Towards Stronger Password Management
Sound The Alarm
Recently, an old password of mine was leaked in a data dump. Two other sites I frequent use the same password — tsk tsk. I was fortunate enough to flag my stolen credit card number before any damage could be done, but some of my personal information was definitely downloaded. What degree of risk or personal harm that opens me up to is unclear.
Realizing that I had no excuse for poor security, I set about improving it. First on deck was expunging the leaked password from any sites still using it. I also wanted to avoid ending up in a similar situation again, and ideally have something else manage my passwords for me. The idea of a browser plugin is appealing, but giving all of my passwords to a third-party company and trusting them with that information is not.
In the past I had used KeePass. The basic idea is that you only have to remember a single master password [1], which you use to unlock the file with all of your other passwords stored inside. I believe this is a big improvement over using a third-party like LastPass.
One of the bigger annoyances I had over time was around updating my KeePass data. The only way I knew to interact with the tool was through its GUI, which while fully featured, is kind of clunky. It was also annoying to push the password file up and down to my storage server. I wanted to replace it with something simple to use and easy to understand. Being able to use it from the shell would be great too.
A bit of research led to a utility called pass. I'm a couple of months in and extremely pleased with its performance so far.
Here is why this tool is a great fit:
- Simplicity: this tool is a bash script calling out to a handful of well-known tools, which makes it very easy to reason about and understand
- Portability: each password is stored in a separate file [2], the scripts are simple to run on other systems and the tools it depends on are widely supported
- Security: pass uses GPG [3], the GNU implementation of the OpenPGP standard.
Manually syncing flat files leaves a lot to be desired. These days I keep my passwords in a private Git repository. Remember, without my GPG key and its passphrase, the passwords in that repository are just encrypted blobs. Any machine that can authenticate to the repository can pull the password store, making my workflow easy to use across multiple machines.
With a little work upfront, I've set up a much more secure system to manage my passwords. It is also trivial now for me to write a bash script that replaces old passwords every couple of weeks! This is not perfect security, but it goes a long way. I also highly encourage the use of 2FA to protect yourself in the event that one of your passwords is compromised.
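The bi-weekly replacement script mentioned above, written out as an added example (this is not code from pass or from the original post). It assumes the default store layout of one <entry>.gpg file per password under $PASSWORD_STORE_DIR (default ~/.password-store), uses the file modification time to decide what is stale, and relies on the upstream `pass generate --in-place` option; the 32-character length and the entry names in the comments are my own choices.

```shell
#!/bin/sh
# Added example (not part of pass or the original post): find pass entries
# whose encrypted file has not changed in N days and regenerate them in place.
# Assumes the default store layout of one <entry>.gpg file per password under
# $PASSWORD_STORE_DIR (default ~/.password-store).

STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# stale_entries STORE_DIR DAYS
# Prints one pass entry name per line (path relative to the store, without
# the .gpg suffix) for every file last modified more than DAYS days ago.
# The file mtime is used because pass rewrites the file on every change.
stale_entries() {
    dir="$1"; days="$2"
    find "$dir" -type f -name '*.gpg' ! -path '*/.git/*' -mtime +"$days" |
    while IFS= read -r f; do
        rel="${f#"$dir"/}"
        printf '%s\n' "${rel%.gpg}"
    done | sort
}

# rotate_stale STORE_DIR DAYS [DRY_RUN]
# Generates a fresh 32-character password for each stale entry with
# `pass generate --in-place`, which replaces only the first line of the entry
# and keeps any extra lines (username, notes). When the store is a git
# repository pass commits the change itself. With DRY_RUN=1 it only reports.
# Prints the number of stale entries as its last line.
rotate_stale() {
    dir="$1"; days="$2"; dry="${3:-0}"
    list=$(stale_entries "$dir" "$days")
    if [ -z "$list" ]; then echo 0; return 0; fi
    printf '%s\n' "$list" | while IFS= read -r entry; do
        if [ "$dry" = 1 ]; then
            printf 'would rotate: %s\n' "$entry"
        else
            PASSWORD_STORE_DIR="$dir" pass generate --in-place "$entry" 32 >/dev/null
        fi
    done
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# Usage: report entries untouched for two weeks, then actually rotate them.
# rotate_stale "$STORE" 14 1
# rotate_stale "$STORE" 14
```

Run the dry-run form first and check the list against `pass git log` before letting it touch anything; because pass commits each rewrite, a rotation shows up in the repository history like any other change.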
Some words of advice:
- Keep a secure backup of your key material. If you lose the skeleton key, you lose access to all the stuff in your password store!
- Even with good tooling, a potentially compromised machine won't do much to protect your data. Be mindful of any machines you store or generate GPG keys on, who has access to them, et cetera.
- It is worth taking a little time to understand the basics of GPG, asymmetric crypto, and the shell before you adopt this toolchain.
1) KeePass also lets you feed it a key file.
2) Pass is a great example of the Unix philosophy in action. As a set of guiding principles, they're invaluable to any developer.
3) GPG is a pretty interesting piece of software, both for its philosophies like web of trust and for the political struggle endured by its author Phil Zimmermann, at a time when the US government tried to outlaw publishing cryptography online. I am incredibly grateful to folks like Mr. Zimmermann, who dedicated so much time and energy to preserving our online freedoms and empowering us with better tools to stay safe.