Clean Password Management
I'm writing this post because of the current push towards online password managers. You're putting all your passwords on someone else's computer (a computer that anyone can access, no less). You not only have no idea how secure your passwords are, but you probably don't even know if your passwords are secured at all! Anyway, on with the article.
I'm going to let you in on a little secret: /I have the memory of a goldfish and can't be trusted with any sort of important data whatsoever/. That's why I use a clean and sane way to store my passwords: with pass and GPG.
Creating a PGP Key
To encrypt my passwords, I have a PGP key. I created one by installing GPG:
guix package -i gpg
(The packages gpg or gpg2 should be available in most package managers)
Then I generated my key with:
gpg --quick-gen-key
I was asked to name my key; I put in "Emily's Key" and my key was generated!
Read more about creating keys here.
Creating the Password Store
I installed the pass password manager:
guix package -i password-store
(The packages password-store or pass should be available in most package managers)
Then I initialized my password store with:
pass init "Emily's Key"
This creates a folder ~/.password-store and sets it up so that everything stored in it is encrypted with the GPG key Emily's Key.
Now I can create, remove, and organize my passwords instantly:
pass insert favourites/example.com
pass generate email/example2.com
Run info pass for a list of examples.
Keeping my Passwords on a USB Drive
For the novelty of it, let's put the encrypted .password-store folder onto a USB drive so that your GPG key and passwords aren't always in one place.
Create a directory to use as a mount point with:
mkdir ~/.pass-usb
Plug the USB drive into your computer and mount it on our mount point:
mount /dev/sdX ~/.pass-usb
(Where the X in sdX is the drive identifier.)
Move the .password-store directory onto the drive (which is now mounted on ~/.pass-usb):
mv ~/.password-store ~/.pass-usb/
And finally tell pass where our new password directory is:
export PASSWORD_STORE_DIR="$HOME/.pass-usb/.password-store"
(You may want to put the above line at the bottom of your ~/.bashrc or ~/.profile)
Now, if Ronald McDonald breaks into your house, steals your computer and knows your GPG password, he won't be able to read your passwords without the USB drive (but that may be the least of your worries).
Conclusion
Initially I thought this would be a "Well, duh!" kind of article, but after seeing countless ads for online password managers, I figured a counterweight would be nice. Also, well, I just really like pass.
If you're interested in better password management, check out these links:
- Emacs Pass package
- DoD Password Management Guideline
- The Only Secure Password is the One You Can't Remember
- This XKCD comic
- The Usability of Passwords
- 20 Most Hacked Passwords (Thanks to Ben Brown for the link!)
- How NOT to Store Passwords
Despite what people tell you, I do think we should use randomly-generated passwords. We aren't exactly known for coming up with secure passwords ourselves. Go ahead and try '12345' on any of my old accounts and you'll be logged in! I'd honestly like to be able to come up with secure, memorable passwords every day, but it's so much easier to let my computer do it for me.
As always, drop me a comment by contacting me via email!