Muto - Blog - Feed

Clean Password Management

I can't stand the current push towards online password managers. You're putting all your passwords on someone else's computer (a computer that anyone can access, no less). You not only have no idea how secure your passwords are, but you probably don't even know if your passwords are secured at all! Anyway, on with the article.

I'm going to let you in on a little secret: I have the memory of a goldfish and can't be trusted with important data. That's why I manage passwords: with pass and GPG.

Creating a PGP Key

I use a PGP key to encrypt my passwords. To make a PGP key, you can tryinstalling gpg from your package manager.

gpg gen-key "Emily's Key"

It asked me to choose a password for the key, then my key was created!

Read more about creating keys here

Creating the Password Store

The package password-store should be available in most package managers. I initialized my password store with:

pass init "Emily's Key"

This creates a folder ~/.password-store and encrypts it with the PGP key Emily's Key!

I can add, generate, remove, and move my passwords:

pass insert  fav/
pass generate  mail/
pass rm  mail/
pass mv  fav/  new/

Run info pass for a list of examples.

Keeping my Passwords on a USB Drive

For the novelty of it, let's put the encrypted .password-store folder onto a USB drive so that your GPG key and passwords aren't always in one place.

Create a directory to use as a mount point:

mkdir ~/.pass-usb

Plug the USB drive into your computer and mount it on our mount point:

mount /dev/sdX ~/.pass-usb

(Where the X in sdX is the drive identifier.)

Move the .password-store directory onto the drive (which is now mounted on .pass-usb):

mv ~/.password-store .pass-usb

And finally tell pass where our new password directory is:

export PASSWORD_STORE_DIR="$HOME/.pass-usb/.password-store"

(You may want to put the above line at the bottom of your ~/.bashrc or ~/.profile)

Now, if Ronald McDonald breaks into your house, steals your computer and knows your GPG password, he won't be able to read your passwords without the USB drive (but that may be the least of your worries)


Initially I thought this would be a "Well, duh!" kind of article, but after seeing countless ads for online password managers, I figured a counterweight would be nice. Also, well, I just really like pass.

If you're interested in better password management, check out these links:

Despite what people tell you, I do think we should use randomly-generated passwords. We aren't exactly known for coming up with secure passwords ourselves. Go ahead and try '12345' on any of my old accounts and you'll be logged in! I'd honestly like to be able to come up with secure, memorable passwords every day, but it's so much easier to let my computer do it for me.