this post was submitted on 21 Jan 2024
57 points (82.0% liked)

Privacy

32051 readers
1201 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Any explanation of Why to not store passwords in plaintext and encrypt folder in zip archive (I guess U cant break pass?) Pls don't be agressive!!

all 33 comments
sorted by: hot top controversial new old
[–] beta_tester@lemmy.ml 76 points 10 months ago (1 children)

You can develop apps in a text editor. We don't do it because we've got better tools. Text editor work but developer focused IDE's work much better and are very convenient.

it may encrypt your password but using kdbx files are much more convenient, efficient, etc.

[–] ebits21@lemmy.ca 10 points 10 months ago

develops most things in notepad 😬

[–] tatterdemalion@programming.dev 49 points 10 months ago* (last edited 10 months ago) (1 children)

If your goal is to "self-host" a password manager, you might as well use Keepass + SyncThing.

  • free software
  • master password protected
  • has organization and auto-fill features
  • can sync across multiple devices

Usually the downfall of rolling your own password manager is it's easier to make mistakes and accidentally lock yourself out. Or if you don't keep backups/replicas then you could easily lose your passwords.

[–] gray@pawb.social 8 points 10 months ago (1 children)

Or self host Bitwarden and you don’t have to bother with syncing the file around.

[–] wreckedcarzz@lemmy.world 2 points 10 months ago

Vaultwarden (server) + bitwarden (application, extensions), and save money while getting most enterprise features.

[–] ArbiterXero@lemmy.world 45 points 10 months ago (1 children)

In many unzip utilities, they use temp files that you wouldn’t be paying attention to. These temp files will contain your credentials and you won’t know where they are or if they got deleted.

[–] mp3@lemmy.ca 24 points 10 months ago* (last edited 10 months ago) (1 children)

And even if they're deleted by the archive program, it's likely a normal deletion, and not a secure delete where the original data is overwritten with random data before deleting the entry in the file system, which could be potentially recovered.

[–] ArbiterXero@lemmy.world 8 points 10 months ago

Also an excellent point

[–] algernon@lemmy.ml 43 points 10 months ago (1 children)

Very bad, because the usability of such a scheme would be a nightmare. If you have to unzip the files every time you need a password, that'd be a huge burden. Not to mention that unzipping it all would leave the files there, unprotected, until you delete them again (if you remember deleting them in the first place). If you do leave the plaintext files around, and only encrypt & zip for backing up, that's worse than just using the plaintext files in the backup too, because it gives you a false sense of security. You want to minimize the amount of time passwords are in the clear.

Just use a password manager like Bitwarden. Simpler, more practical, more secure.

[–] Supermariofan67@programming.dev 36 points 10 months ago* (last edited 10 months ago) (1 children)

Zip uses very bad encryption that is vulnerable to a known plaintext attack. Do not ever use PKZIP encryption for any purpose https://github.com/kimci86/bkcrack

[–] loutr@sh.itjust.works 5 points 10 months ago

They added AES encryption to the spec 20 years ago. It's pretty-well supported AFAIK.

[–] kureta@lemmy.ml 32 points 10 months ago (2 children)

If you do this, you'll start writing small scripts to help you with repeating tasks, to simplify somethings, then you'll start looking for help trying to improve those scripts, then you'll find better written and tested ones and start replacing yours with those, one by one. Then you'll probably find pass or other terminal password manager. It can be a fun learning experience but sooner or later you'll end up using a password manager.

[–] Gooey0210@sh.itjust.works 7 points 10 months ago

Pass is pretty cool, used it for many years

Now switched to vaultwarden so it's more user friendly for my girlfriend

[–] Tangent5280@lemmy.world 3 points 10 months ago

Ah, the programmers pilgrimage. The first hill that they must climb is the one where they spend 12 days automating something that would have taken 10 seconds every time + half hour setup time.

[–] cooopsspace@infosec.pub 22 points 10 months ago (1 children)

Because it's bad, prone to errors, user interface is poor and relies on you following your process perfectly every time.

Bitwarden.

Or KeePass.

[–] greywolf0x1@lemmy.ml 1 points 10 months ago

KeepassXC if you're on Linux and KeepassDX on android, preferably on Fdroid.

[–] utopiah@lemmy.ml 17 points 10 months ago (1 children)

Depends against whom you are protecting yourself. If it's against

  • your younger sibling then it's probably sufficient
  • some script kiddie or scammer running scripts against the most typical setups, might be just obscure enough
  • a proper targeted attack, then it will depend on which zip software you are using. Most likely the stock one that might (I didn't bother checking) relying on something that is far from the state of the art in terms of encryption. In that case it will most likely not be secure.
  • a proper attack but you use something like 7z with encryption that is relatively resilient, then most like if you are not facing state actors with huge amount of resources to try to crack it, most likely secure

Note I'm NOT a security expert so... don't believe me.

