Password Management

For the past 10 years I’ve had a headache managing passwords for websites. I had about 7 levels of passwords and I could never decide which one to use on a website. And even once I had decided, I would usually end up typing all of them trying to log in. If any of those sites logged my failed password attempts, it now has what it needs to edit my Facebook profile, watch my Hulu shows, and buy stuff with my PayPal account (true story).

So, I’ve decided to generate a new random password per website and put all my usernames and passwords into an encrypted file on my hard drive. My process was:

# gpg passwords.gpg
# vim passwords
# gpg -c passwords
# rm passwords

This works fine, but sometimes I forget the last 2 steps and have a fully decrypted file sitting there… yeah… and the gpg -c would ask for my password 2 times on top of the first gpg, so I end up typing it 3 times in total.

Enter gpg-encrypt. It’s just a simple shell script that reads in an encrypted file, edits it, then saves it back in an encrypted format.

Every time I have to register for a new website I:

  1. Get a good random password
  2. Run ./gpg-encrypt
  3. Add the new information. I keep my file in YAML format in case I want to read it with a program later. Example:

       : {
         username : ptarjan,
         password : WqgyzN9bJ6Pm
       }

  4. Leave the editor and it goes back to being encrypted.

If I have to log in, I just do the same steps as above, but don’t add anything. I can search using my editor for the domain of the site I’m looking for.

I back up my passwords.gpg file to another computer every time I add a new password, in case my linux box dies.
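As an added example of the decrypt, edit, re-encrypt loop described above (written for this page, not the gpg-encrypt script itself; the names gen_password, tmp_dir and edit_encrypted are made up), the script below keeps the plaintext on RAM-backed /dev/shm when it exists and removes it through an EXIT trap, so an error or early exit cannot leave a decrypted file behind:

```shell
#!/bin/sh
# Added example, not the original gpg-encrypt script: decrypt, edit,
# re-encrypt, and remove the plaintext copy on every exit path.
set -eu

# Step 1 of the post: a random alphanumeric password drawn from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-12}"
}

# Prefer RAM-backed /dev/shm so the plaintext never reaches a (journaled) disk,
# which sidesteps the shred-vs-rm question; fall back to $TMPDIR otherwise.
tmp_dir() {
    d=/dev/shm
    [ -d "$d" ] && [ -w "$d" ] || d=${TMPDIR:-/tmp}
    printf '%s\n' "$d"
}

# Decrypt FILE.gpg into a private temp file, open it in $EDITOR, and write it
# back encrypted over FILE.gpg. Assumes gpg and an editor are installed.
edit_encrypted() {
    enc=${1:?usage: edit_encrypted FILE.gpg}
    [ -f "$enc" ] || { echo "no such file: $enc" >&2; return 1; }

    umask 077                                  # plaintext readable only by us
    tmp=$(mktemp "$(tmp_dir)/pw.XXXXXX")
    # Fires on normal exit, on any failure (set -e) and on Ctrl-C, so the
    # decrypted file never outlives this run even when gpg or the editor fails.
    trap 'rm -f "$tmp"' EXIT INT TERM HUP

    gpg --quiet --yes --output "$tmp" --decrypt "$enc"
    "${EDITOR:-vi}" "$tmp"
    # Encrypt to a sibling and rename, so an aborted encrypt cannot clobber
    # the last good passwords.gpg. gpg-agent usually caches the passphrase,
    # so it is typed once rather than three times.
    gpg --quiet --symmetric --output "$enc.new" "$tmp"
    mv -f "$enc.new" "$enc"
    rm -f "$tmp"
    trap - EXIT INT TERM HUP
}

# Only run the edit loop when given a file; the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    edit_encrypted "$1"
fi
```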

So, I hope this new password management works better for me than the last system. Anyone have a better solution to this painful problem? And don’t say OpenID, not until 80% of the sites I visit support it 🙂

Posted in geek, linux.

6 Responses to “Password Management”

  1. Aaron Says:

    Nicely done.
    You don’t want to know my previous password system.

  2. Ziga Says:

    That’s a pretty good system. I use Keychain Access on the Mac, which does a similar thing (only with a nice UI and Safari integration). I also used Revelation on Gnome:

    You have a bug in line 41 where you exit before removing the tmp file. And to be extra safe, you should use wipe instead of rm 🙂

  3. Paul Tarjan Says:

    GUIs scare me 🙂

    Thanks for the bug. I noticed the same thing and updated the code on github. Sadly I can’t figure out how to embed that on my site, so I’ll mirror it back to the gist. Good call.

    As for “wipe”, do you mean “shred”? If so, it seems to not work well on a journaled filesystem. Is that true? Or is it at least better than rm?

  4. Ziga Says:

    shred does the same as wipe, yes — overwrite the file instead of unlinking it.
    You’re right in that it might not work reliably on some journaled file systems, but it seems ext3 by default is safe (since it only writes metadata to the journal).

  5. drock Says:

    Cool hack. PwdHash is a firefox extension that does something similar. Check it out.

  6. Paul Tarjan Says:

    Thanks drock. I had heard of this when I was at Stanford. Looks interesting, but I don’t like the “secret hashing algo” that might change.
