How I manage my passwords

My requirements

  1. No third-parties

    I don't want to put my trust in any third party, be it Google/Mozilla (via passwords saved in the browser) or a dedicated password manager like KeePass.

  2. Simplicity

    Simple tools are easier to understand and bend to my will. It also means I'll be able to intervene when something goes wrong.

  3. Composability

    I should be able to make the tool a part of my forever changing workflow. It should play nice with presence/absence of other tools.

Tools I chose

  1. Pass - The simple password manager

    I think it is as simple as it gets. A password store in pass is a git repo (so a directory) which contains gpg-encrypted files. Each file represents one set of credentials and can contain any plain text, not just the password and username; e.g. I often end up storing recovery codes for accounts in these.

    There are no third parties involved, encryption happens on my machine, and I can store my password store anywhere I want (e.g. a private git repo on GitHub).

    Most pass operations are convenience wrappers around basic operations provided by other tools; e.g. edit = decrypt a file + open it in an editor + re-encrypt + git commit.

    Pass has a whole ecosystem of tools written around it, which makes it an easy choice considering how much work it saves me when integrating it in my workflow.

  2. rofi-pass - Rofi-based UI for pass for desktop

    Rofi is a lightweight popup choice-selection UI which has so far worked out of the box on all window managers I have used. rofi-pass extends rofi with:

    1. Ability to search and select credentials stored in pass
    2. Auto-fill credentials into any GUI app

  3. fireword - Converting easy-to-remember passwords to hard-to-crack ones

    Not all credentials need to be saved. Occasionally I need to create throwaway accounts, for which I like to keep easy-to-guess (for me) passwords. But I want even these passwords to be opaque (so that analyzing them wouldn't reveal a theme in my throwaway passwords).

    Fireword is a small script I wrote many years ago which creates insane passwords from any string. Even a single-character change in the input produces wildly different output. So instead of using a plain easy-to-guess password directly, I give it to fireword and use the output instead.

    For example, pass becomes 5B72?[30:F but passs is 3Ec012aD5(.
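    fireword itself is the author's script and the post does not give its algorithm. As an added illustration of the same idea (not the author's code), the Python below turns a memorable seed into an opaque password of a chosen length with scrypt, so that one changed character in the seed changes most of the output. The salt value, the function names and the 94-character alphabet are assumptions of this example; it will not reproduce the 5B72?[30:F output shown above.

```python
import hashlib
import string

# Characters a generated password may contain: letters, digits and ASCII
# punctuation, so the result looks as opaque as the 5B72?[30:F example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, per-user salt (an assumption, not a value from the post).
# Anyone who knows the scheme AND this salt can re-derive passwords from a
# guessed seed, so keep it private, e.g. only on your own machines.
SALT = b"example-fireword-salt-change-me"


def _byte_stream(seed: str, block: int):
    """Yield bytes of an scrypt-stretched key derived from SEED.
    BLOCK is a counter so that more bytes can be produced if the
    rejection sampling in derive() runs out."""
    key = hashlib.scrypt(seed.encode("utf-8"),
                         salt=SALT + block.to_bytes(4, "big"),
                         n=2 ** 14, r=8, p=1, dklen=64)
    yield from key


def derive(seed: str, length: int = 10) -> str:
    """Map an easy-to-remember SEED to an opaque password of LENGTH chars.

    Rejection sampling keeps every alphabet character equally likely:
    a byte is used only if it is below the largest multiple of
    len(ALPHABET) that fits in 0..255, otherwise it is skipped."""
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        for b in _byte_stream(seed, block):
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def differing_positions(a: str, b: str) -> int:
    """Count positions at which two equal-length passwords differ; used
    to show that a one-character change in the seed alters most output."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    for seed in ("pass", "passs"):
        print(f"{seed!r:8} -> {derive(seed, 10)}")
```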

  4. Android Password Store - Android app for accessing pass

    Android Password Store lets me use the passwords I create/edit on my desktop on my mobile and tablet. I use syncthing to sync my password store to my mobile devices.

Workflow

Add/edit/delete a password

For all these operations I use the pass CLI. It is simple and intuitive, and mostly just delegates to other Linux utilities. For example, deleting the password for my my-acc account on example.com is pass rm example.com/my-acc, and deleting all accounts on example.com is pass rm -r example.com.

I used to use pass generate for creating new passwords, which creates cryptic, hard (impossible?) to crack strings. Over time, however, I have come to prefer passphrases which are easy to type by hand. I pick 3-4 words that come to mind at the time and make a loose sentence out of them to create a new password, for example libauvutilcelingfan.

Using a password

Using the pass CLI to retrieve a password gets tedious quickly, and retrieving a password is much more common than adding/editing/deleting one. So I use rofi-pass.

It gives me a nice prompt to search and select the credentials I want, and autofills them. It is smart enough to recognize that credentials are more than just a password; so if you edit your password file to look like:

mypassword

user: myuser
some-other-key: some-val

rofi-pass will allow you to select a key and auto-type its value. It recognizes the first line as the password, and uses the value of the user key to autotype both username and password in forms which ask for the username first and then the password (on the same form).

Throwaway passwords

I don't "install" fireword since it is just a self-contained Python script. But because throwaway passwords, although temporary, tend to be entered frequently (private browsing), I have created a small command in my StumpWM configuration to make this easy.

(defvar spook/fireword-bin "~/Documents/work/fireword/fireword")

;; Single-quote STR for the shell so a password containing spaces or shell metacharacters reaches fireword verbatim (a ' inside becomes '\'').
(defun spook/shell-quote (str)
  (with-output-to-string (out)
    (write-char #\' out)
    (loop for ch across str do (if (char= ch #\') (write-string "'\\''" out) (write-char ch out)))
    (write-char #\' out)))

(defcommand fireword (pass len)
  ((:password "Password: ")
   (:number "Length: "))            ; plain prompt: the length is not a secret
  (run-shell-command (format nil "~a ~a ~a | xclip -sel clip"   ; note: the seed is visible in the shell's argument list (ps) while it runs
                             spook/fireword-bin (spook/shell-quote pass) len)))

(define-key *top-map* (kbd "s-P") "fireword")

In the end I get a nice prompt on pressing s-P to enter my password and desired length, and the fireword output is copied to the clipboard, which I then paste into a private browser window.