Tiddlywiki as a password manager

Has anyone tried using TW to store and manage passwords securely with encryption? I’ve been a 1Password user for over a decade and use randomly generated passwords and it’s really good. But TW seems like an excellent alternative since it can store so many kinds of data. For example, security questions are actually terrible because of guessable answers, social engineering etc., so I actually use random alpha-numeric strings as answers for security questions. I also maintain several different email accounts for various use cases, so I have to remember what email I used to sign up for a specific service.

Would be super cool if there was a plugin to generate secure passwords with various options, similar to the generator on 1Password’s site.

I store security info in one of my encrypted TWs. Works well.

That’s a good idea to store security questions/answers.

There’s a plugin (forgotten the name) that provides per-tiddler encryption – someone reading this will remember it. @DaveGifford probably has it listed.

Here’s a link for that Encrypt Tiddler plugin by Danielo:

https://danielorodriguez.com/TW5-EncryptTiddlerPlugin/

Those security questions also presume that our minds and lives function in a particular “normal” way. I just don’t have straightforward answers to the “favorite _____” or “first _____” things they call for. I end up speculating as to what some other version of myself would come up with (and I’m not always good at reading my own mind!). So I might as well do as you do, and fill in random strings – now that I am storing it all in a TiddlyWiki anyway.

Unlike a single-function password manager, your TiddlyWiki can scale and adjust to any kind of related information-gathering – with urls, reminders, credit-balance tallying, snippets of customer assistance chat transactions, etc.

I’ve never before felt less anxiety about losing track of some important financial-legal tidbit (When does passport/license/credit card expire? Who owes me money? What’s regularly auto-charged to which accounts? Where am I waiting for some next step, and from whom?). Adding encryption for individual tiddlers — at least those holding account access details — is essential, of course.

-Springer

Do you have a demo available for this without any personal information? I am also trying to make a budget wiki using tiddlytables.

Keep in mind that the encryption in TW is something like 54 or 56 bits. Contrast with that of password managers that start at 1024. Also it’s never been vetted to make sure there aren’t any accidental loopholes (like clear-text caches).

Password managers perform other services, like clearing the clipboard after a few seconds, auto-closing the vault after a period of inactivity, and auto-filling forms.

I use full-TW encryption on just one of my files. It has personal info like contacts, and passwords for accounts where security isn’t quite as important. It’s handy for things that change too often for the regular password manager (like Github tokens). I’ll also use it for quickly saving a password that I’ll enter later into the password manager, or for sharing info between devices.


I second Mark’s suggestion and pay for LastPass as a solution;

  • Can access on different devices, apps and browsers
  • Can save as I’m creating a new credential
  • Deeper encryption
  • Random passwords
  • Cloud solution I don’t need to manage
  • Grant others access to my vault in an emergency
  • Share credentials with others (update in 1 place)

However I do use tiddlywiki – unencrypted – with “credentials”-related info, but not the passwords, and all the extra features mentioned in this thread.

That doesn’t seem right. TiddlyWiki uses Stanford Javascript Crypto Library, which by default seems to use AES in the CCM mode with 128 bits, and the password is strengthened with PBKDF2.

Unless I’m missing something, this is really good. Practically state of the art, still in 2022.

(Oh, and you can’t compare the key size of symmetric and asymmetric keys like that. Symmetric algorithms such as DES and AES usually have 128-512 bit long keys, while asymmetric algorithms such as RSA should have 2048-4096 bits, since those keys are much easier to guess.)


I agree the points you listed are all great reasons to pay for a password manager and I plan on continuing my 1Password subscription. But, this particular need arose from a work situation where I was looking for something better than a password protected Excel file to manage various credentials that cannot leave the work network. Excel just became too unwieldy for managing information beyond login credentials.

I have used TiddlyWiki before by using the Encrypt Tiddlers plugin. Depending on the application in your work environment, this really isn’t any more secure than what most people do, which is write down their passwords, i.e. a sticky note on their monitor. Or in this case an Excel file.

The correct answer would be your employer should invest in some sort of password manager or implement more single sign-on. But of course modernizing IT takes time. And it depends on how much you are interacting with internal or external sites.

I too have been a long time user of 1Password and do not like the move to a subscription-only offering. I still use 1Password 6 with Dropbox sync and on Android. It all still “just works” for the time being. But I have done research into alternatives should the day come when it will no longer work how I want it to. If anyone is looking for 1Password alternatives, I suggest looking into Strongbox (macOS only), which uses the KeePass database, or Bitwarden (all major platforms), which does have a paid syncing service.

I also suggest using a proper password manager instead of TiddlyWiki. I’m not an expert in this field, but I try to follow what some IT security researchers say and they recommend:

  • KeePass database with KeePassXC as client. There are other clients, but KeePassXC is actively maintained and has some nice usability features which will make it more secure in the end
  • Bitwarden

I personally use KeePassXC and really like it. You have a note entry in the KeePass database where you could save some information.

I personally wouldn’t use TW as a password manager, since all the data is decrypted as long as the tab is open. So if you forget to “close” it, everyone can access all the info in your browser tab.

There is a plugin that lets you encrypt / decrypt single tiddlers. … BUT … the plugin system itself is a very powerful “attack vector” for social engineering.

TW also has a relatively huge “attack surface”, since it contains a lot of API functions that make it easy to retrieve data from the “store”. That’s by design, since TW wasn’t developed to be used as a password manager. It’s more like a general purpose CMS (content management system).

For me a PW-manager only should have the minimal API functions needed to make it work for exactly that purpose.

Just my opinion.
