Tiddlywiki as a password manager

Has anyone tried using TW to store and manage passwords securely with encryption? I’ve been a 1Password user for over a decade and use randomly generated passwords, and it’s really good. But TW seems like an excellent alternative since it can store so many kinds of data. For example, security questions are actually terrible because of guessable answers, social engineering etc., so I actually use random alphanumeric strings as answers for security questions. I also maintain several different email accounts for various use cases, so I have to remember what email I used to sign up for a specific service.

Would be super cool if there was a plugin to generate secure passwords with various options, similar to the generator on 1Password’s site.

I store security info in one of my encrypted TWs. Works well.

That’s a good idea to store security questions/answers.

There’s a plugin (forgotten the name) that provides per-tiddler encryption – someone reading this will remember it. @DaveGifford probably has it listed.

Here’s a link for that Encrypt Tiddler plugin by Danielo:

https://danielorodriguez.com/TW5-EncryptTiddlerPlugin/

Those security questions also presume that our minds and lives function in a particular “normal” way. I just don’t have straightforward answers to the “favorite _____” or "first _____ " things they call for. I end up speculating as to what some other version of myself would come up with (and I’m not always good at reading my own mind!). So I might as well do as you do, and fill in random strings – now that I am storing it all in a TiddlyWiki anyway.

Unlike a single-function password manager, your TiddlyWiki can scale and adjust to any kind of related information-gathering – with urls, reminders, credit-balance tallying, snippets of customer assistance chat transactions, etc.

I’ve never before felt less anxiety about losing track of some important financial-legal tidbit (When does passport/license/credit card expire? Who owes me money? What’s regularly auto-charged to which accounts? Where am I waiting for some next step, and from whom?). Adding encryption for individual tiddlers — at least those holding account access details — is essential, of course.

-Springer

Do you have a demo available for this without any personal information? I am also trying to make a budget wiki using tiddlytables.

Keep in mind that the encryption in TW is something like 54 or 56 bits. Contrast with that of password managers that start at 1024. Also it’s never been vetted to make sure there aren’t any accidental loopholes (like clear-text caches).

Password managers perform other services, like clearing the clipboard after a few seconds, auto-closing the vault after a period of inactivity, and auto-filling forms.

I use full-TW encryption on just one of my files. It has personal info like contacts, and passwords for accounts where security isn’t quite as important. It’s handy for things that change too often for the regular password manager (like Github tokens). I’ll also use it for quickly saving a password that I’ll enter later into the password manager, or for sharing info between devices.

2 Likes

I second Mark’s suggestion and pay for LastPass as a solution:

  • Can access from different devices, apps and browsers
  • Can save when creating a new credential
  • Deeper encryption
  • random passwords
  • Cloud solution I don’t need to manage
  • Grant others access to my vault in an emergency
  • Share credentials with others (update in 1 place)

However, I do use tiddlywiki, unencrypted, with “credentials”-related info (but not the passwords) and all the extra features mentioned in this thread.

That doesn’t seem right. TiddlyWiki uses the Stanford JavaScript Crypto Library, which by default seems to use AES in CCM mode with 128 bits, and the password is strengthened with PBKDF2.

Unless I’m missing something, this is really good. Practically state of the art, still in 2022.

(Oh, and you can’t compare the key size of symmetric and asymmetric keys like that. Symmetric algorithms such as DES and AES usually have 128-512 bit long keys, while asymmetric algorithms such as RSA should have 2048-4096 bits, since those keys are much easier to guess.)

2 Likes

I agree the points you listed are all great reasons to pay for a password manager and I plan on continuing my 1Password subscription. But, this particular need arose from a work situation where I was looking for something better than a password protected Excel file to manage various credentials that cannot leave the work network. Excel just became too unwieldy for managing information beyond login credentials.

I have used TiddlyWiki before with the Encrypt Tiddlers plugin. Depending on the application in your work environment, this really isn’t any more secure than what most people do, which is write down their passwords, i.e. a sticky note on their monitor. Or, in this case, an Excel file.

