akuchling: Sherlock Hemlock (Default)
We're supposed to use long and random-looking passwords instead of short memorable ones. Sharing the same passwords across multiple sites is also bad. There are a variety of password management programs such as KeePassX that will keep an encrypted database of passwords for you, but I'm a command-line person. Here's what I do.

First, I installed the EasyPG mode for Emacs that allows transparently editing GPG-encrypted files. Emacs will prompt you for the encryption passphrase when you open a file named something.gpg, and prompt for a new passphrase when you save the file. Enabling it is easy once the necessary Elisp files have been installed; just add (require 'epa-file) (epa-file-enable) to your ~/.emacs file.

Second, create an encrypted password file in this format:

Site          user id     password
MyBank.com    joeuser     password
Facebook      joe.user    password2

The only requirement is that the information for each site is kept on one line, because we'll be grepping it later. You can also add headers, additional info such as security questions, or whatever. Mine is grouped into sections for financial accounts, social accounts, shopping accounts, etc.

Third, add this to your ~/.bashrc:

function readpass () {
  # Change the file path in the next line to match your location.
  GPGCMD="gpg -o - --no-mdc-warning ${HOME}/.PASSWORD.gpg"
  if [ "$1" ] ; then
    # Show the lines matching the search string (case-insensitive).
    output=$($GPGCMD | grep -i "$1")
    echo "$output"
    # Copy the password (last field) of the first match to the clipboard.
    echo "$output" | head -1 | awk '{print $NF}' | pbcopy
  else
    # No search string: page through the whole decrypted file.
    $GPGCMD | less
  fi
}

This makes a 'readpass' function that will invoke GPG to decrypt the file, and GPG will prompt you for the passphrase. If you just do 'readpass' in your shell, the entire file is piped to 'less' and you can page through it and search. If you do 'readpass mybank', the file is searched case-insensitively for the string and only the first matching line is output; generally it's pretty easy to get the right search substring for the password you want. The last field of the line is piped into 'pbcopy', which is a MacOS tool that puts stdin into the system clipboard. (For Linux, consult this list of alternatives to pbcopy.)
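
A stricter lookup for the same one-line-per-site file, as an added example that is not the author's code: it copies a password only when exactly one entry matches and never prints a password to the terminal. The names pick_password and readpass_strict are hypothetical, SAMPLE_DB is constructed data, and the gpg invocation and file path are assumed to be the ones used in readpass above.

```bash
# Added example, not the author's code. pick_password and readpass_strict
# are hypothetical names; SAMPLE_DB is constructed test data.

# Read the decrypted file on stdin and print the password (last field) of
# the one line matching $1, case-insensitively. Nothing is printed on
# stdout unless exactly one entry matches.
# Exit status: 0 one match, 1 no match, 2 ambiguous, 64 missing argument.
pick_password() {
  [ -n "$1" ] || { echo "usage: pick_password STRING" >&2; return 64; }
  # Pass the query through the environment so awk does not interpret
  # backslashes or regex metacharacters in it.
  QUERY="$1" awk '
    BEGIN { q = tolower(ENVIRON["QUERY"]) }
    # Entries have at least site, user id and password on one line.
    NF >= 3 && index(tolower($0), q) { n++; sites = sites " " $1; pw = $NF }
    END {
      if (n == 1) { print pw; exit 0 }
      if (n == 0) { print "no match" | "cat 1>&2"; exit 1 }
      # Report only the site names, never the passwords.
      print "ambiguous:" sites | "cat 1>&2"; exit 2
    }'
}

# Decrypt, select, and copy without echoing the password. The body is a
# subshell, so $pw does not linger in the interactive shell afterwards.
readpass_strict() (
  pw=$(gpg -o - --no-mdc-warning "${HOME}/.PASSWORD.gpg" |
       pick_password "$1") || exit
  printf '%s' "$pw" | pbcopy
)

# Constructed sample in the file format shown above.
SAMPLE_DB='Site   user id    password
MyBank.com    joeuser    hunter2-constructed
Facebook   joe.user    tr0ub4dor-constructed'
```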

I haven't yet gotten annoyed enough to automate the generation of random passwords. Probably I'd write a make-random-password Elisp function and then just invoke it with M-x make-random-password.

I also don't mind retyping my GPG password; I could probably reduce the frequency by generating a new public key for myself and then using public-key instead of symmetric encryption. That way only opening the file would need the passphrase and saving the file would just use my public key.


Page generated Sep. 25th, 2017 01:32 pm