Any explanation of Why to not store passwords in plaintext and encrypt folder in zip archive (I guess U cant break pass?) Pls don’t be agressive!!

  • TheAnonymouseJoker@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    Files in archives upon being opened are temporarily extracted, which means your passwords there exist as plaintext files. If your system is secure and hardened enough against unauthorised %temp% access on Windows, probably it can work.

      • TheAnonymouseJoker@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        I do not think the standard ZIP decompressor library used in OSes or in general purpose compression software does this. Probably much safer if using RAR.

  • tatterdemalion@programming.dev
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    10 months ago

    If your goal is to “self-host” a password manager, you might as well use Keepass + SyncThing.

    • free software
    • master password protected
    • has organization and auto-fill features
    • can sync across multiple devices

    Usually the downfall of rolling your own password manager is it’s easier to make mistakes and accidentally lock yourself out. Or if you don’t keep backups/replicas then you could easily lose your passwords.

    • gray@pawb.social
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Or self host Bitwarden and you don’t have to bother with syncing the file around.

  • potatopotato@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    I suppose there’s nothing wrong with it when the file is at rest, it looks like zip uses AES 128 or 256 which are adequate if you have a very strong password for the encryption. Ideally the encryption would feature a computationally intensive algorithm to slow guessing attempts when attempting to decrypt so you probably don’t want to use a weak password.

    Usability won’t be great, you’ll be copy pasting constantly and that presents an opportunity for malware to spy on the paste buffer and steal your passwords but it’s a low to medium severity issue.

    If you want to keep everything local I’d recommend KeePass, it’s free, open source, and very strong. It’s kinda the same thing but with the ability to insert passwords directly in some cases and can do more to keep everything organized.

    If you want to use this in environments where you can’t install anything on the systems but don’t want anything online, this is probably acceptable though.

  • beta_tester@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    You can develop apps in a text editor. We don’t do it because we’ve got better tools. Text editor work but developer focused IDE’s work much better and are very convenient.

    it may encrypt your password but using kdbx files are much more convenient, efficient, etc.

  • algernon@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    Very bad, because the usability of such a scheme would be a nightmare. If you have to unzip the files every time you need a password, that’d be a huge burden. Not to mention that unzipping it all would leave the files there, unprotected, until you delete them again (if you remember deleting them in the first place). If you do leave the plaintext files around, and only encrypt & zip for backing up, that’s worse than just using the plaintext files in the backup too, because it gives you a false sense of security. You want to minimize the amount of time passwords are in the clear.

    Just use a password manager like Bitwarden. Simpler, more practical, more secure.

  • zeluko@kbin.social
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    I dont see the “manager” part in your zip archive…
    More like a bunch of text files… and you are doing the job of the manager

    • pafu@feddit.de
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      10 months ago

      pass has a similar spirit, where passwords are just GPG encrypted files with some CLI glue on top.

      You could achieve the same with an encrypted .zip file and a bit of bash, even if it would probably be less ergonomic.

    • nicetriangle@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Yeah zips have no mechanism to prevent brute forcing as far as I’m aware. You can attempt as many passwords as you want as frequently as you want without any sort of rate limit.

      • Danny M@lemmy.escapebigtech.info
        link
        fedilink
        arrow-up
        0
        ·
        10 months ago

        That’s not the issue. You can attempt as many passwords as you want in actually secure password managers as well. KeepassXC for instance IS secure, you can still brute force the password, but because of the hashing algorithm they use it’s extremely hard. With PKZIP if you know some of the words in the file, you can easily guess the password in just a few hours because the encryption algorithm it uses isn’t secure

        • Supermariofan67@programming.dev
          link
          fedilink
          arrow-up
          0
          ·
          10 months ago

          Both are true. Brute forcing zips is also faster than brute forcing almost anything else. Other formats use key derivation functions like PBKDF2-SHA1 (hundreds of thousands of iterations of sha1) to slow down the calculation of the key from the password, but PKZIP does not do this. Brute forcing zips can be done at 10 billion passwords per second on a typical GPU, whereas rar/7z/keepass are only a few thousand per second.

          Here’s an interesting research paper describing both the known plaintext attack and the standard brute force attack https://www.scitepress.org/Papers/2019/73605/73605.pdf

  • Elise@beehaw.org
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    To add to the rest: A manager also stores the history. And it has a pass generator. And lots of quality of life things.

  • kureta@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    If you do this, you’ll start writing small scripts to help you with repeating tasks, to simplify somethings, then you’ll start looking for help trying to improve those scripts, then you’ll find better written and tested ones and start replacing yours with those, one by one. Then you’ll probably find pass or other terminal password manager. It can be a fun learning experience but sooner or later you’ll end up using a password manager.

    • Gooey0210@sh.itjust.works
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      Pass is pretty cool, used it for many years

      Now switched to vaultwarden so it’s more user friendly for my girlfriend

  • Imprint9816@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    10 months ago

    You can. You can also light your house with just candles. Its just not a very efficient or effective way of doing it and you lose out on modern features.

    • Timwi@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      10 months ago

      I’m curious: what modern features are you looking for when setting your house on fire?

  • utopiah@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    Depends against whom you are protecting yourself. If it’s against

    • your younger sibling then it’s probably sufficient
    • some script kiddie or scammer running scripts against the most typical setups, might be just obscure enough
    • a proper targeted attack, then it will depend on which zip software you are using. Most likely the stock one that might (I didn’t bother checking) relying on something that is far from the state of the art in terms of encryption. In that case it will most likely not be secure.
    • a proper attack but you use something like 7z with encryption that is relatively resilient, then most like if you are not facing state actors with huge amount of resources to try to crack it, most likely secure

    Note I’m NOT a security expert so… don’t believe me.

  • cooopsspace@infosec.pub
    link
    fedilink
    English
    arrow-up
    0
    ·
    10 months ago

    Because it’s bad, prone to errors, user interface is poor and relies on you following your process perfectly every time.

    Bitwarden.

    Or KeePass.

  • Monkey With A Shell@lemmy.socdojo.com
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    There’s two avenues for opening an encrypted file, attacking the password/access method or attacking the encryption itself.

    Generally using a basic zip-lock is not going to have a second factor, a rate limiting mechanism, anything really other than the password to stop a random brute force effort if they got a hold of the file for local processing.

    Using something with some front end protection like bit warden with 2FA or keepass with the key file option added in makes it more a task of Go ng after the crypto itself which is a much much harder approach.

  • Darorad@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    10 months ago

    I guess it would work, as long as you’re using an up to date zip implementation with AES-256 encryption. I guess my question would be why bother? Being compressed doesn’t add any real additional benefit, since just using text shouldn’t take up much space.

    Is recommend just using an actual password manager for convenience, since you aren’t really gaining any security by only storing your passwords in a file.