Voici une série de White Papers sur la gestion de mot de passe. http://www.securitydocs.com/Authentication/Passwords

Je pense que la "bonne" approche serait d'utiliser les utilitaires pouvant gérer les fichiers compatibles avec "password safe". C'est le standard de facto qui me semble le plus sécuritaire et le plus actif. Le problème est qu'il n'y a pas d'utilitaire command-line pour *nix qui supporte la dernière version (v3). Autrement, Password Gorilla (GUI) et pwsafe (CLI, mais ne supporte pas la v3 et n'a pas d'interface interactive) sont tous deux excellents. -- TheAnarcat 2008-03-17 17:24:28

LE critère pour mettre une nouvelle option dans la liste:

• licence GPL

Voir aussi 57612 pour le remplacement du password manager actuel, où on ajoute les critères:

• multi-user - multiple users can access it easily
• ACLs - users can have access only to parts of it

Une bonne pratique des mots de passe personnelle est décrite dans la page GestionDesMotDePasse.

Cette liste n'est pas triée, les entrées sont ajoutées à la fin au fur et à mesure, généralement.

CLI + GUI

Those tools operate both on the commandline and a Graphical User Interface (GUI).

impass

https://salsa.debian.org/debian/impass

• python
• gpg-encrypted
• datastore is a single encrypted json file, relies on the user's OpenPGP key for crypto
• minimalist X11 integration (should work with keybindings for any window manager or desktop environment) to automatically type passwords into windows without displaying them or placing them in the clipboard
• latest release 0.12 (2018-02-23)
• in debian sid as of 2013-05-16
• in buster as of 0.12

used to be called "assword" but the name was changed. previous project page was http://finestructure.net/assword

passbolt

https://www.passbolt.com/

• AGPLv3
• runs a web interface by default, but has a CLI too
• has an API that can be used for automating operations
• upstream maintains a docker image
• uses GnuPG for encryption
• built with cachephp

kedpm

kepm, replacement for the Figaro Password Manager, which is Gnome-only. Koumbit now hosts the git repositories for this project, see the redmine project.

• one master password
• commandline and gtk2 interfaces
• python-based
• modular: easy to add backends and frontends
• tree based password cataloging
• as with Figaro, passwords are blowfish-encrypted
• file format mostly compatible with Figaro
• last release: 2011.07.20
• status: currently in use (and maintained!) at Koumbit

SFL Vault

https://projects.savoirfairelinux.com/projects/sflvault/wiki

• commandline
• network and public key-based
• automates logging into servers and mysql
• no debian package for server, outdated debian package for client
• ubuntu-specific install docs
• sqlite database backend
• multi-user, multi-customer/group support
• last release 2011-3-7

See SflVault for our own docs on this.

Counterpane's password safe

Password safe, originally written by Bruce Schneier, windows-only. Open sourced in 2013, and a Linux beta is now available.

• last release: 2013-05-11

CLI

Only through the commandline.

password-store

http://zx2c4.com/projects/password-store/

• commandline-only
• text files in a directory hierarchy
• content is the secret, gpg-encrypted
• supports git push/pull models

• supports groups of gpg keys through gpg's --group option

• supports multiple stores through environment variables

• simple
• last release: 1.4.2, 2012-10-18
• Debian package

keyringer

https://git.sarava.org/?p=keyringer.git;a=summary https://support.mayfirst.org/wiki/faq/admin/keyringer

• commandline
• text files in a directory hierarchy
• gpg-encrypted
• supports git
• supports groups easily
• simple
• no official release, but release tags visible, last commit april 2014
• debian package in jessie/sid

gpg

Good old GPG can be used, and is a very common password manager. Use gpg to encrypt a file, share the file, done. Can be opened with Emacs' EPA mode and gnupg-symmetric.vim.

pwd.sh

https://github.com/stef/pwd.sh

simple shell script to store passwords in a GPG file. also generates passwords based on browser's window titles...

