Clean Password Management

November 24, 2019

I'm writing this post because of the current push towards online password managers. You're putting all your passwords on someone else's computer (a computer that anyone can access, no less). You not only have no idea how secure your passwords are, but you probably don't even know if your passwords are secured at all! Anyway, on with the article.

I'm going to let you in on a little secret: I have the memory of a goldfish and can't be trusted with any sort of important data whatsoever. That's why I use a clean and sane way to store my passwords: with pass and GPG.


Creating a PGP Key

To encrypt my passwords, I have a PGP key. I created one by installing GPG:

guix package -i gpg

(The packages 'gpg' or 'gpg2' should be available in most package managers)

Then I generated my key with:

gpg quick-gen-key

I was asked to name my key, I put in "Ben's Key" and my key was generated!

Read more about creating keys here.


Creating the Password Store

I installed the pass password manager:

guix package -i password-store

(The packages 'password-store' or 'pass' should be available in most package managers)

Then I initialized my password store with:

pass init "Ben's Key"

This creates a folder ~/.password-store and encrypts it with the GPG key "Ben's Key".

Now I can create, remove, and organize my passwords instantly:

pass insert favorites/example.com
pass generate email/example2.com

Run 'info pass' for a list of examples.


Keeping my Passwords on a USB Drive

For the novelty of it, let's put the encrypted .password-store folder onto a USB drive so that your GPG key and passwords aren't always in one place.

Create a directory to use as a mount point with:

mkdir ~/.pass-usb

Plug the USB drive into your computer and mount it on our mount point:

mount /dev/sdX ~/.pass-usb

(Where the X in 'sdX' is the drive identifier.)

Move the .password-store directory onto the drive (which is now mounted on .pass-usb):

mv ~/.password-store ~/.pass-usb

And finally tell pass where our new password directory is:

export PASSWORD_STORE_DIR="$HOME/.pass-usb/.password-store"

(You may want to put the above line at the bottom of your ~/.bashrc or ~/.profile)

Now, if Ronald McDonald breaks into your house, steals your computer *and* knows your GPG password, he won't be able to read your passwords without the USB drive (but that may be the least of your worries)


Conclusion

Initially I thought this would be a "Well, duh!" kind of article, but after seeing countless ads for online password managers, I figured a counterweight would be nice. Also, well, I just really like pass.

If you're interested in better password management, check out these links:

Despite what people tell you, I do think we should use randomly-generated passwords. We aren't exactly known for coming up with secure passwords ourselves. Go ahead and try '12345' on any of my old accounts and you'll be logged in! I'd honestly like to be able to come up with secure, memorable passwords every day, but it's so much easier to let my computer do it for me.

As always, drop me a comment by contacting me directly!