Auditing passwords with "pass oldest" | Northern.tech

Written by craigcomstock | Oct 3, 2019 4:00:00 AM

pass oldest

My colleagues and I at Northern.tech use pass to store and share passwords securely. Pass uses git and gpg to protect entries and keep track of changes. Each password is just a gpg-encrypted file in a special directory, by default ~/.password-store.

I wanted to help myself automate refreshing passwords when appropriate. After doing some research (see References below), I found that the best reasons to change a password are:

  • the site has been compromised. This can be dealt with by visiting https://haveibeenpwned.com/ periodically.

  • your password is rather old, say 1-2 years, especially if you can't set up multi-factor auth for that site. To deal with this I wrote some small scripts and eventually a pass extension!

The other recommendations about passwords can generally be handled by letting a password manager like pass generate the passwords for you. Problem solved!

First I wrote a script to show me the oldest gpg file, searching recursively from the current directory:

~/bin/oldestfile:

#!/bin/sh
# Print the modification time and path of the oldest .gpg file below the
# current directory. Relies on GNU find's -printf; '%T+' yields a timestamp
# that sorts correctly as text, so the first line after sort is the oldest.
find . -type f -name '*.gpg' -printf '%T+ %p\n' | sort | head -n 1

Then I used that to find the oldest file in my password database:

~/bin/oldestpassword:

#!/bin/sh
# Run oldestfile (expected in PATH, e.g. ~/bin) from inside the password store.
# The subshell keeps the caller's working directory unchanged, and '&&' avoids
# searching the wrong directory if the cd fails.
(cd ~/.password-store && oldestfile)
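The same idea carried one step further, as an added example that is not part of the original post or the pass-oldest extension: instead of only the single oldest file, list every entry whose file has not been modified for more than a chosen number of days, oldest first, skipping the store's .git directory. The function names, the 365-day default and the sample store built at the bottom are constructed for this example; it assumes GNU find, sort and date, as the post's own script does.

```sh
#!/bin/sh
# Print every entry as "<mtime epoch> <entry name>", oldest first. Entry names
# are the .gpg paths relative to the store with the suffix stripped, i.e. the
# names pass itself uses. The store's .git directory is pruned from the search.
list_entries_by_age() {
    store="${1:-$HOME/.password-store}"
    find "$store" -name .git -prune -o -type f -name '*.gpg' -printf '%T@ %P\n' \
        | sed 's/\.gpg$//' \
        | sort -n
}

# Print entries not modified for more than $2 days (default 365), oldest
# first, as "<age in days> <entry name>". Prints nothing if all are fresh.
stale_entries() {
    store="$1"
    max_days="${2:-365}"
    now=$(date +%s)
    list_entries_by_age "$store" | while read -r mtime name; do
        # %T@ carries a fractional part; strip it before integer arithmetic.
        age_days=$(( (now - ${mtime%.*}) / 86400 ))
        if [ "$age_days" -gt "$max_days" ]; then
            printf '%s %s\n' "$age_days" "$name"
        fi
    done
}

# Constructed sample store (not a real password store) so the script runs
# offline: two old entries, one fresh entry and a decoy under .git.
demo_store=$(mktemp -d)
mkdir -p "$demo_store/.git" "$demo_store/web"
touch -d '2016-06-01' "$demo_store/web/old-site.gpg"
touch -d '2018-09-15' "$demo_store/bank.gpg"
touch "$demo_store/web/fresh.gpg"                      # modified just now
touch -d '2015-01-01' "$demo_store/.git/ignored.gpg"   # must not be reported
stale_entries "$demo_store" 365
rm -rf "$demo_store"
```

Run it inside a real store with `stale_entries ~/.password-store 730` to get the entries older than two years, the threshold the post suggests.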

And now comes the hard part: logging in to whatever that is and choosing either to delete the account or to generate a new password. It would be nice if pass tracked when I last accessed a password, but that will have to wait until another time. ;)

Password entries can contain more than just the password on the first line, such as an account id, recovery secrets or meta information, so when you regenerate a password make sure you use the -i (in-place edit) option so that the rest of the entry is preserved:

pass generate -i sample-pass-entry-path

To make this easier and more shareable I created a pass extension called "oldest".

Get it at https://gitlab.com/craigcomstock/pass-oldest, install it, and then you can type

pass oldest

and get back the same kind of information as my simpler scripts.

Further Ideas

  • base oldest on the git commit timestamp instead of the filesystem timestamp
  • find some way to mark an old password as "fine" so "pass oldest" doesn't report it again for a while
  • add a workflow to oldest that includes deciding to refresh/delete/defer a password

References (with TL;DR summaries aka LMGTFY ;)