Standford's Wallet

http://www.eyrie.org/~eagle/software/wallet/

The wallet is a system for managing secure data, authorization rules to retrieve or change that data, and audit rules for documenting actions taken on that data. Objects of various types may be stored in the wallet or generated on request and retrieved by authorized users. The wallet tracks ACLs, metadata, and trace information. It is built on top of the remctl protocol and uses Kerberos GSS-API authentication. One of the object types it supports is Kerberos keytabs, making it suitable as a user-accessible front-end to Kerberos kadmind with richer ACL and metadata operations.

• Kerberos based

• client/server architecture
• auditable
• supports ACLs (or group access control, in other words)
• tracks ACLs too
• LDAP suppor
• Perl 5.6
• Sqlite or MySQL backends
• used by Standford Universitry
• last release 2010-08-26 (0.12)

SPD

http://spd.sourceforge.net/

Encrypts to multiple GPG keys and provides a sensible interface. Aims to support SVN server deployment. Interesting for "all workers" passwords...

However, the interface sucks: it's juste plainfile text edition, and the --add parameter (to add a password) doesn't really work. I also couldn't figure out the syntax of the password file so that my passwords show up properly.

• last release: Apr 24 2009

pwsafe

pwsafe: a unix utility, commandline (but can copy to X11 clipboard), compatible with password safe (and emacs )

• Pure command-line operation if desired (good for remote access over ssh)...

• ... or can interact with X11 selection & clipboard.

• Portable, endianess-clean, misaligned-access-free C++. Compiles cleanly on linux, *bsd, macos x, solaris.

• Compatible with CounterPane's PasswordSafe Win32 program versions 2.x and 1.x. ( not v3!)

• Funny comments included in source code.
• last release: Sep 30th 2005
• no interactive commandline interface

Introduction

cpm

cpm, a commandline password manager

• one master password
• commandline only (ncurses)
• GnuPG blowfish encryption (128bit)
• csv import/export
• last release: 2002.09.12

pwman

pwman, with a text interface

• commandline only (ncurses)
• written in C
• uses gnupg for encryption
• last release: 2007-08-28

pwman3

• commandline
• sqlite or SQL backend
• various backend support
• interactive interface similar to kedpm (ie. no clipboard)
• last release: jan 2007

Yapet

Ncurses-based, minimal dependencies.

http://www.guengel.ch/myapps/yapet/

• last release: 2009-07-10

Simsafe

• Simsafe is nothing else but a simple Perl script wrapped around the symmetric encryption functions of GPG.

• writes the GPG password on disk (temporarly).

• http://blog.philippheckel.com/2009/04/07/simsafe-simple-command-line-password-safe/

• first and last release: Simsafe v0.1, Apr. 2009

Trocla

https://github.com/duritong/trocla

• can provide the hashed version of the password, using many algorithms
• no GUI
• client/server architecture
• does *not* crypt the passwords on the central server
• last release: no official release

recutils

https://www.gnu.org/software/recutils/

• not really a password manager, but a flatfile database in which individual records (or the whole database) can be encrypted

Blackbox

https://github.com/StackExchange/blackbox

• gpg-encrypted files to a series of public keys
• encrypted files stored in git/hg
• commands make it easy to decrypt, modify, then re-encrypt
• can be integrated with puppet with a builtin hook

License: MIT

pysswords

https://github.com/marcwebbie/pysswords

• gpg-encrypted files database
  • one shared password (e.g. symmetric encryption)
• multiple databases supported
• clipboard support
• bulk import/export support
• random generation

KeepassC

A curses-based CLI implementation of KeepassX that is compatible with Keepass 1.x and KeepassX databases. This software was not tested by anyone from Koumbit yet.

https://raymontag.github.io/keepassc/

• AES encrypted storage
• Group and sub-group organisation of passwords
• Automatically lock workspace after a delay
• Copy username/password to clipboard
  • Automatically clear clipboard after delay following copy
• Includes password generator
• Search for entries throughout the database
• Passwords can have expiration dates to remind that they should be changed
• Unicode support
• Network functionality including multiuser support (how does it work? needs to be tested)

pwstore

"a tool to maintain a GnuPG encrypted password store". not tested at Koumbit yet

https://github.com/weaselp/pwstore/

• GnuPG based
• keyring stored (signed) along with the encrypted files
• multiple password per file
• used by debian and tor sysadmins

GUI

Those are GUI-based only.

