I don't want to put my trust in any third party. Be it Google/Mozilla (via saved passwords in browser), or some dedicated password manager like KeyPass.
Simple tools are easier to understand and bend to my will. It also means I'll be able to intervene when something goes wrong.
I should be able to make the tool a part of my forever changing workflow. It should play nice with presence/absence of other tools.
Tools I chose
Pass - The simple password manager
I think it is as simple as it gets. A password-store in pass is a git repo (so a directory) which contains gpg encrypted files. Each file represent one set of credentials, and can contain all the plain-text, not just password and username. E.g I often end up storing recovery codes for accounts in these.
There are no third-parties involved, encryption happens on my machine, and I can store my password store anywhere I want (e.g a private git repo on github).
Most pass operations are convenience wrappers on basic operations provided by other tools; e.g
edit = decrypting a file + open it in an editor + re-encrypting + git-commit.
Pass has a whole ecosystem of tools written around it, which makes it an easy choice considering how much work it saves me when integrating it in my workflow.
rofi-pass - Rofi-based UI for pass for desktop
Rofi is a lightweight popup choice-selection UI, which has so far worked out-of-the-box on all window-managers I have used. rofi-pass extends rofi with:
- Ability to search and select credentials stored in pass
- Auto-fill credentials into any GUI app
fireword - Converting easy-to-remember passwords to hard-to-crack ones
Not all credentials need to be saved. Occasionally I need to create throwaway accounts, for which I like to keep easy-to-guess (for me) passwords. But I want even these password to be opaque (so analyzing them wouldn't reveal a theme of my throwaway passwords).
Fireword is a small script I wrote many years ago which create insane passwords from any string. Even a single change of character in a string creates wildly different output. So instead of passing a plain easy-to-guess password, I give them to fireword and use its output.
Android Password Store - Android app for accessing pass
Password store on android allows using the passwords I create/edit on my desktop on my mobile and tablet. I use syncthing to sync my password store to my mobile devices.
Add/edit/delete a password
For all these operations, I use the
pass cli. It is simple and intuitive, and
mostly just delegates to other Linux utilities. For example, deleting a password
for my-acc account in example.com is
pass rm example.com/my-acc; and
deleting all accounts in example.com is
pass rm -r example.com.
I used to use
pass generate for creating new passwords, which creates cryptic
hard (impossible?) to crack strings. Over time however, I have come to prefer
password phrases which are easy to type by hand. I pick 3-4 words that come to
my mind at a time, and make a loose sentence out of them to create a new
password. For example
Using a password
pass CLI for using a password gets tedious quickly. Using a password is
much more common than adding/editing/deleting one. So I use rofi-pass.
It gives me a nice prompt to search and select the credentials I want, and autofills them. It is smart enough to recognize that credentials are more than just a password; so if you edit your password file to look like:
mypassword user: myuser some-other-key: some-val
rofi-pass will allow you to select the key and auto-type its value. It
recognizes first line as the password, and a value with
user key to autotype
both username and password in forms which ask for first username and then
password (on the same form).
I don't "install" fireword since it is just a self-contained python script. But because throwaway passwords, although temporary, tend to be entered frequently (private browsing), I have created a small command in my stumpwm configuration to make it easy.
(defvar spook/fireword-bin "~/Documents/work/fireword/fireword") (defcommand fireword (pass len) ((:password "Password: ") (:password "Length: ")) (run-shell-command (format nil "~a ~a ~a | xclip -sel clip" spook/fireword-bin pass len))) (define-key *top-map* (kbd "s-P") "fireword")
In the end I get a nice prompt on pressing
C-P to enter my password and
desired length, get the fireword copied to clipboard which I then paste in a
private browser window.