Password Management

Managing passwords is a challenge unless you have an eidetic memory or are lazy enough to click “forgot username/password” every single time. I believe neither of those people is going to end up reading this post, and trust me, you are not one of ‘em either!

So, when it comes to managing passwords, the first thing that comes to mind is the best password management app in the App Store or Play Store. When we search for one, we end up with whichever app is listed on most of the sites and has the most reviews, and so on. So obviously nobody feels the need to ask a security expert which app to choose.

Now, am I a security expert? Hell no!

I am not against the apps that are listed as the best at any point in time; however, I am not someone who believes that the news is always true. In fact, the truth is whatever the media say it is, and this applies to websites as well. Now, before we get into the actual password management details, let’s split things up into discrete pieces so that we can better understand the need for password management.

  • Why do we need to protect our passwords?
    • Coz’ if someone else gets hold of our password, they can impersonate us: log in as us, change the recovery details, lock us out

Let’s call this someone ‘X’

  • Does X really need your password?
    • Unless you are a friend/enemy of X, X wouldn’t care about yours specifically
  • Do I know X personally?
    • Well, most probably not, coz’ X is usually an organisation; X being a single person seldom happens

As you can see, you are unlikely to be a victim unless it’s X’s personal vendetta or you are on your way to becoming a celebrity/millionaire.

Therefore, it’s unlikely for X to target an individual and a lot more likely to target a company with a strong user base (one reason why big companies keep falling victim to X). Also, with a hosted password manager all of your credentials sit in one single infrastructure. The vaults may be encrypted, but once X breaches that infrastructure and copies them, X can try master passwords offline, at leisure, with no rate limits or lockouts; whether that takes a day or never depends entirely on how strong your master password was, and you have already handed X everything else.

Well, if that’s the case, what else can we do? Am I saying that there is no actual protection? YES!

But we can definitely work on minimizing the risk of keeping everything under one single infrastructure: place part of the data somewhere secure (your own device) and the remainder in a location that, on its own, is not secure. The reason I say not secure is that this is where the protection actually happens: what sits there is useless without the part you kept at home. The last thing they would search is their own backyard. Nobody wants to steal data that is open to everyone. That ain’t stealing anyway!

The phrase “that is where they least expect to hit ‘em from” simply doesn’t apply to X, coz’ there are lots of better places for X to hit, and X would never know whether yours is worth it.

If this theory sounds good to you, let’s start the practicals now. There is an existing password manager which already fits the above theory: pass, “the standard unix password manager”. You can find the website here: https://www.passwordstore.org/

Considering the above theory, you can safely assume that the app needs some basic understanding of the following:

  1. How to create a GitHub repository (private repo recommended)
  2. How to generate a PGP key pair (there are online generators, but generate the key locally with GnuPG instead: a private key that was created on somebody else’s web page is only as secret as that page)

Note: the longer the passphrase, the better protected your private key is, and it’s ok to have the expiry option set to Never (you can still revoke the key later if you ever need to).

  3. Once you are done with the above two steps, it’s time to install the app from the Compatible Clients section of the https://www.passwordstore.org/ site
  4. After installation you will be asked for the git repo and PGP key pair details before you can use the app
  5. Once the repo and key details are entered you are good to go!

Just to be clear about how this app ties in to our theory, we need to understand a little more about how it works. The repo you create is basically the database where your encrypted passwords are stored, one GPG-encrypted file per entry. That means each user has a separate database (git repo), and it lives on GitHub (the world’s largest host of source code). The password in each file can only be decrypted with your private key and its passphrase, and those exist only on your local file system: in the app’s data folder (or your GPG keyring), not on any server.

As you see, you have now separated the key (PGP private key) from the lock (git repo), and the only way to get at your passwords is to get hold of all three: your key, your passphrase and your GitHub repo. Any one of them alone is of little use: the repo by itself is ciphertext, and the key by itself is useless without the passphrase. Two caveats, though. pass encrypts file contents, not file names, so anyone who can read the repo (or its commit history) still learns which sites you have accounts on, and which usernames if you put them in the path. And all three live together on the device you run the app on, so a compromised phone or laptop is the one case this split does not help with.

As a side note, it’s better to store a password hint in the password field of the app instead of the actual password.

That said, this is obviously not an easy password management practice, but once set up it’s worth more than the money you spend on any subscription-based or paid password management service. And the best part: you can have as many fields as you want for any website/app. An entry is just a text file: the first line is the password, and every line after it can hold a key: value pair (username, URL, recovery codes, whatever you need).
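The five setup steps and the key: value entry format described above, put together as one terminal session. This is an added example, not code from the original post or from the pass project. The GitHub user “alice”, the private repo “pass-store” and the GPG user ID “alice@example.com” are hypothetical; the sample entry is constructed. Nothing here touches a real store unless you run it with RUN_FOR_REAL=1.

```sh
#!/bin/sh
# Added example (not from the original post): pass setup and entry handling.
# Hypothetical names: GitHub user "alice", repo "pass-store", key "alice@example.com".
set -eu

# Steps 1-5 from the command line. On a desktop the "compatible client" is
# pass itself; the phone apps ask for the same repo URL and key.
setup_store() {
    # Generate the key locally: the private key never leaves this machine.
    gpg --full-generate-key                      # interactive; choose a long passphrase
    keyid=$(gpg --list-secret-keys --with-colons alice@example.com \
            | awk -F: '/^sec/ { print $5; exit }')   # colon format: field 5 = key ID
    pass init "$keyid"                           # writes ~/.password-store/.gpg-id
    pass git init                                # the store is now a git repo
    pass git remote add origin git@github.com:alice/pass-store.git
}

# Insert one entry. Line 1 is the secret; the following lines are free-form,
# conventionally "key: value". -m reads the whole entry from stdin until EOF.
add_entry() {
    printf '%s\n' 'correct-horse-battery-staple' \
                  'username: alice' \
                  'url: https://example.com/login' \
        | pass insert -m web/example.com
    pass git push -u origin HEAD                 # only the encrypted .gpg files travel
}

# What each party gets to see once this is set up.
inspect_store() {
    pass ls                                      # entry names are plaintext metadata...
    head -c 16 ~/.password-store/web/example.com.gpg | od -An -c   # ...contents are ciphertext
    pass show web/example.com                    # needs private key + passphrase (pinentry)
    pass show -c2 web/example.com                # copy line 2 (the username) to the clipboard
}

# Pure-shell helpers for reading a decrypted entry, e.g.
#   pass show web/example.com | entry_field username
entry_password() { sed -n '1p'; }                # first line only
entry_field()    { sed -n "s/^$1: //p"; }        # value of the "key: value" line named $1

# Constructed sample entry, exactly as `pass show` would print it.
SAMPLE_ENTRY='correct-horse-battery-staple
username: alice
url: https://example.com/login'

if [ "${RUN_FOR_REAL:-0}" = 1 ]; then
    setup_store; add_entry; inspect_store
else
    printf '%s\n' "$SAMPLE_ENTRY" | entry_field username   # prints: alice
fi
```

Note that `pass ls` works without the key: the directory layout is the part of the store that is visible to anyone holding the repo, which is why the entry names should not carry anything you would not want listed.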

Now, how do I know if this is the best/right way to manage passwords?

Well, I don’t. It’s just my way 🙂