Any explanation of Why to not store passwords in plaintext and encrypt folder in zip archive (I guess U cant break pass?) Pls don’t be agressive!!
Because it’s bad, prone to errors, user interface is poor and relies on you following your process perfectly every time.
Bitwarden.
Or KeePass.
KeepassXC if you’re on Linux and KeepassDX on android, preferably on Fdroid.
If you do this, you’ll start writing small scripts to help you with repeating tasks, to simplify somethings, then you’ll start looking for help trying to improve those scripts, then you’ll find better written and tested ones and start replacing yours with those, one by one. Then you’ll probably find pass or other terminal password manager. It can be a fun learning experience but sooner or later you’ll end up using a password manager.
Ah, the programmers pilgrimage. The first hill that they must climb is the one where they spend 12 days automating something that would have taken 10 seconds every time + half hour setup time.
Pass is pretty cool, used it for many years
Now switched to vaultwarden so it’s more user friendly for my girlfriend
There’s two avenues for opening an encrypted file, attacking the password/access method or attacking the encryption itself.
Generally using a basic zip-lock is not going to have a second factor, a rate limiting mechanism, anything really other than the password to stop a random brute force effort if they got a hold of the file for local processing.
Using something with some front end protection like bit warden with 2FA or keepass with the key file option added in makes it more a task of going after the crypto itself which is a much much harder approach.
Depends against whom you are protecting yourself. If it’s against
- your younger sibling then it’s probably sufficient
- some script kiddie or scammer running scripts against the most typical setups, might be just obscure enough
- a proper targeted attack, then it will depend on which zip software you are using. Most likely the stock one that might (I didn’t bother checking) relying on something that is far from the state of the art in terms of encryption. In that case it will most likely not be secure.
- a proper attack but you use something like 7z with encryption that is relatively resilient, then most like if you are not facing state actors with huge amount of resources to try to crack it, most likely secure
Note I’m NOT a security expert so… don’t believe me.
In many unzip utilities, they use temp files that you wouldn’t be paying attention to. These temp files will contain your credentials and you won’t know where they are or if they got deleted.
And even if they’re deleted by the archive program, it’s likely a normal deletion, and not a secure delete where the original data is overwritten with random data before deleting the entry in the file system, which could be potentially recovered.
Also an excellent point
I use KeePassXC
It stores your passwords in an encrypted file, then i use the random password generator, the browser extension and free phone apps to autofill everything.
(It is up to you to sync the file between devices)
If your goal is to “self-host” a password manager, you might as well use Keepass + SyncThing.
- free software
- master password protected
- has organization and auto-fill features
- can sync across multiple devices
Usually the downfall of rolling your own password manager is it’s easier to make mistakes and accidentally lock yourself out. Or if you don’t keep backups/replicas then you could easily lose your passwords.
Or self host Bitwarden and you don’t have to bother with syncing the file around.
Vaultwarden (server) + bitwarden (application, extensions), and save money while getting most enterprise features.
Bad UX and lack of any integration like autofill or autotype, thats it.
Zip uses very bad encryption that is vulnerable to a known plaintext attack. Do not ever use PKZIP encryption for any purpose https://github.com/kimci86/bkcrack
Very bad, because the usability of such a scheme would be a nightmare. If you have to unzip the files every time you need a password, that’d be a huge burden. Not to mention that unzipping it all would leave the files there, unprotected, until you delete them again (if you remember deleting them in the first place). If you do leave the plaintext files around, and only encrypt & zip for backing up, that’s worse than just using the plaintext files in the backup too, because it gives you a false sense of security. You want to minimize the amount of time passwords are in the clear.
Just use a password manager like Bitwarden. Simpler, more practical, more secure.
I dont see the “manager” part in your zip archive…
More like a bunch of text files… and you are doing the job of the managerRemoved by mod
This depends on how the decompressor is implemented. It’s certainly possible to do it all in memory.
Removed by mod