The correct answer would be your employer should invest in some sort of password manager or implement more single sign-on. But of course modernizing IT takes time. And it depends on how much you are interacting with internal or external sites.

I too have been a long-time user of 1Password and do not like the move to a subscription-only offering. I still use 1Password 6 with Dropbox sync and on Android. It all still “just works” for the time being. But I have done research into alternatives should the day come when it will no longer work how I want it to. If anyone is looking for 1Password alternatives, I suggest looking into Strongbox (macOS only), which uses the KeePass database, or Bitwarden (all major platforms), which does have a paid syncing service.

I also suggest using a proper password manager instead of TiddlyWiki. I’m not an expert in this field, but I try to follow what some IT security researchers say, and they recommend:

  • KeePass database with KeePassXC as client. There are other clients, but KeePassXC is actively maintained and has some nice usability features which will make it more secure in the end
  • Bitwarden

I personally use KeePassXC and really like it. You have a note entry in the KeePass database where you can save some information.

I personally wouldn’t use TW as a password manager, since all the data is decrypted as long as the tab is open. So if you forget to “close” it, everyone can access all the info in your browser tab.

There is a plugin that lets you encrypt / decrypt single tiddlers. … BUT … the plugin system itself is a very powerful “attack vector” for social engineering.

TW also has a relatively huge “attack surface”, since it contains a lot of API functions that make it easy to retrieve data from the “store”. That’s by design, since TW wasn’t developed to be used as a password manager. It’s more like a general-purpose CMS (content management system).

For me, a PW manager should only have the minimal API functions needed to make it work for exactly that purpose.

Just my opinion.

4 Likes

Password management, in my opinion, is an approach that needs a thought-out plan; most users could use some guidance counseling.

After two years, is there a solution out there, or is it still (as of today) a bad/risky idea/alternative? Have there been any updates on this conversation or on overcoming the impossibility of a secure pwTiddlyManager?

Legend speaks of these security guard tiddlers with batons named TW5 PasswordVault, TW Encryption, TW Password Widget that were supposed to drive the armored truck.

Any opinions/experience/recommendations on using projects such as
TiddlyFolio - Your Wiki Wallet v1.1 available for Firefox+TiddlyFox
or plugins out there, i.e.
Danielo Rodriguez’ plug-in to encrypt single tiddlers?

1 Like

This is a TW Classic edition and cannot be used with TW5.

This should still be a valid option to encrypt and decrypt single tiddlers, but it also has the same weak points every TW has. It’s not designed to be a password manager.

TW is designed to be extended by users in ways we cannot foresee. It’s designed to be extended using 3rd-party plugins, which can be hard to review, and users do not really know what they can do.

My opinion posted at: Tiddlywiki as a password manager - #12 by pmario still stands.

There has been another discussion: Query: How secure is the inbuilt encryption option in TW?

TW uses the SJCL library, which was created in 2009, and the defaults it uses made sense in 2009. As I wrote at: Query: How secure is the inbuilt encryption option in TW? - #16 by pmario, we should change the default values to modern standards.

3 Likes

I just want to support and reinforce Mario’s position on this. I believe there are “known unknowns and unknown unknowns” in relation to TiddlyWiki, so I do not think it suitable as a password manager, specifically because a good password manager is on the internet and has overlay tools etc. across many platforms. I use “LastPass premium”, which illustrates what it needs.

  • I do not want to enter into a debate about LastPass or its competitors, please

However:

I use TiddlyWiki as a personal organiser which I keep local, and I have just a few key passwords documented in a large wiki in obscure ways, typically master passwords I do not use normally. They do not give away where they are in use, or even that they are passwords.

  • Beyond this basic use I would not use it for a password manager, and a lot of systems are trying to move away from passwords.

1 Like

Even though this is a really old thread… I have been using KeePass and KeePassXC for years, and they are great!

1 Like

How come no one mentioned TiddlyPWA?

IMO it is “the wiki” for storing sensitive info like passwords.