RT Cunningham

Buttercup is a Fantastic Password Manager, Much Better than Others

I’ve used LastPass as my password manager for years. It has never failed to flawlessly work as intended. The one thing that always concerned me, however, was relying on a third-party service for security. I found a product called “Buttercup” today, prompted by an article at Ghacks.

After installing it as a desktop client and web browser extension, I can safely say my LastPass days will soon be over. You can find Buttercup here or here.

Buttercup Vaults

I have Buttercup installed as a desktop client on Linux Mint. I also have it installed as an extension in my Brave Browser. The vault I chose to use is WebDAV, using a subdomain of mine that I won’t even mention (for added security). You can choose any of these:

If you connect online drive storage services to your computer, in directories of their own, you can use others like Mega and pCloud (or any other service you can imagine).

WebDAV versus Online Storage Services

The online storage services I mentioned all give you a few megabytes or gigabytes for free. After that, you have to pay. I have over five gigabytes available with Dropbox and around 15 gigabytes available with Google Drive. I still have over 22 gigabytes available with my web hosting account, which I’m only paying $5.00 a month for.

There are plenty of tutorials about setting up WebDAV servers. I found one for Nginx and adapted it for my own needs. The Nginx server block looks something like this:

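server {
    # TLS listener; ssl_certificate and ssl_certificate_key must be set here
    # or in the enclosing http block (not shown in this post).
    listen                            443 ssl http2;
    server_name                       servername.tld;
    root                              /home/servername.tld;
    # HTTP basic authentication against a password file.
    auth_basic                        "Restricted";
    auth_basic_user_file              /etc/nginx/.passwords;
    # Write methods come from ngx_http_dav_module; PROPFIND and OPTIONS
    # need the third-party nginx-dav-ext-module.
    dav_methods                       PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods                   PROPFIND OPTIONS;
    # Permissions for newly created files and directories.
    dav_access                        user:rw group:rw all:r;
    client_body_temp_path             /tmp/nginx/webdav;
    # 0 disables the request body size check.
    client_max_body_size              0;
    # Let PUT create missing intermediate directories.
    create_full_put_path              on;
}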

If you don’t use SSL/HTTPS, you’re asking for trouble: basic authentication sends the password with every request, and without encryption in transit it can be intercepted. I suggest using a password you never use anywhere else and one that would take more than a day or two to guess. Since you’re storing an encrypted file, you should be able to replace the passwords long before the file can be decrypted with available methods today.
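As an added example (not code from the original post), this Python script audits an nginx WebDAV server block for the point made above, basic authentication offered on a listener without TLS, plus three related settings. The finding names, the choice of checks and the weak block are assumptions of the example, and the parser reads only flat `name args;` lines.

```python
import re

# Security-relevant directives from the post's server block (sample input).
PAGE_BLOCK = """
server {
    listen                 443 ssl http2;
    auth_basic             "Restricted";
    auth_basic_user_file   /etc/nginx/.passwords;
    dav_methods            PUT DELETE MKCOL COPY MOVE;
    dav_access             user:rw group:rw all:r;
    client_max_body_size   0;
}
"""

# Constructed variant: plain HTTP and no authentication.
WEAK_BLOCK = """
server {
    listen                 80;
    dav_methods            PUT DELETE MKCOL COPY MOVE;
    dav_access             user:rw;
    client_max_body_size   16m;
}
"""

def parse_directives(block):
    """Map directive name -> list of argument lists (flat 'name args;' lines only)."""
    found = {}
    for line in block.splitlines():
        m = re.match(r"\s*([a-z_]+)\s+([^;#]+);", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).split())
    return found

def audit(block):
    """Return finding codes for one WebDAV server block."""
    d, codes = parse_directives(block), []
    # A missing listen directive counts too: nginx then serves plain HTTP.
    if not d.get("listen") or any("ssl" not in a for a in d["listen"]):
        codes.append("plaintext-listen")      # basic-auth password readable in transit
    realm = d.get("auth_basic", [["off"]])[-1]
    if realm == ["off"] or "auth_basic_user_file" not in d:
        codes.append("no-basic-auth")         # DAV methods open to any client
    if any(a.startswith("all:") for args in d.get("dav_access", []) for a in args):
        codes.append("world-readable-files")  # new files readable by every local account
    if ["0"] in d.get("client_max_body_size", []):
        codes.append("unlimited-upload")      # request body size check disabled
    return codes

if __name__ == "__main__":
    print("page:", audit(PAGE_BLOCK), "weak:", audit(WEAK_BLOCK))
```
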

The Buttercup Name Threw Me for a Loop

I have no idea why the author of this software package chose the name “Buttercup”. The only reference I can mention is the phrase, “Suck it up, buttercup”, which is used when people tend to wimp out when doing something other than the norm.

Personally, I don’t need to suck up anything. There are more than a hundred ways to store passwords and I’ve used a good portion of them in the past. Buttercup makes things easier.

I’ve already exported my LastPass database and I’ve already imported it to my Buttercup database (the .bcup file). It’s going to take a few days to go through all the “documents” and clean it all up. Once I’m done, I won’t have to rely on any other service and I’ll have full control of my passwords on my own storage space.

If it works well, I’ll offer the space to both of my sons and their families. Security in today’s web environment is a must and their peace of mind only enhances my own. What more could anyone ask?

Next Day Note

After some experimentation, I found I could prevent a connection to the WebDAV server from anything but my web browser extension. I’m simply using a persistent cookie and if that cookie doesn’t exist, no connection can be made. File managers and other WebDAV clients don’t do cookies. Web browsers, and by extension (no pun intended), web browser extensions do. So… I now have two authentication methods in place.

RT Cunningham
July 30, 2019 11:00 pm
Technology