Thread: [Passwordsafe-linux] Thoughts on TOTP/HOTP support in PasswordSafe?
From: Bill B. <de...@bl...> - 2019-10-04 03:55:05
Hi all,

I've been considering implementing TOTP/HOTP support in PasswordSafe. The idea is that you would be able to store the seed for a given account, then have PasswordSafe generate the TOTP/HOTP code as needed (instead of using something like Google Authenticator).

However, I've had some people (unrelated to this project) suggest that this is a Bad Idea^TM. Since I'm writing this email, it's probably obvious that I disagree. I'd be happy to explain my rationale if anyone wants to discuss it.

I do think it would be convenient functionality to have for those of us that would use it, and I'm willing to do the work. Well, at least for core and wx. I could probably do the Windows implementation too, but I haven't done Windows GUI programming in something like 20 years. As such, if someone else wanted to handle that piece, I'd be grateful.

That said, I don't want to spend the time and effort needed to implement it only to find out that everyone thinks I'm completely bonkers and that it will never get merged.

So is this something I should pursue, or should I skip it?

Regards,
Bill

--
GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84
From: pwsafe.org <ro...@pw...> - 2019-10-04 05:13:30
A few thoughts:

- This will require format changes - at least one new field to indicate the entry is for an OTP, and not a "regular" password.
- Are the specs for the various authenticators out there (Authy, Google Authenticator, etc.) publicly available and usable to implement a clone in pwsafe?
- The biggest challenge for implementing this is to do so in a way that won't "penalize" the users of "classic" passwords. By "penalize" I mean require extra clicks/keystrokes over what's required today to create and use a given entry.

Discussion?

On Fri, Oct 4, 2019 at 6:18 AM Bill Blough via Passwordsafe-devel <pas...@li...> wrote:

--
Ubi dubium, ibi libertas (where there is doubt, there is freedom)
From: Bill B. <de...@bl...> - 2019-10-04 16:12:00
On Fri, Oct 04, 2019 at 08:13:07AM +0300, pwsafe.org wrote:
> A few thoughts:
>
> - This will require format changes - at least one new field to indicate the
> entry is for an OTP, and not a "regular" password.

I was just looking through the format docs for V3 and V4, and they both list "Two-Factor Key" as a (yet to be implemented) field type (0x1b). Is it safe to assume we could use this? Though we would still need additional fields for OTP parameters (e.g., hash algorithm, length of the generated code, etc.).

Since applications are supposed to be able to handle unknown fields in a forward-compatible way, it seems like there shouldn't be an issue with adding new fields to the existing formats (as opposed to waiting and adding it to the next format). Is this correct?

> - Are the specs for the various authenticators out there (Authy, Google
> Authenticator, etc.) publicly available and usable to implement a clone in
> pwsafe?

Yes, the HOTP spec is RFC4226 [1] and the TOTP spec is RFC6238 [2]. While I wouldn't be surprised if certain vendors had "peculiarities" with their implementation, I'd expect the vast majority of differences to be handled by changing the OTP parameters.

> - The biggest challenge for implementing this is to do so in a way that
> won't "penalize" the users of "classic" passwords. By "penalize" I mean
> require extra clicks/keystrokes over what's required today to create and
> use a given entry.

I'm open to other ideas, but my initial thought for the UI is:

- The entry's view/edit dialog would get an additional tab for OTP-related configuration. On this tab, the user could enter their seed/key and configure their parameters. Since I expect that the average user doesn't want to have to know/care about which hash algorithm to choose and similar things, I think we could create some "presets" for common configurations, and give them user-friendly names/descriptions. Then also have a way for advanced users to manually set the parameters if needed.
- The entry's right-click menu would get two additional items:
  - Display Authenticator Code - opens a dialog that shows the code and a time-remaining indicator (similar to how "Display Password as QR Code" opens a dialog today). This basically presents the same interface as most authenticator apps. There could optionally be a button here to copy the code to the clipboard.
  - Copy Authenticator Code to Clipboard - copies the code to the clipboard.

If implemented as I described above, then the user might have to move past two additional items in the right-click menu. But I don't think there would be any additional clicks to create/use an entry unless the user decided to use OTP for that entry.

Bill

[1] https://tools.ietf.org/html/rfc4226
[2] https://tools.ietf.org/html/rfc6238

--
GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84
From: Tom M. <mi...@ni...> - 2019-10-04 05:44:13
On Thu, Oct 3, 2019 at 8:55 PM Bill Blough via Passwordsafe-linux <pas...@li...> wrote:
>
> Hi all,
>
> I've been considering implementing TOTP/HOTP support in PasswordSafe.

It seems possible and interesting but I would rather add YubiKey support first. One weakness with password managers is key management for the password manager software itself. Two YubiKey device support please. A pair of YubiKey devices allows a second device to be kept in a sealed tamper-evident envelope in the manager's or company office safe. The encrypted password-safe file can be replicated as needed for portability.

One problem with the Google and Microsoft Authentication is they are tied to devices that are easy to misplace and also have fragile to strong unlock features. They are useful.

--
T o m M i t c h e l l ( o n N i f t y E g g )
From: pwsafe.org <ro...@pw...> - 2019-10-04 08:07:23
Hi Tom,

I think that Bill meant adding one time password support for different sites, not for authenticating PasswordSafe itself using TOTP/HOTP.

Yubikey is currently supported, including the ability to configure a backup device as you described.

Rony

On Fri, Oct 4, 2019 at 7:38 AM Tom Mitchell <mi...@ni...> wrote:

--
Ubi dubium, ibi libertas (where there is doubt, there is freedom)
From: Mark M. <mar...@gm...> - 2019-10-04 12:52:02
Hi there,

I've done a bit of work on this for my app (Strongbox) which supports KeePass and Password Safe.

In the KeePass Windows world people used plugins to manage this feature. It has proven to be popular and has been made native in KeePassXC (a cross-platform KeePass client) and also in my own app.

I'd be happy to help with any queries you have. Currently if a user adds a TOTP via my app to their Password Safe database I support this by appending an OTPAUTH URL to their notes field (less than ideal but functional).

To answer one of the questions raised above:

- Are the specs for the various authenticators out there (Authy, Google Authenticator, etc.) publicly available and usable to implement a clone in pwsafe?

Yes (the standard is RFC 6238).

Other things to think about off the top of my head for anyone looking to implement this:

- Parameters are often required (Hash Algorithm (usually SHA1), Number of Digits (usually 6), Period (usually 30 seconds)).
- OTPAUTH URLs could be supported; they combine the parameters, the seed and some metadata like the Issuer, Name, Username and look like:

  otpauth://totp/ACME%20Co:joh...@em...?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=8&period=31

  They are usually scanned from a QR Code.
- Some people use a variant of the standard RFC 6238 algo for use with "Steam" tokens, a gaming provider.

FWIW, this is handled in the KeePass world by using "Custom Fields", basically a feature that allows for a set of Key-Value Pairs. I don't believe the equivalent exists in the Password Safe world and you might not want to go that route anyway, but in short a TOTP configuration can be added to any entry alongside a regular password.

Hope that's helpful.

Best,
-Mark

On Fri, 4 Oct 2019 at 09:07, pwsafe.org <ro...@pw...> wrote:
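An added example (not from this thread and not Password Safe or Strongbox code) showing what Mark's parameter list and otpauth URL amount to in practice: a parser for the URL that applies the RFC 6238 defaults (SHA1, 6 digits, 30 s) when parameters are omitted, RFC 4226 HOTP and RFC 6238 TOTP on top of it, and the standard RFC test vectors to confirm the arithmetic. The sample URI is constructed for this example, with a placeholder account name instead of the elided address in Mark's message.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, digits: int = 6, algorithm: str = "sha1", period: int = 30, at=None) -> str:
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/... or otpauth://hotp/... into the fields an entry would have to store."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))                       # "Issuer:account" or just "account"
    label_issuer, _, account = label.rpartition(":")
    secret = q["secret"].upper().rstrip("=")                  # QR payloads commonly drop base32 padding
    secret += "=" * (-len(secret) % 8)
    cfg = {
        "type": u.netloc,
        "issuer": q.get("issuer", label_issuer),             # query parameter wins over the label prefix
        "account": account,
        "secret": base64.b32decode(secret, casefold=True),
        "algorithm": q.get("algorithm", "SHA1").lower(),      # defaults per RFC 6238 / common practice
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }
    if u.netloc == "hotp":
        cfg["counter"] = int(q["counter"])                    # mutable state: must be persisted after each use
    return cfg


def code_from_uri(uri: str, at=None) -> str:
    """Generate the current code for a parsed URI (HOTP uses the stored counter as-is)."""
    cfg = parse_otpauth(uri)
    if cfg["type"] == "hotp":
        return hotp(cfg["secret"], cfg["counter"], cfg["digits"], cfg["algorithm"])
    return totp(cfg["secret"], cfg["digits"], cfg["algorithm"], cfg["period"], at)


# Constructed sample, modelled on the URL in the message above with a placeholder account.
SAMPLE_URI = ("otpauth://totp/ACME%20Co:alice@example.com"
              "?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co"
              "&algorithm=SHA1&digits=8&period=31")
```

Because HOTP's counter is state that advances on every use, it is the one field a read-only database or a restored backup cannot keep correct, which is the point raised later in the thread.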
From: Bill B. <de...@bl...> - 2019-10-04 16:22:11
Hi Mark,

Thanks for the info! This definitely gives me more to think about. Also, I very much appreciate the offer to answer questions. I may take you up on that at some point.

Regards,
Bill

On Fri, Oct 04, 2019 at 01:51:11PM +0100, Mark McGuill wrote:

--
GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84
From: Bill B. <de...@bl...> - 2019-10-04 20:55:37
Hi again,

Someone contacted me privately and suggested that HOTP might be problematic, since the counter must be kept in sync with the server. If the user has their database set to read-only, then that creates an issue, as does recovering an older database from backup.

If we can find a way around those issues, then great. If not, then it would probably be better to only provide TOTP support. (HOTP would still need to be implemented because TOTP relies upon it, but we could not expose it and keep it internal-only.)

Bill

On Thu, Oct 03, 2019 at 11:18:02PM -0400, Bill Blough via Passwordsafe-linux wrote:

--
GPG: 5CDD 0C9C F446 BC1B 2509 8791 1762 E022 7034 CF84