Just recently, I was steered to this site..
https://www.passwordstore.org/
And in there, I realized that a very simple self-managed password
"vault" can be created with just using gpg from the command line.
For example, if you wanted to store a password for Ebay..
gpg -o pw-for-ebay.gpg -e -r [myID] -
..and the system will open stdin for typing. When done, hit new-line, and
Ctrl-C [probably ^D in Linux], and the file is created with the string stored
inside.
File 'pw-for-ebay.gpg' exists. Overwrite? (y/N) y
updated pw is ... blahblahblah111
^C
When you need to view the pw:
gpg: encrypted with 2048-bit RSA key, ID 583B29AD69D0999F, created 2020-01-02
"August Abolins <august@kolico.ca>"
updated pw is ... blahblahblah111
So.. it's relatively simple to have a safe directory with all the pw*.gpg files like that.
I've been a happy https://pwsafe.org/ user for many many years. Both on Linux and Windows.
gpg -o pw-for-ebay.gpg -e -r [myID] -
When you need to view the pw:
H:\temp>> gpg -d pw-for-ebay.gpg
Interesting, and maybe for emergency use, when a real password manager isn't available, but otherwise I don't find it very practical...
Interesting, and maybe for emergency use, when a real password
manager isn't available, but otherwise I don't find it very
practical...
Practical is exactly what it is! It doesn't rely on any other 3rd party software. And compatibility across OS changes is ensured.
And.. a terminal is available to anyone, cmd-line or GUI.
Just keep all the .gpg files in an easy to remember folder:
C:\PW
.. and list all of them with DIR (or ls) *.gpg
Simple.
Build it into a script for a faster list from any directory:
mypws, to produce the output of "dir c:\pw\*.gpg"
I dunno.. I think the use of gpg manually keeps us sharp. "User-friendly" as
an excuse to use GUI kinda makes us lazy and dumb.
Are you going to use this yourself for every day use?
If so, let us know how you feel about it in a month or a year of
usage... ;-)
But most of my passwords are remembered by the browser I use. And even those follow a "recipe" that I use to reconstitute any pw I need for
any site - so, I don't really need to remember the password, just the
way to build it.
But most of my passwords are remembered by the browser I use. And even
those follow a "recipe" that I use to reconstitute any pw I need for
any site - so, I don't really need to remember the password, just the
way to build it.
That's not good practice! It makes them predictable...
I just have my password manager generate a long random password, consisting of all possible characters, most of the time.
Nothing about the formula is predictable. Only I know it. It's only
in my head. And.. depending on the circumstances for pw changes by
some sites, even the tweaking follows a pseudo "rule".
I just have my password manager generate a long random password,
consisting of all possible characters, most of the time.
That's fine, but even a set of "random" words or phrase is good enough.
So.. as an example, a random phrase that is only meaningful to you,
add some other uniqueness in some other way that only you know, and
you have a pw that no one could guess,
and it's something you can recover with only the technology of your
brain. ;)
Nothing about the formula is predictable. Only I know it. It's only
in my head. And.. depending on the circumstances for pw changes by
some sites, even the tweaking follows a pseudo "rule".
How long are your passwords? Do they have pronounceable words/parts?
So.. as an example, a random phrase that is only meaningful to you,
When it's meaningful it's not random! ;-)
add some other uniqueness in some other way that only you know, and
you have a pw that no one could guess,
"No one" isn't the problem. It's the automated password guessers that
are your adversaries. And they can try thousands or probably millions of passwords in a second, and do that in a smart way.
and it's something you can recover with only the technology of your
brain. ;)
Can you give an example for a fictitious website (without revealing your formula of course)?
Nothing about the formula is predictable. Only I know it. It's
only in my head. And.. depending on the circumstances for pw
changes by some sites, even the tweaking follows a pseudo "rule".
How long are your passwords? Do they have pronounceable words/parts?
Length can vary, depending on the formula output for each "part". Pronounceable words are a choice. Pronounceable or not doesn't really matter if
the whole sum of parts makes no "sense".
add some other uniqueness in some other way that only you know, and
you have a pw that no one could guess,
"No one" isn't the problem. It's the automated password guessers that
are your adversaries. And they can try thousands or probably millions of
passwords in a second, and do that in a smart way.
The automation doesn't matter. The front-ends for password entry would slow
down rapid attempts anyway. No site would allow any of those millions of passwords in one second. Login attempts are limited per minute or max out after a handful of tries.
Can you give an example for a fictitious website (without revealing
your formula of course)?
Sure.
Think of it in 4 or 5 parts: [A] [B] [C] [D] [E]
Part [A] would be something meaningful to you for the particular site/ service: eg. for FictitiousWebsite.com, think of "formula" for it,
say.. FW, or ficweb, or just use the first 3 or 6 consonants, or the vowels,
or the consonants for the first word, and vowels for the second word. The possibilities to encode that are limited to the imagination, but just stick
to an encoding scheme that you like - and that will make it easy to remember
when you need it.
Part [B] could be a string of 4 to 8 numbers that are only meaningful to you,
and you can even append an encoded number to that based on the string of chars
you used for part [A]. How you encode it is up to you. eg. a simple ROT
function, some part of pi, or a combo of 4 numbers from one credit card and
the 4 numbers of another credit card [the latter credit card example is something you can always look up if you can't remember that].
Part [C] could be reserved for one or more special characters that most systems often require. So, pick some special char or sequence of chars that
you like and that would make sense to you. You could even pick the special char based on the string of chars you ended up for part [A], so that [C] is
always different from site to site.
Part [D] could be reserved for a couple of short silly words that can also be
processed to make them look less like obvious words. How you process them or
not is up to you.
Parts [A] [B] [C] [D] could be in any order you like.
Figure out something else for part [E] which could be another function
of any of the other parts.
As a whole, the result will be a pretty fine pw string that only you
knew how to construct, and can reconstruct when you need it.
Length can vary, depending on the formula output for each "part".
Pronounceable words are a choice. Pronounceable or not doesn't really
matter if the whole sum of parts makes no "sense".
Well it makes your password easier to guess. Password guessers use dictionaries.
[...] But sometimes databases
get stolen. Or hackers get direct access to the systems that store the (encoded) passwords.
Parts [A] [B] [C] [D] could be in any order you like.
As long as you always use the same order. Otherwise you can forget which order you used for a particular website. ;-)
The devil is in the details I suppose. Depending on a few variables in your scheme, it might be sufficiently random for password guessers
(which have become quite advanced, and will only become better in the future) to not break it.
But I think it's much easier and safer, to use long truly randomly generated passwords and store them in a password manager.
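An added illustration, not part of this thread: a back-of-the-envelope guess-space comparison of the "[A] [B] [C] [D]" recipe described above against a random password from a manager, at an online rate (behind a login rate limiter) and an offline rate (against a stolen database). Every part count, the guess rates and the character lengths are assumptions chosen for the arithmetic, not measurements of anyone's real scheme; the attacker is assumed to know the general shape of the recipe but none of the personal choices.

```python
import math

# Assumed number of choices an attacker who knows the shape of the recipe
# would have to try for each part. These are illustrative assumptions only.
SCHEME_PARTS = {
    "A_site_encoding": 8,        # a few ways to encode the site name (FW, ficweb, consonants...)
    "B_digits": 10 ** 6,         # 4-8 personal digits; treated as roughly 6 unknown digits
    "C_special": 32 * 2,         # one or two special characters from a small set
    "D_two_words": 20_000 ** 2,  # two short dictionary words
    "ordering": 24,              # 4! possible orders of the parts
}

ONLINE_GUESSES_PER_SEC = 10 / 60    # assumed: ~10 login attempts per minute behind a rate limiter
OFFLINE_GUESSES_PER_SEC = 10 ** 9   # assumed: guessing against a stolen database of fast hashes


def scheme_bits(parts=SCHEME_PARTS):
    """Bits of entropy if every part is chosen uniformly and independently.

    Real choices are not uniform (people pick memorable values), so this is
    a generous upper bound for the recipe, not a lower bound."""
    return sum(math.log2(n) for n in parts.values())


def random_password_bits(length, alphabet_size=95):
    """Bits of entropy of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def bits_per_char(bits, chars):
    """How much each typed character actually contributes to the guess space."""
    return bits / chars


def seconds_to_exhaust(bits, guesses_per_sec):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_sec


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def compare(scheme_chars=22, random_len=20):
    """Summarise both strategies at online and offline guess rates.

    scheme_chars and random_len are assumed typed lengths for the two passwords."""
    s_bits = scheme_bits()
    r_bits = random_password_bits(random_len)
    two_words_bits = math.log2(SCHEME_PARTS["D_two_words"])
    return {
        "scheme_bits": round(s_bits, 1),
        "scheme_bits_per_char": round(bits_per_char(s_bits, scheme_chars), 2),
        # two ~5-letter words: 10 typed characters
        "two_words_bits_per_char": round(bits_per_char(two_words_bits, 10), 2),
        "random_bits": round(r_bits, 1),
        "random_bits_per_char": round(bits_per_char(r_bits, random_len), 2),
        "scheme_online_years": years(seconds_to_exhaust(s_bits, ONLINE_GUESSES_PER_SEC)),
        "scheme_offline_years": years(seconds_to_exhaust(s_bits, OFFLINE_GUESSES_PER_SEC)),
        "random_offline_years": years(seconds_to_exhaust(r_bits, OFFLINE_GUESSES_PER_SEC)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>26}: {value:,.2f}")
```

The point the numbers make is the one raised in the thread: the rate limiter makes the online case irrelevant for either strategy, but once a database is stolen the guessing happens offline, and the dictionary-word part of the recipe contributes under half the bits per typed character that random characters do.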
I don't know about you, but many of my site/system logins are NOT
email addresses.
[...] But sometimes databases
get stolen. Or hackers get direct access to the systems that store the
(encoded) passwords.
I think unencrypted databases are the true target.
And length is not as critical as to avoid outright guessable. I have
a friend who simply uses her first name and 1234 for her hotmail
account, and her name is in the email address itself!
Another fellow uses the layout of the keyboard to guide him to
"remember" his passwords. Eg. the leftmost keys on the kb =
qweasdzxc, or qazwsxed, and then some numbers. Personally, I would
not use that scheme as the sole pw. Instead, maybe the qweasdzxc or qazwsxedc strings could be one of the parts in [A] [B] [C] as a
minimum.
I do admit, that some of my sites don't follow exactly the same scheme between them. I do something different for financial/banking accounts too. And a few older sites have pws before I came up with the formula method.
For recovery, facebook can send a 6-digit code to an email address
that I had associated with facebook. That works. But when I enter
the 6-digits at the facebook prompt for those digits, it comes up with "you have to use another device that you used before". That
requirement is stupid!
I think this might be the perfect time to drop Facebook.
I don't know about you, but many of my site/system logins are NOT
email addresses.
You often don't have choice...
I think unencrypted databases are the true target.
Those are the targets with high reward, but they shouldn't exist
anymore. ;-)
And length is not as critical as to avoid outright guessable. I have
a friend who simply uses her first name and 1234 for her hotmail
account, and her name is in the email address itself!
Hmmm... I'm surprised that is still allowed by hotmail...
Another fellow uses the layout of the keyboard to guide him to
"remember" his passwords. Eg. the leftmost keys on the kb =
qweasdzxc, or qazwsxed, and then some numbers. Personally, I would
not use that scheme as the sole pw. Instead, maybe the qweasdzxc or
qazwsxedc strings could be one of the parts in [A] [B] [C] as a
minimum.
I don't use such easy schemes, but I sometimes use easy to type passwords (for me) when I can't use a password manager.
My financial accounts all use some kind of 2 factor authentication nowadays anyway...
"you have to use another device that you used before". That
requirement is stupid!
Indeed. Devices come and go, they shouldn't use a scheme that depends on it. It would cause a lot of trouble...
I think this might be the perfect time to drop Facebook.
It's always a good time to drop Facebook! ;-)
And length is not as critical as to avoid outright guessable. I
have a friend who simply uses her first name and 1234 for her
hotmail account, and her name is in the email address itself!
Hmmm... I'm surprised that is still allowed by hotmail...
Well.. that was a number of years ago. Since then, she has replaced her laptop at least twice. Maybe she used the "forgot password" process and was
forced to "upgrade"/change the password, dunno.
Another fellow uses the layout of the keyboard to guide him to
"remember" his passwords. Eg. the leftmost keys on the kb =
qweasdzxc, or qazwsxed, and then some numbers. Personally, I would
not use that scheme as the sole pw. Instead, maybe the qweasdzxc or
qazwsxedc strings could be one of the parts in [A] [B] [C] as a
minimum.
I don't use such easy schemes, but I sometimes use easy to type
passwords (for me) when I can't use a password manager.
What do you mean "easy to type"? Everything is easy to type.
My financial accounts all use some kind of 2 factor authentication
nowadays anyway...
2FA [sending an sms string to a phone] seems secure. But my bank doesn't always go through that route when I need to relogin the same day from the same device a little while later.
I could be held hostage and someone else could be forcing me to enter
the 1st layer of login, and the perps could be in control of my phone.
I only started using FB for my business recently. It actually started
to be handy to post a sale or a quick announcement. And, I only
recently added a new image for my top "banner". https://facebook.com/AshliesBooks ..but ultimately, FB is still a walled-garden and only other FB members can see the full content
anyway.
I only started using FB for my business recently. It actually started
to be handy to post a sale or a quick announcement. And, I only
recently added a new image for my top "banner".
https://facebook.com/AshliesBooks ..but ultimately, FB is still a
walled-garden and only other FB members can see the full content
anyway.
Does the account have followers/friends?
I only started using FB for my business recently. It actually
started to be handy to post a sale or a quick announcement. And, I
only recently added a new image for my top "banner".
https://facebook.com/AshliesBooks ..but ultimately, FB is still a
walled-garden and only other FB members can see the full content
anyway.
Does the account have followers/friends?
Does the link load for you? As a non-registered user now, I only see "Following" = 0 and "Followers" = 53 ..so no great loss.
What do you mean "easy to type"? Everything is easy to type.
I'm a ten finger blind typer. Then some keys are closer to the starting position for your fingers, and some order of keys are also easier/faster to type.