Best Practices: Passwords

December 03, 2010

When I decided to start working for myself, I felt I needed to establish best practices as soon as possible, while I still had time. My clients would be trusting me with their information and with access to their systems, and I wanted to make sure I was being responsible.

Password management is one area I targeted. Even if you aren't in business for yourself, being secure online basically requires a good password management scheme.

Existing Options

There are a lot of solutions and partial solutions out there. For example, browsers will remember arbitrary passwords for you, but that is only convenient when you are using that browser. Many of my passwords are for ssh accounts, and I planned on using multiple users on my laptop.

Other third-party solutions exist, like Splash Data and 1Password. My problem with their approach was that it was not clear how to back up and recover the data across computers. As I will write about soon, backups are one of the other best practices I focused on.

Rolling Your Own

I talked to my resident cryptography expert Douglas Stebila about how he was using a simple system which seemed to fit my requirements. It was easy to use, easy to back up, and completely transparent.

This approach is best for those who understand the command line, shell scripts and grep, and who are using Unix-compatible systems like Linux or Mac OS X. Cygwin would also work.

The core idea is to store all your passwords in an OpenSSL-encrypted file. You decrypt the file and pass it through grep to look up passwords. I use a format of "description: password", but everything is customizable. I implemented a series of shell scripts and one Python script to make it all work.

First, let's look at the passwords script.

#!/bin/bash
# Decrypt the archive (openssl prompts for the master password) and search it
# case-insensitively. The quotes keep a multi-word or empty search term from
# being split or dropped by the shell; "--" keeps a term starting with "-"
# from being read as a grep option.
openssl enc -d -aes128 < /somewhere/accessible/passwords.aes128 | grep -i -- "$1"

# Usage: passwords blah
#   password: <Enter master password>
# Finds all descriptions or passwords with "blah" in them

I make sure that the passwords script is always on the path and the passwords.aes128 file is accessible. It is important you make sure your master password is a strong password since it protects everything.

The master password is really just the password you encrypt the passwords.aes128 file with, so when you are editing it and re-encrypting it, make sure you don't mistype it or you could lose your password archive. Again, a backup strategy is important.

I manage the file with a set of scripts. First there are passwords-decompress and passwords-edit:

#!/bin/bash
# passwords-decompress: decrypt the archive into a plaintext working copy
openssl enc -d -aes128 < /somewhere/accessible/passwords.aes128 > /somewhere/accessible/passwords.aes128.decrypted

#!/bin/bash
# passwords-edit: open the plaintext working copy in an editor
vi /somewhere/accessible/passwords.aes128.decrypted

Most of these scripts exist just so I don't need to remember paths and arguments. I want adding passwords to be as easy as possible. To generate a new password I use something like the following Python script.

import random

# 62 alphanumeric symbols; 8 of them chosen uniformly give roughly 47 bits.
# random.choice is a convenience PRNG, not a cryptographic one (see below).
chars = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"

if __name__ == "__main__":
    print("Password Helper. Albert O'Connor. 2010")

    desc = input("Enter password description: ")

    # Build an 8-character password one random character at a time
    password = ""
    for i in range(8):
        password += random.choice(chars)

    # This "description: password" line is the archive's entry format
    print("%s: %s" % (desc, password))

The last line this script prints out is what I copy and paste into the passwords file. If you want to be more secure about it, you can use Python Cryptography's Random. Once I have edited the decrypted passwords to my satisfaction, I run passwords-compress.

#!/bin/bash
# passwords-compress: re-encrypt the working copy (openssl asks for the
# master password twice) and overwrite the archive with the result
openssl enc -e -aes128 < /somewhere/accessible/passwords.aes128.decrypted > /somewhere/accessible/passwords.aes128

This is where you have to be careful: consistently mistyping your master password (openssl asks for it twice, so a single typo is caught, but the same typo twice is not) leads to an archive you cannot open. I always test out the new password I added with passwords before backing up with passwords-backup.

#!/bin/bash
# passwords-backup: keep a local copy and push a copy off site;
# only the encrypted archive ever leaves the machine
cp /somewhere/accessible/passwords.aes128 /somewhere/accessible/passwords.aes128.backup
scp /somewhere/accessible/passwords.aes128 user@server.org:~/backup/

This makes a local and an off-site backup of the encrypted file. Finally I clean up with passwords-cleanup:

#!/bin/bash
# passwords-cleanup: securely delete the plaintext working copy
srm /somewhere/accessible/passwords.aes128.decrypted

Leaving decrypted versions of your passwords file around totally defeats the purpose. Now whenever you need a password, open a prompt, type passwords blah, enter your master password, and you will get all your entries matching blah. Close the terminal when you are done, though!
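The whole cycle above (generate, look up, decompress, edit, compress, back up, clean up) as one POSIX shell script, added here as an example; this is my code, not the author's scripts. It keeps the author's design and adds the checks I would want before trusting it: the search term is quoted, the key is derived with PBKDF2 (assumes OpenSSL 1.1.1 or newer), the plaintext lives in an owner-only temp file that is wiped by a trap even when the editor or openssl fails, the master passphrase is entered twice, and the archive is only replaced after the new ciphertext has been decrypted again and compared byte-for-byte with the plaintext, which is the automated form of "test the new entry before backing up". The generator draws from /dev/urandom, which is the kernel CSPRNG, instead of Python's random module. PASSWORDS_STORE, PASSWORDS_BACKUP_HOST and PASSWORDS_MASTER are names I chose; the default store path is a placeholder.

```shell
#!/bin/sh
# Added example (not the author's scripts): the OpenSSL + grep password store
# with round-trip verification, private temp files and cleanup on error.
# Assumes openssl 1.1.1+ for -pbkdf2. The master passphrase travels in the
# environment variable PASSWORDS_MASTER so the functions also work
# non-interactively; prompt_master fills it in from a silent prompt.
set -u
umask 077                                         # files we create are owner-only

: "${PASSWORDS_STORE:=${HOME:-/tmp}/.passwords.aes}"   # encrypted archive (placeholder path)
: "${PASSWORDS_BACKUP_HOST:=}"                          # e.g. user@server.org; empty = no scp

# Random alphanumeric password, $1 characters long (default 16), drawn from
# the kernel CSPRNG rather than a non-cryptographic PRNG.
gen_password() {
    LC_ALL=C tr -dc '0-9A-Za-z' </dev/urandom | head -c "${1:-16}"
    echo
}

# Read the master passphrase twice with echo off; a mismatch aborts, which
# is what catches a typo before anything gets encrypted with it.
prompt_master() {
    stty -echo
    printf 'Master password: '; read -r p1; echo
    printf 'Again: ';           read -r p2; echo
    stty echo
    [ "$p1" = "$p2" ] || { echo "passphrases differ" >&2; return 1; }
    PASSWORDS_MASTER=$p1; export PASSWORDS_MASTER
}

# AES-256-CBC with a random salt and PBKDF2 key derivation, stdin to stdout.
enc() { openssl enc -e -aes-256-cbc -salt -pbkdf2 -pass env:PASSWORDS_MASTER; }
dec() { openssl enc -d -aes-256-cbc -pbkdf2 -pass env:PASSWORDS_MASTER; }

# Case-insensitive search without ever writing plaintext to disk;
# "--" keeps a term such as "-v" from being parsed as a grep option.
lookup() { dec <"$PASSWORDS_STORE" | grep -i -- "$1"; }

# Decrypt into a private temp file for editing; prints the file's path.
decompress() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/passwords.XXXXXX") || return 1
    dec <"$PASSWORDS_STORE" >"$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Re-encrypt the plaintext in $1, but replace the archive only after the new
# ciphertext decrypts back to exactly the same bytes. The previous archive is
# kept as .prev, so a bad write can never leave you with an unopenable store.
compress() {
    plain=$1; new="$PASSWORDS_STORE.new"
    enc <"$plain" >"$new" || { rm -f "$new"; return 1; }
    if ! dec <"$new" | cmp -s - "$plain"; then
        rm -f "$new"
        echo "round-trip check failed; archive left untouched" >&2
        return 1
    fi
    if [ -f "$PASSWORDS_STORE" ]; then
        cp "$PASSWORDS_STORE" "$PASSWORDS_STORE.prev" || { rm -f "$new"; return 1; }
    fi
    mv "$new" "$PASSWORDS_STORE"
}

# Local and off-site copies of the encrypted archive only; plaintext stays put.
backup() {
    cp "$PASSWORDS_STORE" "$PASSWORDS_STORE.backup" || return 1
    if [ -n "$PASSWORDS_BACKUP_HOST" ]; then
        scp "$PASSWORDS_STORE" "$PASSWORDS_BACKUP_HOST:backup/"
    fi
}

# Wipe the plaintext with a secure-delete tool when one exists, else rm.
cleanup() {
    if command -v srm >/dev/null 2>&1; then srm "$1"
    elif command -v shred >/dev/null 2>&1; then shred -u "$1"
    else rm -f "$1"
    fi
}

# Whole edit cycle: decrypt, edit, verify and re-encrypt, back up, wipe.
# The trap wipes the plaintext even if the editor or openssl fails.
edit() {
    tmp=$(decompress) || return 1
    trap 'cleanup "$tmp"' EXIT INT TERM
    "${EDITOR:-vi}" "$tmp" && compress "$tmp" && backup
}

case "${1:-}" in
    gen)    gen_password "${2:-16}" ;;
    lookup) prompt_master && lookup "${2:?search term required}" ;;
    edit)   prompt_master && edit ;;
    '')     ;;   # no arguments: just define the functions (e.g. when sourced)
    *)      echo "usage: $0 gen [length] | lookup <term> | edit" >&2; exit 2 ;;
esac
```

Run it as `sh passwords.sh gen`, `sh passwords.sh lookup github` or `sh passwords.sh edit`. The -pbkdf2 flag matters: without it, openssl enc derives the key from the passphrase with a single hash pass, which makes an offline guessing attack against a weak master password cheap, and the author's point that everything rests on that one password applies doubly. The .prev copy is not a substitute for the off-site backup; it only guarantees that the last archive you could open is still on disk after a failed re-encryption.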

No matter what, if you will be freelancing in a digital world, keeping track of passwords is something you have to do. This method is simple and highly usable, and the encryption is secure enough for the NSA. If it doesn't suit your taste, employ another one; just make sure you are using one.


Tweet comments, corrections, or high fives to @amjoconn