[–] bhamlin@lemmy.world 4 points 10 months ago* (last edited 10 months ago)

I don't know that I'd really add more. It all depends on who and what you're protecting against. The only thing that's secure is something that doesn't exist.

National level hackers have access to resources you might not be able to think of. And if they really want in, rubber hose cryptography is super effective. But most "hackers" on the Internet? And encrypted zip is often enough to deter them. Not impossible, but you might not be worth the time and effort.

In summary, there is better. Much better than an encrypted zip file. But only you can judge if you're a juicy enough target to pursue more esoteric protection.

[–] Imprint9816@lemmy.dbzer0.com 14 points 10 months ago

You can. You can also light your house with just candles. Its just not a very efficient or effective way of doing it and you lose out on modern features.

[–] xilliah@beehaw.org 13 points 10 months ago

To add to the rest: A manager also stores the history. And it has a pass generator. And lots of quality of life things.

[–] Pantherina@feddit.de 7 points 10 months ago

Bad UX and lack of any integration like autofill or autotype, thats it.

[–] ShellMonkey@lemmy.socdojo.com 7 points 10 months ago* (last edited 10 months ago)

There's two avenues for opening an encrypted file, attacking the password/access method or attacking the encryption itself.

Generally using a basic zip-lock is not going to have a second factor, a rate limiting mechanism, anything really other than the password to stop a random brute force effort if they got a hold of the file for local processing.

Using something with some front end protection like bit warden with 2FA or keepass with the key file option added in makes it more a task of going after the crypto itself which is a much much harder approach.

[–] topperharlie@lemmy.world 6 points 10 months ago

One thing to think about is the encryption quality of a zip file, which I ignore.

One danger that I see is that you have the risk of having the passwords on the clear all over the place many times. Not an expert so don't quote me on this, but password managers are careful avoiding passwords on the clear as much as possible.

I don't trust any online service for that, I am using keepass/syncthing for myself, with android as the only client decrypting (as I always have my phone with me). one example of advanced security measures is that while using the app I can't take screenshots, and I hope/expect that it uses images backed by secure memory to show them to me and is careful with things like RAM and temporary files (didn't check personally though, although being open source I could)

Having to be sure that your zip app handles that seems like a hustle honestly. On top of having random passwords without the biases I would add for each separate site.

[–] helpImTrappedOnline@lemmy.world 4 points 10 months ago* (last edited 10 months ago)

I use KeePassXC

It stores your passwords in an encrypted file, then i use the random password generator, the browser extension and free phone apps to autofill everything.

(It is up to you to sync the file between devices)

[–] potatopotato@sh.itjust.works 2 points 10 months ago

I suppose there's nothing wrong with it when the file is at rest, it looks like zip uses AES 128 or 256 which are adequate if you have a very strong password for the encryption. Ideally the encryption would feature a computationally intensive algorithm to slow guessing attempts when attempting to decrypt so you probably don't want to use a weak password.

Usability won't be great, you'll be copy pasting constantly and that presents an opportunity for malware to spy on the paste buffer and steal your passwords but it's a low to medium severity issue.

If you want to keep everything local I'd recommend KeePass, it's free, open source, and very strong. It's kinda the same thing but with the ability to insert passwords directly in some cases and can do more to keep everything organized.

If you want to use this in environments where you can't install anything on the systems but don't want anything online, this is probably acceptable though.

[–] Darorad@lemmy.world 2 points 10 months ago (1 children)

I guess it would work, as long as you're using an up to date zip implementation with AES-256 encryption. I guess my question would be why bother? Being compressed doesn't add any real additional benefit, since just using text shouldn't take up much space.

Is recommend just using an actual password manager for convenience, since you aren't really gaining any security by only storing your passwords in a file.

[–] itsaj26744@programming.dev 3 points 10 months ago (1 children)

I was just trying to learn, I use bitwarden+Keepass πŸ˜†

[–] lemmyreader@lemmy.ml 2 points 10 months ago

Good choice. I like KeePassXC and Bitwarden.

Your storing in password protected zip file is better than storing it plain text in a file on your computer but the password encryption of zip is probably not that strong. A friend of mine insists on using a disk encrypted pen drive with an office document having his passwords. I hope he has a backup drive :)