Clean Password Management
November 24, 2019
I'm writing this post because of the current push towards online password managers. You're putting all your passwords on someone else's computer (a computer that anyone can access, no less). You not only have no idea how secure your passwords are, but you probably don't even know if your passwords are secured at all! Anyway, on with the article.
I'm going to let you in on a little secret: I have the memory of a goldfish and can't be trusted with any sort of important data whatsoever. That's why I use a clean and sane way to store my passwords: with pass and GPG.
Creating a PGP Key
To encrypt my passwords, I have a PGP key. I created one by installing GPG:
guix package -i gpg
(The packages 'gpg' or 'gpg2' should be available in most package managers)
Then I generated my key with:
I was asked to name my key, I put in "Ben's Key" and my key was generated!
Read more about creating keys here.
Creating the Password Store
I installed the pass password manager:
guix package -i password-store
(The packages 'password-store' or 'pass' should be available in most package managers)
Then I initialized my password store with:
pass init "Ben's Key"
This creates a folder ~/.password-store and encrypts it with the GPG key "Ben's Key".
Now I can create, remove, and organize my passwords instantly:
pass insert favorites/example.com pass generate email/example2.com
Run 'info pass' for a list of examples.
Keeping my Passwords on a USB Drive
For the novelty of it, let's put the encrypted .password-store folder onto a USB drive so that your GPG key and passwords aren't always in one place.
Create a directory to use as a mount point with:
Plug the USB drive into your computer and mount it on our mount point:
mount /dev/sdX ~/.pass-usb
(Where the X in 'sdX' is the drive identifier.)
Move the .password-store directory onto the drive (which is now mounted on .pass-usb):
mv ~/.password-store ~/.pass-usb
And finally tell pass where our new password directory is:
(You may want to put the above line at the bottom of your ~/.bashrc or ~/.profile)
Now, if Ronald McDonald breaks into your house, steals your computer *and* knows your GPG password, he won't be able to read your passwords without the USB drive (but that may be the least of your worries)
Initially I thought this would be a "Well, duh!" kind of article, but after seeing countless ads for online password managers, I figured a counterweight would be nice. Also, well, I just really like pass.
If you're interested in better password management, check out these links:
- DoD Password Management Guideline.
- The Only Secure Password is the One You Can't Remember
- This XKCD comic
- The Usability of Passwords
- How NOT to Store Passwords
Despite what people tell you, I do think we should use randomly-generated passwords. We aren't exactly known for coming up with secure passwords ourselves. Go ahead and try '12345' on any of my old accounts and you'll be logged in! I'd honestly like to be able to come up with secure, memorable passwords every day, but it's so much easier to let my computer do it for me.
As always, drop me a comment by contacting me directly!