Posts about passwords

Password databases: updating master key

It's been five years since I created my Unix password store (password-store), encrypted with my GPG key pair. That key expired and now I need to update my database to a new master key.

Now is also a good time to clear out the git history. My key has not (to my knowledge) been compromised, so I don't need to remove all instances of passwords encrypted with the old key, but it will be nice to clear out the old history.

Read more…

ssh-pass

I've been using pass for a while now and I really like it. But I don't like putting passwords or passphrases into my system clipboard if I can help it: writing code to sniff the clipboard is child's play, so I'd like to avoid that attack vector if possible.

One place that I thought would be simple would be the SSH utility to add keys to your SSH Agent: ssh-add. It should be possible to do something like this:

$ pass github/sinewalker | head -1 | ssh-add github/sinewalker

Unfortunately this isn't so: ssh-add doesn't accept your passphrase from STDIN when piped like this.

But, there is a way to do it.

Read more…

Password databases: setting up password-store on a Unix computer

Having covered what pass is, why I'm using it, and the required supporting tools gnupg, git, ssh and a private git remote, it's time to go over how to put the system together.

Setting it all up on a Unix computer is fairly straightforward. Getting it onto an Android device is a bit different. So in this post I'll cover how the pieces of the system fit together, and then walk through setting it up on Unix.

Synchronising your local password-store git repository with your remote store is done a bit differently depending on whether this is the first time you're setting up the remote, or you already have a remote and wish to merge it into your new local copy. I'll cover that too.

Read more…

Password databases: from KeePassX to Unix password store

Passwords. We all have a lot of them to remember — most of us have too many. How do you keep track of them all?

Originally I used to just remember passwords for everything, like most people. I soon found this doesn't scale past about 7 passwords and PINs. Rather than use the same passwords everywhere, I started to keep a secret list of passwords, but it was a pain to keep that list with me, and what if it was discovered?

After keeping my passwords in a GPG-encrypted text file for a few years, I started using a KeePassX database, and that's been pretty successful. I sync the database to my phone so that I can have my passwords with me whenever needed, but it is a little bit clunky to use.

At the recommendation of someone at work, I checked out pass, “the standard Unix password manager”. It offers all the features I've been using from KeePassX for a few years now, only with much better synchronisation based upon git+ssh.

Pass is also integrated into browsers, editors, and even a few operating systems, so it's potentially a lot less clunky and risky to use than how I was using KeePassX with passwords entered via the system clipboard.

This post reviews my password management approaches to date and gives an overview of Pass.

Read more…