepass2 it doesnt work.


#25

"same as in Debian"
https://www.whonix.org/wiki/Support#Free_Support_Principle


#26

KeePass’ reaction to a MITM bug report against its Update Check:

http://seclists.org/fulldisclosure/2016/Jun/2

8.2.2016 @ 15:45: Received response from Dominik Reichl: The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it a inviable solution.

I don’t feel comfortable using software whose developers’ priorities are so twisted.


#27

Good day,

That doesn’t even make sense considering the fact that, aside from apparently having their priorities quite wrong, they seemingly never considered the abundance of solutions, like hosting the downloads on different, secure servers like Putty does or simply waiting a few months until every advertiser uses HTTPS as it is starting to become more and more affordable, as well as enforced by Google…

This reaction really makes them seem both untrustworthy, as well as (at least seemingly) not willing to provide the product they claim to provide.

Have a nice day,

Ego


#28

I just wanted to add that the current version (2.0.2) of KeePassX is available in jessie-backports since March (2016) and the bug report Patrick mentioned has been closed last year (2015).


#29

@Occq are you still with us, still interested in this?

Can you add this please to the wiki page? ( https://www.whonix.org/wiki/Dev/Password_Manager )

Can you also please make a mention / stub about passwordsafe?


#30

Done.


#31

My experience:

KeePass 2 - Bloated with mono dependencies and poor UI under Linux

KeePassX 0.43 - Works decently, tried and tested, but barebones, imports have issues, headed toward deprecation

KeePassX 2.0.2 - Works, less bloated than KeePass 2, but has issues interacting with virtual machines (when used on host) that were not present in 0.43, forced one-way import of KeePassX 0.43 databases, some small UI issues

KeePassX 2 seemed like the only way forward but the issues with VM interaction (auto-type) sent me back to 0.43.

Saw PasswordSafe in sid but didn’t give it a chance.


#32

I don’t use auto-type, but the awful UI sent me back to 0.43. In a non-networked vm, 0.43 seems “good enough”. Will give Passwordsafe a go - Schneier’s brand should give it some activity.


#33

Passwordsafe 0.98.1BETA (2016-04) is available in jessie-backports:
https://packages.debian.org/jessie-backports/passwordsafe

Fully featured, extensive options. Tree View UI is somewhat lacking IMO.


#34

Agreed. There are sufficient options, but tree view displays information very poorly and with no icons, clearly inferior to KeepassX. Double-click is unreliable depending on the action you have it set to (probably a bug).

The dragbar is a nice feature, but I haven’t put the auto-type or copy paste features through their paces to know if they’re reliable (for my own needs). Apart from deprecation this (functional auto-type) would be the only incentive I have to use (rather, move to) passwordsafe.


#35

The dragbar is quite useful within a guest VM for quick copying fields without keyboard. But it can’t copy from host to guest (N/A for Whonix itself).

The Auto-Type only works from host to guest (N/A for Whonix itself) if you select the “Use alternate auto-type” in the options. With it enabled, it does not appear to choke the way KeePassX2 does (but only tried it only now; was running it in a guest only before).