Introduction
How many passwords do you need to keep up with? Even if you’re not working in IT, with accounts on many systems, you might be surprised if you count them all up. You probably (at least) have passwords for your home, laptop, and work computers, email, banking, another one each for the bills you pay online. Then, most people will have a lot more: instant messaging accounts, web-based email, forums, social networking sites, online shopping, etc.
Along with this, we have what is considered to be good password policy, which most will agree goes something like “at least 8 characters, mixed case, digits, special characters”. If you have, say, ten different systems that you sign into, this becomes a burden. Memorizing one secure password isn’t so bad, but each additional one becomes more difficult to the point of being nearly impossible. A few things happen at this point for most people:
- One strong password for everything - Obviously a bad idea, no matter how great of a password it is. Your security would rely on the weakest link of all the places you use that password. A compromise of the user database of a forum you read in your spare time winds up giving attackers the root password for mission-critical servers.
- Tiered passwords - One strong password for things that “matter” to you, and weaker “throwaways” for everything else. This isn’t so bad, but you still have containment issues if any of the important systems are compromised. The weaker passwords are easier to break, and the attacker may still be able to give you a bad day with just the “unimportant” sites.
- Writing down passwords - A lot of people are going to tell you that this is a huge mistake. Realistically, this depends on your situation. Sticky notes on your monitor may be a bad idea if you’re in a large, open-plan office with easy access for the public. It might not be as bad if you work at home, assuming your monitor doesn’t face a window directly. Then you only have to worry about family and friends. In either case, an eastern European script kiddie isn’t going to be able to see them (unless, of course, you live in eastern Europe). Perhaps keep them in your wallet. Then you’ve narrowed it down to people who mug you.
In this post, I’m going to be discussing a way you can manage your passwords in a list, encrypted, and protected by a single master password that you must remember. With such a list, you’ll be able to use longer, more complex, and unique passwords for each of your accounts. The trade-off is that you will have put all of your eggs into one basket. Assuming your master password is strong enough, the attacker will need to compromise the system you store all of this on, and log you typing it in (at which point, you’re pretty much sunk anyway). This isn’t such a bad tradeoff.
In a discussion on the McGrew Security BBS the other day, a friend recommended “pwman” as a great application for this purpose. Pwman has recently undergone a Python rewrite, and is actually very easy to use and tweak for your individual needs. I’ll discuss how to install pwman3 (the new Python version) on Ubuntu Feisty 7.04, as well as the packages it depends on. I’ll also discuss a small modification I’ve made to pwman3 to make it generate more secure passwords.
Installing Pwman3
The Ubuntu repositories have pwman3 v0.0.5, so if you’re not up for a bit of tinkering, you can go ahead and “sudo aptitude install pwman3” and be in pretty good shape. The latest version, which I’ll be using here, is 0.0.6, and is available here.
To get things ready, you’ll need a few dependencies. The pwman3 documentation says it needs “python-celementtree”, “python-crypto”, and “python-pysqlite2”. The first two are in the Ubuntu repositories, so you can go ahead and install them. “python-pysqlite2” isn’t there, so download the latest 2.x.x release of pysqlite from here (2.3.3 as of now).
To install pysqlite 2.3.3, you’ll need to install “build-essential”, “libsqlite0-dev”, and “libsqlite3-dev” from the Ubuntu repositories. Once you have these dependencies, you can extract the pysqlite .tar.gz, and run the following in the directory that it creates:
    sudo python setup.py install
Now, you should be all set to install Pwman3 0.0.6. You can extract it and install it the same way as you installed pysqlite:
    sudo python setup.py install
Modifying Pwman3
Before we start using it, there’s something I’d like to change about pwman3. When you set it up to store a password, it gives you the option of generating a new password. This is a great feature, as you can potentially have some very secure passwords for each account you store in it. Unfortunately, by default, the password generation will only generate passwords that contain upper and lower-case characters. We can dramatically increase the difficulty of cracking these passwords if we add digits.
Take a look at /usr/lib/python2.5/site-packages/pwman/util/generator.py, which contains the password generation code. It’s well written and fairly complex. It seems there’s some functionality for “leetify”-ing the passwords it generates with symbols. However, I would prefer to have my passwords generated with “pwgen”, which is available in the Ubuntu repositories. Install pwgen and take a look at its man page to see how it works.
To make pwman3 use pwgen for password generation, make the following change to the generate_password function, which starts at line 40 of /usr/lib/python2.5/site-packages/pwman/util/generator.py :
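    def generate_password(minlen, maxlen, capitals = True, symbols = True):
        # Original pwman3 generation, disabled in favour of pwgen:
        #(password, hyphenated) = generate_password_shazel(minlen, maxlen)
        #if (capitals):
        #    password = randomly_capitalize(password)
        #if (symbols):
        #    password = leetify(password)
        import subprocess
        # pwgen flags: -s fully random, -c at least one capital, -n at least one numeral.
        # With stdout on a pipe, pwgen prints a single password followed by a newline.
        p = subprocess.Popen(['pwgen','-scn',str(minlen)], shell=False, bufsize=0, stdin=subprocess.PIPE, stdout=subprocess.PIPE, close_fds=True)
        password = p.stdout.read()
        p.wait()  # reap the pwgen child process
        # Keep exactly minlen characters, which drops the trailing newline.
        password = password[:minlen]
        # maxlen, capitals and symbols are ignored; hyphenated is not used by the rest of pwman3.
        hyphenated = password
        return (password, hyphenated)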
As you can see, I’ve commented out the existing generate_password code. First, I start a new pwgen process with arguments for “secure” password creation, mixed case, numerals, and a minimum length. I then read the generated password from pwgen’s standard output, and remove the newline character. The “hyphenated” value that was generated by generator.py’s code doesn’t seem to be used by the rest of pwman3’s code, so I simply copied password into it, where it will be thrown away upon return.
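To put a number on what adding digits buys, here is an added example (not part of the original post or of pwman3) that reproduces the patched function without the external pwgen process and computes the entropy of both alphabets. It assumes Python 3.6+ for the secrets module, unlike the Python 2.5 install above; entropy_bits, LETTERS and ALNUM are names made up for this sketch.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters                 # 52 symbols: upper and lower case only
ALNUM = string.ascii_letters + string.digits   # 62 symbols: letters plus digits


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(minlen, maxlen=None, capitals=True, symbols=True):
    """Hypothetical stand-in for the patched function: same signature and
    return shape as in the post, with pwgen replaced by the secrets module."""
    if minlen < 2:
        raise ValueError("need at least 2 characters to fit a capital and a digit")
    while True:
        # Draw every character independently from the OS CSPRNG.
        candidate = "".join(secrets.choice(ALNUM) for _ in range(minlen))
        # Rejection sampling mirrors pwgen's -c (at least one capital)
        # and -n (at least one numeral) guarantees.
        if (any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            # maxlen, capitals and symbols are ignored, as in the post.
            return (candidate, candidate)


if __name__ == "__main__":
    password, _ = generate_password(16, 16)
    print(password)
    for length in (8, 16):
        print(length,
              round(entropy_bits(len(LETTERS), length), 1),
              round(entropy_bits(len(ALNUM), length), 1))
```

At 8 characters the digits add about 2 bits (45.6 to 47.6), while each additional character adds about 6, so raising the length matters more than widening the alphabet.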
By default, pwman3 supports a command history, which it keeps in ~/.pwman/history. This is probably a bad idea, as this plaintext file might reveal information about your accounts and activity, so open up ~/.pwman/config and change the “[Readline]” section to look like this:
    [Readline]
    history = /dev/null
You can now remove ~/.pwman/history.
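A quick way to confirm the change took effect, as an added example (not part of pwman3 or the original post): the function below reads the config, checks the “[Readline]” history setting, and reports a leftover history file. The function name audit_pwman_dir and the group/other permission check are additions of this sketch, not something the post covers.

```python
import configparser
import os
import stat


def audit_pwman_dir(pwman_dir):
    """Return a list of findings for a pwman3 directory such as ~/.pwman."""
    if not os.path.isdir(pwman_dir):
        return ["%s: not found" % pwman_dir]
    findings = []

    # 1. The [Readline] section should send history to /dev/null.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(os.path.join(pwman_dir, "config"))  # missing file: empty parser
    history = parser.get("Readline", "history", fallback=None)
    if history != "/dev/null":
        findings.append("config: [Readline] history is %r, expected '/dev/null'"
                        % history)

    # 2. A history file written before the change is still plaintext on disk.
    history_path = os.path.join(pwman_dir, "history")
    if os.path.exists(history_path):
        findings.append("history: plaintext file still present (%d bytes)"
                        % os.path.getsize(history_path))

    # 3. Extra check (assumption of this sketch): nothing in the directory
    #    should be accessible to group or other users.
    for name in sorted(os.listdir(pwman_dir)):
        mode = stat.S_IMODE(os.stat(os.path.join(pwman_dir, name)).st_mode)
        if mode & 0o077:
            findings.append("%s: accessible by group/other (mode %o)"
                            % (name, mode))
    return findings


if __name__ == "__main__":
    for finding in audit_pwman_dir(os.path.expanduser("~/.pwman")):
        print(finding)
```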
Using Pwman3
It’s very easy to use! It has a simple readline-based console interface, with help that displays a list of commands that are valid:
    weasel@hacktop:~$ pwman3
    Please enter your new password:
    Please enter your new password again:
    Pwman3 0.0.6 (c) Ivan Kelly <pwman@bleurgh.com>
    pwman> help
    Documented commands (type help <topic>):
    ========================================
    EOF    delete  exit    filter  help    list  new     print  save  tags
    clear  edit    export  forget  import  ls    passwd  rm     set
    pwman> help tags
    Usage: tags
    Displays all tags in used in the database.
    pwman> help filter
    Usage: filter <tag> ...
    Filters nodes on tag. Arguments can be zero or more tags. Displays current tags if called without arguments.
    pwman>
When you first use pwman3, it will have you choose a password to protect its password database. Make this password strong and memorable. From there, you can add accounts to the database with “new”, “edit” them, “filter” on tags, and “list” all accounts that match the current filter. To view more information on an account, you can “print” its number.
Thanks to all of the participants in the BBS for spurring discussion that can lead to posts like this!