KeePass

http://keepass.info/download.html

• Mono (so "cross platform")
• Rijndael/SHA-256/XML
• supports keyfiles or passwords or both
• multiple user support by using a shared database on a file share (NFS/WebDAV/etc)
• password generator
• copies to clipboard
• supports plugins
• imports and exports to various formats
• last release: 2014-10-08 (2.28)

KeePassX

http://www.keepassx.org/

• good words from MLUG and slashdot on it.

• Crossplatform: Linux/Windows/Os X (QT)
• no CLI
• popular project on Sourceforge

• most of KeePass's features

• compatible with KeePass 1.x file format (apart from the 2.x alpha)

• last release: 2010-03-07 version 2.0 alpha 6 released on 2014-04-12
• has a password generation utility
• with a shortcut, you can make it automatically type username and password in any window.
• automatically clears out the clipboard after a (customizable) delay.

KeePassXC

https://keepassxc.org/

Fork of KeePassX that fixes a bunch of things, makes interactions with the database faster and pushes forward discussion and development.

password gorilla

• http://fpx.de/fp/Software/Gorilla/

• crossplatform (linux, windows, osx) TCL/TK

• compatible with PasswordSafe v2-3

• Last release: July 3, 2006.

• New Development going on: http://github.com/zdia/gorilla

Revelation

• http://oss.codepoet.no/revelation/wiki/Home

• active projet
• GUI
• "Revelation is a password manager for the GNOME 2 desktop. It organizes accounts in a tree structure, and stores them as AES-encrypted XML"
• allow import/export in more than 10 formats
• multi users: ? putting the database under version control ?

gnu keyring

For Palms. http://gnukeyring.sourceforge.net/

gpass

A Gnome password manager

• last release: 2006-03-25

MyPasswordSafe

http://www.semanticgap.com/myps/ PasswordSafe-compatible, in theory. Linux GUI.

• last release: February 4th, 2004 (My experience: Was unable to create groups)

• New Development going on: http://github.com/sneakin/mypasswordsafe

PWS

• GUI, "pws aims to be a fully compatible passwordsafe implementation. heart of the project is libpws, a general library for reading and writing passwordsafe compatible files. currently passwordsafe files format v2 and passwordsafe files format v3.2 are supported."
• looks interesting, but no commandline version
• last release: 09 Dec 2008

• http://www.pwsafe.de/

Web based

Those are completely web-based.

Mitro

https://www.mitro.co/ - online, owned by Twitter and recently (2014) open-sourced.

• supports teams
• zero-knowledge server
• LDAP support as a paid feature
• imports from other software
• client side: browser plugin
• server side: java
• no debian package

ClipperZ

http://www.clipperz.com/ is an online, zero-knowledge service that has been released under the AGPL, on github - because Google refuses AGPL projects (!!).

• AGPL
• last release: none (last commit march 2012)

Update: server side is "for educational purposes only" and has security issues, so basically unusable. -- TheAnarcat 2015-08-05 10:36:13

Corporate vault

http://sourceforge.net/projects/corporatevault/

• last release: 2010-08-13 (0.6.7)

Team pass

http://www.teampass.net/

• multi-user
• AES-256
• LDAP auth
• imports passwords from Keepass
• last release: April 18, 2012 (2.1.7)

Mortimer

https://github.com/aiaio/mortimer

• rails-based
• based on "public-key crypto"
• last release: none (alpha)

w3pw

Web based, PHP, MySQL.

http://w3pw.sourceforge.net/

duse

http://duse.io/

has an interesting theoritical paper: https://github.com/duse-io/seminar-paper

certainly zero-knowledge, but seems only one author, a little academic...

vault

https://vaultproject.io/ - from the Vagrant people

not sure it's zero-knowledge. but it supports LDAP authentication and seems generally well designed.

Vaultier

https://www.vaultier.org/

https://www.vaultier.org/features/

https://www.vaultier.org/install/

• Python/Django
• BSD-3Clause
• RSA
• Belle interface
• Clef (gpg?) réside sur le poste de l'utilisateur
• Peut utiliser Docker pour l'install

autres

zxcvbn

Un bon estimateur de la qualité d'un password:

https://github.com/dropbox/zxcvbn