From 743f2c0bd3cd360157d09159d7594ff72ae6d507 Mon Sep 17 00:00:00 2001 From: Michael Housh Date: Mon, 31 Mar 2025 15:18:29 -0400 Subject: [PATCH] feat: Adds Security notes. --- .prettierrc.yaml | 2 + Security/PasswordManager.md | 80 +++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 .prettierrc.yaml create mode 100644 Security/PasswordManager.md diff --git a/.prettierrc.yaml b/.prettierrc.yaml new file mode 100644 index 0000000..3032bde --- /dev/null +++ b/.prettierrc.yaml @@ -0,0 +1,2 @@ +proseWrap: always +printWidth: 80 diff --git a/Security/PasswordManager.md b/Security/PasswordManager.md new file mode 100644 index 0000000..be78a48 --- /dev/null +++ b/Security/PasswordManager.md 
@@ -0,0 +1,80 @@ +# Password Manager + +This document describes my current password manager along with past managers. + +## Proton Pass + +My current password manager of choice is Proton Pass, this is where all +passwords have been migrated to starting late 2024. + +Proton pass also stores 2Fa secrets and recovery codes for services that I use +2Fa with, however I do _NOT_ use Proton Pass for TOTP codes, that is done with +the Yubikey Authenticator app. + +### Positives of Proton Pass + +- Email aliases +- Uses PGP encryption (however they hold the private keys). +- Includes apps for macOS and iOS (my primary operating systems). + +### Downsides of Proton Pass + +- Keyboard shortcuts (it has none). + - To work around this, I install as a PWA (progressive web app), and use the + Vimium extension to navigate with keyboard. +- Vendor lock in + - Requires a subscription, but I use their mail client / services anyway. + +## Yubikey Authenticator + +Yuibikey Authenticator is used with my yubikey's. It stores passkeys, my `pgp` +keys, signing certificates, etc. It is used to require a hardware bound device +to important services that I use, such as banks, iCloud, etc. + +All TOTP (time based one time passwords, the 6 digit codes they ask for when +using two factor authentication [2fa]) should be managed by Yubikey +Authenticator. They were previously managed in Proton Pass, however using a +yubikey requires the hardware key to be in my possession and activated with a +security pin in order to use the TOTP values. + +The 2Fa secrets are stored in Proton Pass, so that they can be setup on my +backup yubikey and / or setup on other password managers in the future, if +desired. + +> Note: As of the time of this writing, I'm very new to using yubikey's so I +> don't have good pros / cons of this solution yet. + +## Gopass + +Gopass is terminal based password manager that uses `pgp` encryption. 
+ +Gopass stores passwords in `git` repositories, all passwords are encrypted with +my `pgp` keys. This stores passwords that I want / need to get to quickly and +easily when working in my terminal. It is not a complete list of passwords as +there's not great integrations with browsers. + +Most passwords I store in Gopass are duplicated to Proton Pass as that is a more +user friendly interface in the event that something happens to me and someone +else needs to access my passwords. + +`Gopass` is where most passwords are stored for internal services that run on +the company servers. It does require that `pgp` keys are setup to use it, which +may be more useful now that the `pgp` keys are stored on my yubikey's, however I +could not completely rely on this password manager (especially when setting up a +new computer) because I don't initially have access to `gitea` (my internal git +server) until some setup is done on a new machine. + +### Cons of Gopass + +- If you lose access to your `pgp` keys you will loose access. +- Migrating to new `pgp` keys is a bit of a PITA. + +## Previous Password Managers + +- pwSafe (still has some company passwords stored in it from when the company + was started) + - Not all passwords have been migrated, so this needs to stay around. +- macOS/iOS Passwords (all passwords have been deleted from this manager, except + Proton's password) + - All passwords deleted 03/2025, except proton (kept proton password, encase + it's needed when setting up a new machine).
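Review bot: the `.prettierrc.yaml` hunk (`+proseWrap: always`, `+printWidth: 80`) is a tooling change that the subject line "feat: Adds Security notes." does not describe; split it into its own commit, or at least say in the commit message why a formatter config is introduced alongside the notes, so a reader of the history understands that the 80-column wrapping of `Security/PasswordManager.md` is formatter output rather than hand-wrapped prose.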
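Review bot: in the `Security/PasswordManager.md` hunk, keeping the 2FA seeds and recovery codes in Proton Pass (`+Proton pass also stores 2Fa secrets and recovery codes for services that I use` and `+The 2Fa secrets are stored in Proton Pass, so that they can be setup on my` backup yubikey) undercuts the stated goal of the Yubikey Authenticator section, which is that TOTP requires the hardware key to be in the author's possession: whoever obtains the Proton Pass vault obtains the passwords and the TOTP seeds together, so both factors fall at once. Suggest enrolling the backup YubiKey at the same time as the primary and keeping the seeds and recovery codes out of the online vault (for example, printed and sealed), or at minimum stating this trade-off in the document next to the sentence that gives the reason for storing them there. The line `+- Uses PGP encryption (however they hold the private keys).` is also ambiguous and should say whether Proton holds usable private keys or only a copy encrypted under the account password, since the two mean very different things for the threat model. Minor wording: `Yuibikey` should be `Yubikey`, `loose access` should be `lose access`, `encase` should be `in case`, `setup` should be `set up` where it is used as a verb, the plural `yubikey's` needs no apostrophe, `2Fa`/`2fa` should be written consistently as `2FA` to match `TOTP`, and `Gopass is terminal based password manager` is missing an article and a hyphen.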