# Password Manager

This document describes my current password manager along with past managers.

## Proton Pass

My current password manager of choice is Proton Pass; all passwords have been
migrated to it starting in late 2024.

Proton Pass also stores 2FA secrets and recovery codes for the services I use
2FA with. However, I do _NOT_ use Proton Pass for TOTP codes; that is done with
the Yubikey Authenticator app.

### Positives of Proton Pass

- Email aliases
- Uses PGP encryption (however, they hold the private keys).
- Includes apps for macOS and iOS (my primary operating systems).

### Downsides of Proton Pass

- Keyboard shortcuts (it has none).
  - To work around this, I install it as a PWA (progressive web app) and use the
    Vimium extension to navigate with the keyboard.
- Vendor lock-in
- Requires a subscription, but I use their mail client / services anyway.

## Yubikey Authenticator

Yubikey Authenticator is used with my YubiKeys. It stores passkeys, my `pgp`
keys, signing certificates, etc. It is used to require a hardware-bound device
for important services that I use, such as banks, iCloud, etc.

All TOTP (time-based one-time passwords, the 6-digit codes they ask for when
using two-factor authentication [2FA]) should be managed by Yubikey
Authenticator. They were previously managed in Proton Pass; using a YubiKey
requires the hardware key to be in my possession and activated with a security
PIN in order to use the TOTP values.

The 2FA secrets are stored in Proton Pass so that they can be set up on my
backup YubiKey and / or on other password managers in the future, if desired.

> Note: As of the time of this writing, I'm very new to using YubiKeys, so I
> don't have good pros / cons of this solution yet.

## Gopass

Gopass is a terminal-based password manager that uses `pgp` encryption.

Gopass stores passwords in `git` repositories; all passwords are encrypted with
my `pgp` keys. It holds the passwords that I want / need to get to quickly and
easily when working in my terminal. It is not a complete list of passwords, as
there are no great integrations with browsers.

Most passwords I store in Gopass are duplicated to Proton Pass, as that is a
more user-friendly interface in the event that something happens to me and
someone else needs to access my passwords.

`Gopass` is where most passwords are stored for internal services that run on
the company servers. It does require `pgp` keys to be set up before use, which
may be more useful now that the `pgp` keys are stored on my YubiKeys. However, I
could not completely rely on this password manager (especially when setting up
a new computer), because I don't initially have access to `gitea` (my internal
git server) until some setup is done on the new machine.

### Cons of Gopass

- If you lose access to your `pgp` keys, you lose access to your passwords.
- Migrating to new `pgp` keys is a bit of a PITA.

## Previous Password Managers

- pwSafe (still has some company passwords stored in it from when the company
  was started)
  - Not all passwords have been migrated, so this needs to stay around.
- macOS/iOS Passwords (all passwords have been deleted from this manager, except
  Proton's password)
  - All passwords deleted 03/2025, except Proton (kept the Proton password in
    case it's needed when setting up a new machine).