So I have gone through all the questions in here about how not to build your own password manager, and I am not trying to reinvent a wheel. I am trying to understand if I store my passwords on my own laptop in a file and then encrypt it with AES-256-CBC, just using openssl on a Mac. I can decrypt and peek at my passwords whenever I would like. So, could experts on crypto shed some insights on how secure this would be? Also, let's not talk about redundancy (or what if I lose my laptop), or how hard it is to manage such a file. I understand all those; I use 1Password. Here the intention is to understand security. Can someone with access to my laptop crack it to get my passwords?

– Dangerous Scholar
    I'm voting to close this question as off-topic because this is not a programming question. Perhaps crypto.SE is a better fit. – bartonjs Sep 19 '19 at 17:13
  • It is not off-topic (Please check the guidelines). Why is it not a programming question? It is about knowing the best practice and limitation when doing programming. Or are you suggesting the bash script that involves the openssl command is not programming? My understanding is every script that instructs a computer what to do is programming. Also please answer if you know the subject, else do not create noise. – Dangerous Scholar Sep 19 '19 at 17:54
  • You are not asking for help with a bash script that encrypts a file though. You are asking about the security of an encryption scheme and that's certainly not about programming. You yourself directly addressed "experts on crypto" and not "experts on programming". The crypto experts are over on [Crypto SE](https://crypto.stackexchange.com/). – Peter Sep 20 '19 at 06:26
  • No, this is basically intended towards design. I have seen a lot of posts where someone asks how they want to build their own password manager and people just point them to existing awesome tools and discourage them from building their own password manager, which I understand. For the same reason I did not want to phrase the question that way. For various reasons, personally, I want to avoid using any other service to store my passwords. So I am figuring out if my MVP system, designed the way above (which is storing the passwords in a file and encrypting/decrypting for retrieval), would work. – Dangerous Scholar Sep 20 '19 at 21:24

1 Answer

Where is the key? You should use `openssl enc` with the `-pbkdf2` option and appropriate parameters to make the key as secret as possible. CBC mode is not considered strong enough, see How to choose an AES encryption mode.

– Jonathan Rosenne
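The answer names the two concerns but does not show what they look like on the command line: key derivation via `-pbkdf2` with an explicit iteration count, and the fact that CBC gives confidentiality only, so a vault file can be modified without the decryption step noticing. The script below is an added example written for this page, not code from the question or the answer. It wraps `openssl enc -aes-256-cbc -pbkdf2` in an encrypt-then-MAC construction: an HMAC-SHA256 over the ciphertext is stored next to it and checked before any decryption. `openssl enc` has no AEAD support (it refuses GCM and similar modes), which is why the integrity check is bolted on with `openssl dgst`. Assumptions: OpenSSL 1.1.1 or newer on `PATH`, the password supplied in the `PM_PASS` environment variable, and an illustrative iteration count in `ITER`; the function names `pm_encrypt`, `pm_decrypt`, `pm_mac_key` and `pm_hmac` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Vault = "openssl enc -aes-256-cbc -pbkdf2" plus an HMAC-SHA256 over the
# ciphertext (encrypt-then-MAC), because CBC alone gives no integrity and
# "openssl enc" does not support AEAD modes such as GCM.
# Assumptions: openssl 1.1.1 or newer on PATH; the password is supplied in
# the PM_PASS environment variable; ITER is an illustrative value.

ITER=600000   # PBKDF2 iterations; raise until one derivation takes ~1 s on your laptop

# Derive a 256-bit MAC key from PM_PASS and a salt ($1, 16 hex chars) that
# differs from the ciphertext's own salt, so the MAC key is an independent
# PBKDF2 output. "-P" makes openssl print key/iv for that salt and exit
# without encrypting anything.
pm_mac_key() {
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 -S "$1" \
    -pass env:PM_PASS -P | awk -F= '/^key=/ {print $2}'
}

# HMAC-SHA256 of file $2 under hex key $1, printed as hex.
pm_hmac() {
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" "$2" | awk '{print $NF}'
}

# pm_encrypt PLAINFILE VAULT: writes VAULT (ciphertext with the "Salted__"
# header openssl adds) and VAULT.mac ("<mac-salt-hex> <hmac-hex>").
pm_encrypt() {
  plain="$1"; vault="$2"
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 -salt \
    -pass env:PM_PASS -in "$plain" -out "$vault" || return 1
  macsalt=$(openssl rand -hex 8) || return 1
  key=$(pm_mac_key "$macsalt")
  [ -n "$key" ] || return 1
  printf '%s %s\n' "$macsalt" "$(pm_hmac "$key" "$vault")" > "$vault.mac"
}

# pm_decrypt VAULT OUTFILE: verifies the MAC first. A modified vault or a
# wrong password changes the expected MAC, so both are rejected before
# openssl ever decrypts a byte (no CBC padding oracle, no garbage output).
pm_decrypt() {
  vault="$1"; out="$2"
  read -r macsalt stored < "$vault.mac" || return 1
  key=$(pm_mac_key "$macsalt")
  [ -n "$key" ] || return 1
  expect=$(pm_hmac "$key" "$vault")
  if [ -z "$expect" ] || [ "$expect" != "$stored" ]; then
    echo "pm_decrypt: MAC mismatch (vault modified or wrong password)" >&2
    return 1
  fi
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 \
    -pass env:PM_PASS -in "$vault" -out "$out"
}

# CLI use:  PM_PASS=... ./vault.sh encrypt passwords.txt vault.bin
#           PM_PASS=... ./vault.sh decrypt vault.bin passwords.txt
case "${1:-}" in
  encrypt) pm_encrypt "$2" "$3" ;;
  decrypt) pm_decrypt "$2" "$3" ;;
esac
```

Two caveats a practitioner should keep in mind. The `!=` comparison in `pm_decrypt` is not constant-time; that matters little for a file on your own disk but would for a service. And none of this changes the answer to the question as asked: someone with access to the laptop while the vault is decrypted, or who can read `PM_PASS` from your shell's environment or the decrypted output file, gets the passwords regardless of the cipher mode.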