For the past few years, the list of passwords I use for all the various websites, servers, and applications has been growing ever longer. Some people limit themselves to 3-4 passwords, or a handful of formulas for password generation. I used to do that, but it's insecure, and when you control the fate of numerous servers, it's irresponsible. These days, I generally create new passwords at random, and replace them every 3-4 months.
Every flavour of linux has its own system for managing passwords; for example, KDE has KWallet; Gnome has Keyring. Tuesday I started playing with Fedora for the first time in years, and discovered yet another way:
System > Preferences > System > Authorizations (polkit-gnome-authorization). And, of course, even Mozilla (Firefox, Thunderbird) handles password management like this... but each application has its own repository, and each one will get out of sync in time.
So, for a password management system that doesn't care about window manager, application, or even OS (this works with under cygwin on Windows, too), I've designed my own method.
How do you remember 100s of passwords which have nothing in common? Store them in a database, encrypted by a passphrase/password, then use a simple query engine to retrieve them.
Here's how it works, and how you can set up something similar.
First, define these 3 scripts.
#!/bin/bash
# PWget.sh -- optionally pull the latest encrypted password file from the home server
dir=/home/user/passwds
mkdir -p "$dir"
echo -n "Retrieve latest? [y/N] "
read yn
if [[ $yn == "y" ]]; then
    scp user@home-server:$dir/passwds.cpt "$dir"
fi

#!/bin/bash
# PWsearch.sh -- decrypt to stdout (ccrypt -c) and filter; the plaintext never touches disk
file="/home/user/passwds/passwds.cpt"
ccrypt -c "$file" | grep -i "$1"

#!/bin/bash
# PWedit.sh -- decrypt in place, edit, re-encrypt (the plaintext sits on disk while vi is open)
file="/home/user/passwds/passwds"
ccrypt -d "$file.cpt"
vi "$file"
ccrypt -e "$file"
Next, define 2 aliases -- one for password lookup, and one to modify the encrypted password file. I use ~/.alias, which I load as part of my ~/.bashrc file.
alias PW='/home/user/passwds/PWsearch.sh'   # whatever follows PW on the command line is appended as $1
alias PWE='~/PWDs/PWedit.sh'
Now, on the home server, I can run `PW eclipse` to decrypt the file, look up any lines in the password file with "eclipse" in them, and return those entries to me. Or, I can run `PW | more` with no search term to display the entire file (paged with `more`). To modify the file, I use `PWE` to decrypt, edit, and re-encrypt the file. I also periodically save this file into my CVS repository (`cvs add -kb passwds.cpt; cvs ci -m "" passwds.cpt`) so I can track changes.
Well, you think, that's great for a single system, but I need my passwords on 3 or 4 different systems. Plus, my home server may or may not always be accessible (e.g., only when I'm on my home network).
So, on each additional system, we start with the same three bash scripts.
Next, define a different version of the `PW` alias:
alias PW='/home/user/passwds/PWget.sh; /home/user/passwds/PWsearch.sh'   # the search term typed after PW is appended to the last command
Now, on any other server which can reach the home server over ssh, `PW eclipse` can be used to (optionally) retrieve the latest version of the password file, then search it as in the example above. Can't reach the home server? That's fine, we keep a local cache of the encrypted password file -- good enough until the next sync.
Voila! Centralized encrypted password management for Windows & Linux clients!
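The fetch/search/edit workflow above, rewritten as one set of shell functions. This is an added example, not the post's own scripts: it adds what a practitioner would want on top of them, namely a fetch that only replaces the cache when the copy actually arrived and otherwise falls back to the cached file with a distinct exit code, a search that keeps the plaintext on stdout only, and an edit path that decrypts into a mode-0600 temp file and removes it even if the editor fails. `PW_DIR`, `PW_REMOTE`, `PW_FETCH_CMD`, `PW_CAT_CMD` and the `pw_*` function names are assumptions chosen here; the cipher commands (`ccrypt -c`, `ccrypt -e`) are the ones the post uses.

```shell
#!/bin/bash
# Added example (not from the original post). Assumes ccrypt is installed.
# PW_DIR, PW_REMOTE, PW_FETCH_CMD and PW_CAT_CMD are hypothetical names
# chosen for this example; the defaults mirror the post's paths.

PW_DIR="${PW_DIR:-$HOME/passwds}"
PW_FILE="$PW_DIR/passwds.cpt"
PW_REMOTE="${PW_REMOTE:-user@home-server:/home/user/passwds/passwds.cpt}"
# Command that copies the remote file to a local path. Overridable so the
# fallback logic can be exercised without a network (e.g. PW_FETCH_CMD=cp).
PW_FETCH_CMD="${PW_FETCH_CMD:-scp -o ConnectTimeout=5}"
# Command that writes the decrypted store to stdout (ccrypt -c asks for the key).
PW_CAT_CMD="${PW_CAT_CMD:-ccrypt -c}"

# pw_fetch: refresh the local cache from the home server.
#   returns 0 if the cache was updated,
#           1 if the fetch failed but a cached copy exists (keep using it),
#           2 if there is no usable copy at all.
pw_fetch() {
    mkdir -p "$PW_DIR" && chmod 700 "$PW_DIR"
    local tmp
    tmp="$(mktemp "$PW_DIR/.fetch.XXXXXX")" || return 2
    if $PW_FETCH_CMD "$PW_REMOTE" "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        mv -f "$tmp" "$PW_FILE"      # only overwrite the cache on a complete copy
        return 0
    fi
    rm -f "$tmp"
    if [ -s "$PW_FILE" ]; then
        echo "warning: home server unreachable, using cached copy" >&2
        return 1
    fi
    echo "error: no cached password file at $PW_FILE" >&2
    return 2
}

# pw_search [PATTERN]: decrypt to stdout and filter case-insensitively.
# An empty pattern prints every entry (the post's "PW | more" usage).
pw_search() {
    $PW_CAT_CMD "$PW_FILE" | grep -i -- "${1:-}"
}

# pw_edit: decrypt into a 0600 temp file, edit, re-encrypt, clean up on any exit.
pw_edit() {
    (
        umask 077
        local tmp
        tmp="$(mktemp "$PW_DIR/.edit.XXXXXX")" || exit 1
        trap 'rm -f "$tmp" "$tmp.cpt"' EXIT
        ccrypt -c "$PW_FILE" > "$tmp" || exit 1
        "${EDITOR:-vi}" "$tmp" || exit 1
        ccrypt -e "$tmp" || exit 1        # writes $tmp.cpt and removes $tmp
        mv -f "$tmp.cpt" "$PW_FILE"
    )
}
```

Usage matches the post's aliases: `pw_fetch; pw_search eclipse` on a client, `pw_edit` to change an entry. The distinct return codes from `pw_fetch` let a wrapper decide whether a stale cache is acceptable rather than silently continuing after a failed `scp`, which the original one-liner does.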
So, what handles the encryption, and how secure is it?
ccrypt is based on the Rijndael block cipher, which was also chosen by the U.S. government as the Advanced Encryption Standard (AES, see http://www.nist.gov/aes/). This cipher is believed to provide very strong cryptographic security.
If your linux or cygwin distro doesn't include ccrypt in its repositories, here are a couple places you can find it: