Revelation Password Manager is Worth It

A Tech article with 3 comments posted 21 March 2010.


I just posted this comment in response to an article at ChurchIT about RandomKeyGen.com:

I think I’d give this one a pass. The “Decent Passwords” section is pretty reasonable, but beyond that it gets mighty insane. For web hosts, in most circumstances one should be using public key auth over SSH and disabling password access altogether, and almost everyone has “sudo” or whatever the Mac or Windows equivalent is configured, so setting Admin/root passwords is a bit irrelevant.

Besides, for these forgettably long passwords (okay, maybe you 8-bit guys are superhuman, but the rest of us) you’re going to use a password manager, and that’s going to need to be guarded by something you can remember and type in regularly. Hopefully that password manager will generate a decent password for you.

After writing that, I realized that I had drafted, but somehow had forgotten to publish, an article describing my favorite password manager (for Linux): Revelation Password Manager.

I’ve been wanting to keep passwords to sensitive websites, particularly online banking, in a more secure place than Firefox offers in its Saved Passwords feature. I had been using GPass for a while, but found it clunky and limited. I was looking for these features:

  1. Strong encryption
  2. Able to store a variety of types of credentials
  3. Easy to use
  4. Able to specify a location for storing the password file (GPass in particular doesn’t offer this)

I finally settled on Revelation Password Manager. Revelation is great because it:

  1. Offers all of the stuff above
  2. Has a panel tray icon for quick access to credentials
  3. Has a nice interface for generating random passwords

Unfortunately, something no password manager currently offers is a way to store those blasted “additional credentials” and “security questions” that financial institutions are demanding nowadays. Not only must I remember my username and password, but now I also have to remember the exact capitalization, punctuation, and spelling of three or more answers to security questions, and some banks are specifying security images that you need to recognize, or even pick out of a list, in order to thwart robots. My suggestion: choose terse, punctuation-free, lowercase answers and list them in the “description” field in Revelation. It’s probably not as secure, but when you’re using a random twelve-character alphanumeric password that even you don’t try to remember, the security questions are probably superfluous. The other suggestion: since you’re writing down the answers to those questions anyway, you might as well lie. After all, the real answers are usually pretty guessable.
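As an added example (not from the original post, and not Revelation's own code), the reasoning in the last two paragraphs in Python: a twelve-character alphanumeric password drawn from the OS random source with its entropy estimate, the post's "terse, punctuation-free, lowercase" normalization rule for security-question answers, and a generator for made-up answers. The sample answer string is constructed.

```python
import math
import secrets
import string

# The post's password shape: twelve characters drawn from letters and digits.
ALNUM = string.ascii_letters + string.digits


def generate_password(length: int = 12, alphabet: str = ALNUM) -> str:
    """Draw each character independently and uniformly from `alphabet` via the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def normalize_answer(answer: str) -> str:
    """Apply the post's rule for security-question answers: lowercase, no punctuation, no spaces.

    Storing the normalized form in the manager's description field removes any doubt about
    which capitalization or punctuation the bank saw when the answer was registered.
    """
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def generate_fake_answer(length: int = 8) -> str:
    """A made-up answer ("you might as well lie"): random lowercase letters, already normalized."""
    return generate_password(length, string.ascii_lowercase)


if __name__ == "__main__":
    pw = generate_password()
    print(f"password:    {pw}  (~{entropy_bits(len(ALNUM), len(pw)):.1f} bits)")
    # Constructed sample of a "real" answer and the form that would be stored.
    print(f"stored form: {normalize_answer('Fluffy' + chr(39) + 's Name!')}")
    ans = generate_fake_answer()
    print(f"fake answer: {ans}  (~{entropy_bits(26, len(ans)):.1f} bits)")
```

The entropy figures make the post's point concrete: the twelve-character password carries roughly 71 bits, far more than any security question answer that an acquaintance could guess.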

  • http://twitter.com/oschurch Open Source Church

    You might also want to take a look at KeePassX if you haven't already.

    http://www.keepassx.org/

    I think it has everything you mentioned plus a flexible comments section for your security questions, and it's cross-platform (I use it on Windows at work and Ubuntu at home).

    Kevin
    http://www.opensourcechurch.com

  • http://www.tedcarnahan.com/ Ted Carnahan

    Kevin -

    Thanks for pointing out KeePassX – pretty cool program. I like the way that the program is organized, and the AutoType feature looks like it could be a timesaver. One downside for me would be that it's a Qt-based program (KDE), while I'm more of a GNOME guy myself. But it looks great for people on Kubuntu and the like.

  • human3rror

    cool!
