TiddlyWiki as a password store


Tobias Beer

Sep 17, 2015, 4:12:52 AM
to TiddlyWiki
I was wondering if using a combination of encryption and maybe TiddlySpot
was safe enough for recreating something like keepass or mitto with TiddlyWiki (minus any 1-click-login).

Thoughts?

Best wishes,

— tb

PMario

Sep 17, 2015, 4:25:00 AM
to TiddlyWiki
The encryption may be safe enough, but the workflow isn't.

e.g.:
 - KeePass removes plain text passwords from the system memory after 10 seconds.
 - If you decrypt TW, all the stuff is plain text in the browser. If you copy a password, it will stay in memory.
    - Switching the browser window into the background will not activate the encryption again ...

e.g.:
 - Autofill passwords with KeePass has a special mechanism to avoid "key logging".
 - If you copy / paste a PW with TW, "key logging" will be trivial.

So I personally would in no way use TW as a cloud based password store. Not because of the JavaScript based encryption software, but because of the unsafe workflow.

just my thoughts
mario

Tobias Beer

Sep 17, 2015, 5:08:53 AM
to TiddlyWiki
Thanks Mario,

Some good points. So the scores are roughly...

Keepass 10 : TiddlyWiki 1

May I ask what you use?


Best wishes,

— tb

PMario

Sep 17, 2015, 7:26:17 AM
to TiddlyWiki
On Thursday, September 17, 2015 at 11:08:53 AM UTC+2, Tobias Beer wrote:
> Some good points. So the scores are roughly...
>
> Keepass 10 : TiddlyWiki 1
>
> May I ask what you use?

KeePass2 .. It works well with Windows and Ubuntu. So I can use the same password store file for both environments. ... The only problem atm is my mobile device :) It uses Ubuntu Touch.


There is also one more thing. You wrote: "and maybe TiddlySpot"

TiddlySpot uses basic HTTP with username/password authentication at the moment. This mechanism is all plain text.

So logging on to TiddlySpot on a public wifi is an invitation for a "man in the middle" attack.

As I wrote: most of the time the encryption mechanisms are not the vulnerable elements.

Users and their "bad habits" are one element, e.g. using the same and easy-to-guess passwords for way too many sites.

... and ... the annual cost and complexity to enable https:// is the second element why the web is still an insecure place.

--- OT

https://letsencrypt.org/ may be an interesting approach to create free certs. ... But the last time I visited the project page, they were not finished yet. .. So time to have a new look ;)

-m
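What "all plain text" means in practice, as an added example that is not part of the thread and not TiddlySpot's or TiddlyWiki's code: HTTP Basic authentication puts the username and password, base64-encoded but not encrypted, into the Authorization header of every request. Over plain HTTP anyone who can read the traffic (the public wifi case above) decodes them directly. The captured request, the host name, the credentials and the helper names (`parseRequest`, `recoverBasicCredentials`, `harvest`) below are all constructed for this illustration.

```javascript
// Added example, not code from the thread or from TiddlySpot. It shows what a
// passive observer on the same network recovers from one plain-HTTP request
// that carries HTTP Basic authentication. Everything here is constructed: the
// host name, the path and the credentials are made up.

// One HTTP/1.1 request as it travels over the wire without TLS.
// "dGI6aHVudGVyMg==" is base64 of "tb:hunter2". Base64 is an encoding, not
// encryption, so it hides nothing from anyone who can read the bytes.
const capturedRequest = [
  "GET /index.html HTTP/1.1",
  "Host: example.tiddlyspot.com",
  "Authorization: Basic dGI6aHVudGVyMg==",
  "User-Agent: Mozilla/5.0 (constructed)",
  "Accept: text/html",
  "",
  "",
].join("\r\n");

// Split a raw request into its request line and a lowercase-keyed header map.
// Header names are case-insensitive, so normalise them before lookup.
function parseRequest(raw) {
  const headerEnd = raw.indexOf("\r\n\r\n");
  const head = headerEnd === -1 ? raw : raw.slice(0, headerEnd);
  const lines = head.split("\r\n");
  const requestLine = lines.shift() || "";
  const headers = {};
  for (const line of lines) {
    const colon = line.indexOf(":");
    if (colon === -1) continue; // malformed header line, ignore it
    const name = line.slice(0, colon).trim().toLowerCase();
    headers[name] = line.slice(colon + 1).trim();
  }
  return { requestLine, headers };
}

// Recover the credentials from an "Authorization: Basic ..." header.
// Returns null when the request carries no Basic credentials.
function recoverBasicCredentials(raw) {
  const { headers } = parseRequest(raw);
  const auth = headers["authorization"];
  if (!auth) return null;
  const match = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(auth);
  if (!match) return null; // Bearer, Digest, etc. are not Basic and not handled here
  const decoded = Buffer.from(match[1], "base64").toString("utf8");
  // Format is user-id ":" password; only the first ":" separates them,
  // because the password itself may contain ":".
  const sep = decoded.indexOf(":");
  if (sep === -1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Run over a list of captured requests and report which ones leaked credentials.
function harvest(requests) {
  const found = [];
  for (const req of requests) {
    const creds = recoverBasicCredentials(req);
    if (creds) {
      const { headers } = parseRequest(req);
      found.push({ host: headers["host"] || "?", ...creds });
    }
  }
  return found;
}

console.log(harvest([capturedRequest]));
```

Because Basic auth repeats the header on every request, the observer does not need to catch the login itself; any request to the site during the session is enough. Only TLS (https://) keeps the header out of reach of someone on the same network, which is why the cost of certificates comes up in the post above.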

Spangenhelm

Sep 17, 2015, 8:27:24 AM
to TiddlyWiki
Hi guys! Good question: I guess you are right about the security risks for a cloud-based use (I effectively use TW for storing my credentials, but offline only so far, and it is clearly missing an autofill feature though!)

Btw Mario, you said you were using Ubuntu Touch on your mobile? So do I! What brand is your phone? Bq? Mine is an Aquaris 4.5 Ubuntu Edition and I'm pretty happy with it, although there is no easy way to sync it with the cloud except via Google.. Or have you found a way to do so? WebDAV/CardDAV and things like that do not seem to be available yet afaik...

Bye

PMario

Sep 17, 2015, 9:34:38 AM
to tiddl...@googlegroups.com
On Thursday, September 17, 2015 at 2:27:24 PM UTC+2, Spangenhelm wrote:
> Hi guys! Good question: I guess you are right about the security risks for a cloud-based use (I effectively use TW for storing my credentials, but offline only so far, and it is clearly missing an autofill feature though!)

I'm "kind of ok" for offline use but I still have some doubts and "open URL" and "autofill" are a big win with the native programs.

------------ OT

> Btw Mario, you said you were using Ubuntu Touch on your mobile

------------ EOT

-mario