Is there a local-system-only (Win/IOS/Mac) password manager that is Yubikey (or similar) capable?


JimWilliamson

Member
Nov 15, 2020
24
7
Is there a local-system-only (Win/IOS/Mac) password manager that is Yubikey (or similar) capable?

I'm looking to move to a password manager that is security key capable (in addition to password) but wish it to be a local only / offline setup. Does such a system exist?

The only setup I have found is Bitwarden's ability to run a "local server" for the hosting. I have not looked into it and wish to see if anything else would be recommended.

Thanks - Jim
 

PHolder

Well-known member
Sep 16, 2020
630
2
308
Ontario, Canada
Is there a local-system-only (Win/IOS/Mac) password manager that is Yubikey (or similar) capable?
Yes one claims to exist, no it doesn't do what you want and gives a false sense of security. Yubikeys have a number of features. The initial Yubikey authentication method REQUIRES online access to Yubikey's server (or one of your own if you want to totally forgo Yubikey working anywhere but with your server.) The way this mode works is with a secret shared between your key and their server... they preloaded it in their server when they built your key. (There is a way to replace it, but you still have to send it to them.)

One of the other ways it can work is to manually type a password for you. Basically you preload it with a [strong] password, and when you use this mode, it will simulate your keyboard typing that password in. Of course if your focus is not right (say you have a Word document focused) then the Yubikey can't know this, and there goes your password rapidly typed into the wrong place (like in the middle of that Word document.)

Also, Yubikey in most of its modes is only about authentication. Since you want to use local authentication, you do realize that anyone who copied your data offsite, could work around the local authentication by bypassing it. The only way this could be avoided would be if the Yubikey stored a password that the password manager could use to do crypto with in secret. Yubico does make a device that does this, but it's very expensive in comparison to a Yubikey. Check out the Yubico HSM (hardware security module) if you have the programming chops to create an app with it. (As far as I know, there aren't many publicly available apps or tools that use it because of the cost.)

This is a fundamental rule of crypto... you need a password supplied in order to use it, or you need a device that can proxy the use of the password. Yubikeys are not designed to act as a proxy (with the possible exception of the FIDO modes, but those modes were designed for online use with a 3rd party too.)
 
Dec 20, 2020
5
0
I use KeepassXC, a better-supported fork of Keepass. Unlock with Yubikey static password feature (not OTP) plus one of my PINs (taps head).

PHolder's concern about Autotype into a Word doc is definitely valid. From inside the KeepassXC app, you can Ctrl+V and it'll automatically Alt+Tab to the last used app and paste a pre-defined sequence (including Tabs, pauses, etc.). Super handy for daily use and also unusual circumstances, like a VM without Guest Additions support for shared clipboard. But the wrong combination could end up posting my Hotmail password in this forum!

You can also just double click the entry's password field and navigate to the window and field to manually paste. The clipboard clears by default at... 10 seconds? 12? I forget, but that's configurable as well.

It also supports plugins to work directly with your browser, but I don't use that.
 


JimWilliamson

Member
Nov 15, 2020
24
7
Thanks to both.

Re-reading my initial post, specifically after PH's comment, I should remove "offline". The systems it would be used on would be online. I simply have a preference for the encrypted file to be locally stored (without any copy stored online).
 

PHolder

Well-known member
Sep 16, 2020
630
2
308
Ontario, Canada
If the only thing being done online is authentication, then this is easily bypassed if they have a local copy of the app/data. (They would just patch out the online auth check, since you still need to supply the password locally.)
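
Added example (not part of any post in this thread, and not code from any password manager named here): a Python sketch of the distinction PHolder draws between a token used only as a local authentication gate and a token whose secret feeds the encryption key. The `Token` class, the vault dictionaries and the `enforce_gate` flag are hypothetical, and the token is simulated in software.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this sketch

class Token:
    """Software stand-in for a hardware key whose secret never leaves it."""
    def __init__(self):
        self._secret = os.urandom(32)

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def _pw_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _check(key):
    # Key-check value kept in the vault header to detect a wrong key.
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def _verify(key, vault):
    return key if hmac.compare_digest(_check(key), vault["check"]) else None

def create_gated(password, token):
    """Token only authenticates; the data key comes from the password alone."""
    salt, chal = os.urandom(16), os.urandom(16)
    return {"salt": salt, "chal": chal, "expect": token.respond(chal),
            "check": _check(_pw_key(password, salt))}

def unlock_gated(vault, password, token=None, enforce_gate=True):
    # enforce_gate=False models a copied file opened by code without the check.
    if enforce_gate and (token is None or not hmac.compare_digest(
            token.respond(vault["chal"]), vault["expect"])):
        return None
    return _verify(_pw_key(password, vault["salt"]), vault)

def _bound_key(vault, password, token):
    response = token.respond(vault["chal"])
    return hmac.new(response, _pw_key(password, vault["salt"]), hashlib.sha256).digest()

def create_bound(password, token):
    """Token response is mixed into the data key; no stored answer to skip."""
    vault = {"salt": os.urandom(16), "chal": os.urandom(16)}
    vault["check"] = _check(_bound_key(vault, password, token))
    return vault

def unlock_bound(vault, password, token):
    if token is None:
        return None
    return _verify(_bound_key(vault, password, token), vault)
```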
 

Bruce

New member
Sep 18, 2020
3
1
Michigan, USA
You might look at this: https://pwsafe.org/ They claim to support Yubico keys and you can use the key along with your own key phrase as well if you want. Pwsafe is local only, it has no on-line component. Originally developed by Bruce Schneier. I have used it for years.
 

rfrazier

Well-known member
Sep 30, 2020
231
77
LastPass can be used in offline mode although you might have to be online to set it up initially. I have mine set to allow that option, but haven't tested it in a while. I'm normally online so all the passwords are synced to the central server. I also believe LastPass can be used with Yubikey.

May your bits be stable and your interfaces be fast. :cool: Ron
 

JimWilliamson

Member
Nov 15, 2020
24
7
PWsafe - I'll check it out.
LastPass Offline - Hmmm - curious - I'll look into that too.

Thank you.

EDIT - Some PWsafe info:

It looks like the PWsafe IOS app is capable of iTunes file sharing to sync the database between WinOS/MacOS and an IOS device - no need to place the database online (iCloud / DropBox) - a nice thing.
 
Is there a local-system-only (Win/IOS/Mac) password manager that is Yubikey (or similar) capable?

I'm looking to move to a password manager that is security key capable (in addition to password) but wish it to be a local only / offline setup. Does such a system exist?

The only setup I have found is Bitwarden's ability to run a "local server" for the hosting. I have not looked into it and wish to see if anything else would be recommended.

Thanks - Jim
Try the StrongBox app. It is available for macOS and iOS/iPadOS.

It is KeePass compatible and you can optionally use a YubiKey. It is based on a freemium model. The paid version is VERY expensive.
 

danlock

Well-known member
Sep 30, 2020
133
45
I use Password Safe also (Bruce Schneier's program which encrypts the password database with at least Twofish), but I never use the auto-type feature. I like it because it's compatible with every OS I use... Android, Windows, Linux, etc., and it has an auto-sync feature which ensures I have the latest version of my encrypted passwords file on every device. It's quite nice and still under active development.

Dragging-and-dropping the username icon to the username field and the "key" icon to the password field (preferably in the reverse order, but sometimes that's not possible, and sometimes I have to use the clipboard instead of drag and drop) then clicking the "clear clipboard" button in pwsafe is easy.

You can also set it to wipe its memory and lock the database after a time of inactivity or when you minimize the window or close the program, among other things... and force a delay between master password entry and decryption to make brute-forcing harder or impossible. Like SQRL, there are no backdoors.

I don't know if @PHolder likes pwsafe very much, but it works well for me, as far as I can tell.

There's another thread here where we discussed Password Safe and password managers months ago; it shouldn't be too hard to find.
 
  • Like
Reactions: JimWilliamson

PHolder

Well-known member
Sep 16, 2020
630
2
308
Ontario, Canada
I don't know if @PHolder likes pwsafe very much
I have no issues with pwsafe that I know of, but I dislike their implication of supporting Yubikeys as [local] 2FA... which was what was discussed in another thread. Just have a secure password and I assume it's fine for local password management.
 
  • Like
Reactions: danlock