pwsafe

October 4, 2013

So I’ve recently thought about password managers. There is quite a number of these programs available (e.g., KeePass, KeepPassX or the password manager built into Mozilla Firefox). I was curious and decided to take a look. My first attempt was KeePassX; until I realized it requires Qt. I actually wanted to have something with a CLI. I looked a bit further and found pwsafe. That looked much more like what I was looking for, so I gave it a try.

After installing config-ng and pwsafe, I followed the setup instructions. For securely storing your credentials, pwsafe makes use of GPG. For interacting with the X11 clipboard it uses xclip and for opening your web browser, it uses xdg-open. Random user names and passwords are generated using pwgen and for securely deleting temporary files, one should also install shred. I set up all that stuff and compiled pwsafe, which worked well. Running it however didn’t ;). It complained about being unable to create a semaphore, which turned out to be a problem specific to FreeBSD. So I fixed it in the pwsafe source.

Now that I got it running, I created some test password entries. All worked well, but I didn’t like the fact that pwsafe only wanted to use my default GPG key for the password database. So I added an option that enables you to pass additional parameters to GPG (like –default-key). After that change, everything worked as I would have expected it.

Just for the fun of it, I decided to figure out how well it would integrate with my web browser. This is basically a question of some shell scripts and key bindings for the window manager. I thought about how I could do it, until I realized that pwsafe lacked another feature I’d like to have: multiple accounts per service. For me, it’s a common situation to have multiple accounts registered on a web site (e.g., different accounts for work related and trolling^Wprivate stuff). OK, so I fired up my editor again and added that capability to pwsafe. In order to make it integrate well with other components, I also slightly modified some other functions (like the query function, which now returns all user names that pwsafe knows of for some specific service in case the user didn’t specify one).

So, back to the integration with the web browser. Long story short, I just wrote a tiny shell script, which does the following:

That’s it. For presenting the list of user names, I used zenity, which is generally much under-appreciated. And here comes my shell script:

If you look at that script, I think there’s no need to mention that you should not use it for production. It’s probably broken and just meant as a PoC.

And that’s it. It seems to work for me. If you’re interested in my changes, check out the fork that I’ve created on GitHub.

Credits go out to Simon Hengel, who originally wrote pwsafe. Thanks for sharing your work!