pass oldest
I and my colleagues at Northern.tech use pass to store and share passwords in a secure way. Pass uses git and gpg to secure and keep track of changes. Each password is just a gpg file in a special directory, by default ~/.password-store.
I wanted to help myself automate and refresh passwords when appropriate. After doing some research, see References below, I found that likely the best reason to change your passwords are:
-
the site has been compromised This can be dealt with by visiting https://haveibeenpwned.com/ periodically
-
your password is rather old, say 1-2 years, especially if you can't setup multi-factor auth for that site I wrote some small scripts and eventually a pass extension!
The other recommendations about passwords can generally be handled by letting a password manager like pass handle the generation of the passwords. Problem solved!
First I wrote a script to show me the oldest gpg file recursively from the current location:
~/bin/oldestfile:
find -type f -name '*.gpg' -printf '%T+ %p\n' | sort | head -n 1
Then I used that to find the oldest file in my password database
~/bin/oldestpassword:
(cd ~/.password-store; oldestfile)
And now comes the hard part, logging in to whatever that is and choosing to delete the account or generating a new password. Would be nice if pass tracked when the last time I accessed the password but that will have to wait until another time. ;)
Password entries can contain more than just a first line with the password, such as account id, recovery secrets, meta information so when you regenerate a new password make sure you use the -i (in place edit) option
pass generate -i sample-pass-entry-path
To make this easier and more sharable I created a pass extension called "oldest".
Get at https://gitlab.com/craigcomstock/pass-oldest, install, and then you can type
pass oldest
And get back similar info as my simpler scripts.
Further Ideas
- base oldest on git commit timestamp instead of filesystem
- find some way to mark an old password as "fine" so "pass oldest" doesn't report it again for a while
- add workflow to oldest to include deciding to refresh/delete/defer a password
References (with TL;DR summaries aka LMGTFY ;)
- 2018: https://www.us-cert.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
- multi-factor auth
- unique password for each site
- no personal information
- longest password or passphrase permissible
- no words from a dictionary? (Hmm...) (password manager takes care of this one!)
- Supplementing passwords (2010, revised 2019) https://www.us-cert.gov/ncas/tips/ST05-012
- Choosing and Protecting Passwords (2009, revised 2019) https://www.us-cert.gov/ncas/tips/ST04-002
- 2018: https://blog.lastpass.com/2018/08/often-change-password
- Nice article. Would be amazing if a tool could monitor for website changes and breaches automagically!? Does last pass do this?
- They have a nice list:
- After a service discloses a security incident.
- There is evidence of unauthorized access to your account.
- There is evidence of malware or other compromise of your device.
- You shared access to an account with someone else and they no longer use the login.
- You logged in to the account on a shared or public computer (such as at a library or hotel).
- It's been a year or more since you last changed the password, especially if you don't have multi-factor authentication enabled.
- 2017: https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
- use pass phrases
- only change passwords if there is a compromise
- use password managers
- 2017: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
- woah. Way too deep there.
- 2017: https://www.npr.org/sections/alltechconsidered/2017/08/14/543434808/forget-tough-passwords-new-guidelines-make-it-simple
- phrases, lowercase letters and typical english words work well
- no special chars or mix of upper/lower
- passwords never need to expire
- 2017: https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
- 2016: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
- time to rethink mandatory password changes
- change them if they might have been compromised: stolen, shared with a friend, looking over your shoulder, phishing, weak?
- 2016: https://www.microsoft.com/en-us/research/publication/password-guidance/
- 8 char minimum
- eliminate char-composition requirements
- eliminate mandatory periodic password resets
- ban common passwords
- educate not to re-use passwords
- enforce registration for multi-factor auth
- enable risk based multi-factor auth challenges
- 2016: https://jumpcloud.com/blog/best-practices-password-management/
- greater than 18 chars
- if shorter, increase entropy with random-ness
- each password unique, not reused
- leverage password manager
- multi-factor auth, mandatory for email
- 2016: wired says don't change passwords so often https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/
- 2011: https://xkcd.com/936/
- use four common random words, increases entropy from 28 bits -> 44 bits
- 2002: https://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
- no dictionary words, proper nouns or foreign words
- no personal information
- length, width and depth
- extra protection - password manager
- changing passwords, once per fiscal year, once per fiscal quarter
