Clean Password Management
I can't stand the current push towards online password managers. You're putting all your passwords on someone else's computer (a computer that anyone can access, no less). You not only have no idea how secure your passwords are, but you probably don't even know if your passwords are secured at all! Anyway, on with the article.
I'm going to let you in on a little secret: I have the memory of a goldfish and can't be trusted with important data. That's why I manage passwords: with pass and GPG.
Creating a PGP Key
I use a PGP key to encrypt my passwords. To make a PGP key, you can tryinstalling
gpg from your package manager.
gpg gen-key "Emily's Key"
It asked me to choose a password for the key, then my key was created!
Creating the Password Store
password-store should be available in most package managers. I initialized my password store with:
pass init "Emily's Key"
This creates a folder
~/.password-store and encrypts it with the PGP key
I can add, generate, remove, and move my passwords:
pass insert fav/example.com pass generate email@example.com pass rm firstname.lastname@example.org pass mv fav/example.com new/example.com
info pass for a list of examples.
Keeping my Passwords on a USB Drive
For the novelty of it, let's put the encrypted
.password-store folder onto a USB drive so that your GPG key and passwords aren't always in one place.
Create a directory to use as a mount point:
Plug the USB drive into your computer and mount it on our mount point:
mount /dev/sdX ~/.pass-usb
(Where the X in
sdX is the drive identifier.)
.password-store directory onto the drive (which is now
mv ~/.password-store .pass-usb
And finally tell pass where our new password directory is:
(You may want to put the above line at the bottom of your
Now, if Ronald McDonald breaks into your house, steals your computer and knows your GPG password, he won't be able to read your passwords without the USB drive (but that may be the least of your worries)
Initially I thought this would be a "Well, duh!" kind of article, but after seeing countless ads for online password managers, I figured a counterweight would be nice. Also, well, I just really like pass.
If you're interested in better password management, check out these links:
- Emacs Pass package
- DoD Password Guideline
- The Only Secure Password is the One You Can't Remember
- This XKCD comic
- The Usability of Passwords
- 20 Most Hacked Passwords (Thanks to Ben Brown for the link!)
- How NOT to Store Passwords
Despite what people tell you, I do think we should use randomly-generated passwords. We aren't exactly known for coming up with secure passwords ourselves. Go ahead and try '12345' on any of my old accounts and you'll be logged in! I'd honestly like to be able to come up with secure, memorable passwords every day, but it's so much easier to let my computer do it for me.