The Sisyphus of our time: trying to safely manage your passwords
I don't know about you, but it's been a long time since I abandoned the idea of trying to memorize my passwords. I try to be safe, and password theft happens so quickly that I don't want to share a password between two entities (for a loose definition of "entities": products, companies, email accounts or administrative services). As a consequence, I need a legion of them.
Moreover, these passwords must be disposable, rather long (fewer than 10 characters is useless nowadays) and completely random to be of any use against brute-force attacks.
Oh, and of course, these passwords are the keys to many personal aspects of my life. They must be stored (or at least backed up) somewhere that belongs to me, and in the foreseeable future I can't accept relying on a commercial entity to keep them for me: what happens if our interests diverge (and they will), or if national law binds the company to give the state access to them? (Yes, USA, I'm looking at you.) So no 1Password for me.
Given all these prerequisites, and the fact that I can barely remember my phone number, let alone tens of strings of characters looking like "4J0,0(J/[aT_!axi:" (yes, I use pwgen with completely random passwords), 6 or 7 years ago I set up a workflow to keep these passwords safe, share them between my machines, or even store them on the net^Wcloud in a non-intrusive way for when I need them.
Just one damn encrypted file and smart tools to handle it
The basic idea is quite simple: put all these passwords in an encrypted file, with cryptographic protection at a level that matches what it protects. I mean, I'm not a spy and don't know any state secrets, I don't need to protect millions of dollars, and most of the passwords in that file grant access to websites like "http://stackoverflow.com/" or "https://issues.scala-lang.org", not something that needs secure tokens on a protected, self-contained device.
But on the other hand, the process to access, add, share and, well, update the damn file must be as easy as possible. I consult the file dozens of times a day, on several machines, add new passwords quite often, revoke or update others… It must be as quick, easy and unobtrusive as possible.
And I’m happy with what the workflow looks like now:
% # get back your passwords
% git pull origin master
% # generate new passwords for new sites
% pwgen
LUP6d*_MvjGp lwK::I91y;Q_ H{(Z5EorHiY! U'4EQX*fjT-} G?'xKNe#ez1. |j8gM]K39r<6 …
% # look at your passwords file
% vim passwords.gpg
You need a passphrase to unlock the secret key for
user: "Francois Armand (fanf) <fanf42@gmail.com>"
2048-bit ELG-E key, …
Enter passphrase:
[edit your file, get or change passwords...]
:x
[the file is automatically encrypted back]
% # update the file and share it
% git commit -am "Changed the password to access my blog"
% git push origin master
Nice! And setting up the tools is quite easy:
- Install GnuPG and create a strong key, protected by a SECURE passphrase. That passphrase is the only thing you need to remember, so put some effort into it; gpg-agent lets you type it only once per session
- Configure Vim to automatically decrypt the file (asking for your passphrase) when it is opened, and to encrypt it back to your own key when it is saved or closed
- Use a private Git repository to version the file and share it between machines and removable devices
Install and configure GPG
There are tons of resources on the internet about that, so here is the bare minimum:
% # install gnupg
% sudo apt-get install gnupg
% # generate a new key - 4096 is a good length
% # (with GnuPG 2.1 and later, --gen-key takes the defaults;
% #  use --full-generate-key to be asked for the key type and size)
% gpg --gen-key
Configure VIM to transparently decrypt .gpg files
This is the interesting part! All you need to do is add the following to your .vimrc:
https://gist.github.com/fanf/bad235a1b587eeb176c0
Note: it seems that there is now a Vim script for that. On Debian, installing the vim-scripts package should bring you the feature directly.
Whichever variant you use, check that it also turns off swap files, backups, undo files and viminfo for *.gpg buffers: otherwise Vim quietly leaves plaintext copies of the file on disk next to the encrypted one, which defeats the whole point.
Use Git to share and version the file
Git is such a wonderful tool that I tend to use it everywhere: I version all my configuration files, personal environment, interesting scripts, notes, anything worth remembering with it. The best part is that it's distributed: if I want to back these things up on a USB key, I plug it in and clone the repo. Sharing on the internet to have global access to non-sensitive data? Just create a GitHub repository, or if you need personal, free, private repositories, use Bitbucket.
Again, resources on Git are everywhere on the internet, so just for reference, it boils down to:
% # initializing
% git init
% git add passwords.gpg
% git commit -m "initial passwords"
% # sharing on a USB stick
% cd /media/myusbkey
% git clone /path/to/the/git/directory
% # done
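The three steps above (GPG key, Vim autocommands, Git repository) put together as one non-interactive script. This is an added example, not the author's own setup or the content of the linked gist: it runs in a throwaway directory so it never touches your real ~/.gnupg, ~/.vimrc or password file, and the key name, e-mail, file layout, .gitignore and sample entry are all assumptions made for the demo. The Vim part follows the classic vim.org "transparent editing of gpg files" tip, with swap, backup, undo and viminfo files disabled so no plaintext is left on disk; the final check verifies that only the ciphertext is tracked and that the plaintext appears nowhere in either working copy.

```shell
#!/bin/sh
# Added example (not the author's scripts): the three setup steps, GPG key,
# vim autocommands and git repository, as one script that works in a
# throwaway directory. Names, paths and the sample entry are demo assumptions.
set -eu

# Step 1: batch-mode key generation. The demo uses 2048-bit RSA and
# %no-protection to avoid prompts; for a real key use 4096 bits and drop
# %no-protection so gpg asks for the passphrase that protects the secret key.
make_key() {            # make_key <email>   (GNUPGHOME must be exported)
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Passwords Demo
Name-Email: $1
Expire-Date: 0
%no-protection
%commit
EOF
}

# Step 2: vim autocommands after the classic vim.org gnupg tip: decrypt on
# read, encrypt to yourself on write, and keep plaintext off disk by disabling
# swap, backup, undo and viminfo files and by filtering through a pipe.
install_vimrc() {       # install_vimrc <vimrc-path>
  cat >>"$1" <<'EOF'
augroup encrypted
  autocmd!
  autocmd BufReadPre,FileReadPre     *.gpg set viminfo=
  autocmd BufReadPre,FileReadPre     *.gpg set noswapfile nobackup nowritebackup noundofile noshelltemp
  autocmd BufReadPre,FileReadPre     *.gpg set bin
  autocmd BufReadPost,FileReadPost   *.gpg '[,']!gpg --quiet --decrypt 2>/dev/null
  autocmd BufReadPost,FileReadPost   *.gpg set nobin
  autocmd BufWritePre,FileWritePre   *.gpg '[,']!gpg --quiet --default-recipient-self --armor --encrypt 2>/dev/null
  autocmd BufWritePost,FileWritePost *.gpg u
augroup END
EOF
}

# Step 3: encrypt the file to yourself and commit only the ciphertext.
init_repo() {           # init_repo <repo-dir> <email> <plaintext-file>
  git init -q "$1"
  git -C "$1" config user.name "Passwords Demo"
  git -C "$1" config user.email "$2"
  # Ignore everything except the ciphertext, so a stray decrypted copy can
  # never be swept in by a careless "git add .".
  printf '*\n!*.gpg\n!.gitignore\n' >"$1/.gitignore"
  gpg --batch --quiet --yes --armor --recipient "$2" \
      --output "$1/passwords.gpg" --encrypt "$3" || return 1
  git -C "$1" add .gitignore passwords.gpg && git -C "$1" commit -q -m "initial passwords"
}

# The checks a practitioner wants: the clone on the "USB key" decrypts back
# to the original, only ciphertext is tracked, and the plaintext appears
# nowhere in either working copy (a vim swap or backup file would be caught).
verify() {              # verify <repo-dir> <usb-dir> <plaintext-file>
  git clone -q "$1" "$2" || return 1
  gpg --batch --quiet --decrypt "$2/passwords.gpg" 2>/dev/null | cmp -s - "$3" || return 1
  [ -z "$(git -C "$2" ls-files | grep -v -e '\.gpg$' -e '^\.gitignore$')" ] || return 1
  ! grep -rqF "$(head -n 1 "$3")" "$1" "$2"
}

run_demo() {            # run_demo <work-dir>; creates gnupg/, vimrc, repo/, usb/
  export GNUPGHOME="$1/gnupg"
  email="demo@example.com"
  make_key "$email" || return 1
  install_vimrc "$1/vimrc" || return 1
  # Constructed sample entry, in the one-file-for-everything layout of the post.
  printf '%s\n' 'https://stackoverflow.com/ login=fanf pass=LUP6d*_MvjGp' >"$1/plain.txt"
  init_repo "$1/repo" "$email" "$1/plain.txt" || return 1
  verify "$1/repo" "$1/usb" "$1/plain.txt" || return 1
  rm -f "$1/plain.txt"                      # the plaintext has done its job
  gpgconf --kill gpg-agent 2>/dev/null || true
}

# "sh passwords-setup.sh demo" runs the whole flow in a fresh temporary directory
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d) && run_demo "$work" && echo "ok: see $work"
fi
```

Run it as `sh passwords-setup.sh demo`; it prints the temporary directory where the key ring, the vimrc fragment, the repository and its "USB" clone were left. The last line of `verify` is the one worth keeping in your own setup: a recursive fixed-string grep for a known entry across every working copy is a cheap way to notice that an editor, a merge tool or a backup job has dropped a decrypted copy somewhere.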
And we are done. We can now (relatively) safely use passwords, until a better, safer, more personal, more secure, simpler authentication method appears and is adopted.
Note: there is a program that does almost this, and it can even really merge passwords with Git, thanks to a tree of directories and files. I prefer having all the passwords in one file (easier for me to find the one I'm looking for) and merging by hand, but for reference (and because it's a very good piece of software), it's here.