Auditing passwords with "pass oldest" | Northern.tech

pass oldest

I and my colleagues at Northern.tech use pass to store and share passwords in a secure way. Pass uses git and gpg to secure and keep track of changes. Each password is just a gpg file in a special directory, by default ~/.password-store.

I wanted to help myself automate and refresh passwords when appropriate. After doing some research, see References below, I found that likely the best reason to change your passwords are:

• the site has been compromised This can be dealt with by visiting https://haveibeenpwned.com/ periodically

• your password is rather old, say 1-2 years, especially if you can't setup multi-factor auth for that site I wrote some small scripts and eventually a pass extension!

The other recommendations about passwords can generally be handled by letting a password manager like pass handle the generation of the passwords. Problem solved!

First I wrote a script to show me the oldest gpg file recursively from the current location:

~/bin/oldestfile:

find -type f -name '*.gpg' -printf '%T+ %p\n' | sort | head -n 1

Then I used that to find the oldest file in my password database

~/bin/oldestpassword:

(cd ~/.password-store; oldestfile)

And now comes the hard part, logging in to whatever that is and choosing to delete the account or generating a new password. Would be nice if pass tracked when the last time I accessed the password but that will have to wait until another time. ;)

Password entries can contain more than just a first line with the password, such as account id, recovery secrets, meta information so when you regenerate a new password make sure you use the -i (in place edit) option

pass generate -i sample-pass-entry-path

To make this easier and more sharable I created a pass extension called "oldest".

Get at https://gitlab.com/craigcomstock/pass-oldest, install, and then you can type

pass oldest

And get back similar info as my simpler scripts.

Further Ideas

• base oldest on git commit timestamp instead of filesystem
• find some way to mark an old password as "fine" so "pass oldest" doesn't report it again for a while
• add workflow to oldest to include deciding to refresh/delete/defer a password

References (with TL;DR summaries aka LMGTFY ;)

• 2018: https://www.us-cert.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
  • multi-factor auth
  • unique password for each site
  • no personal information
  • longest password or passphrase permissible
  • no words from a dictionary? (Hmm...) (password manager takes care of this one!)
  • Supplementing passwords (2010, revised 2019) https://www.us-cert.gov/ncas/tips/ST05-012
  • Choosing and Protecting Passwords (2009, revised 2019) https://www.us-cert.gov/ncas/tips/ST04-002
• 2018: https://blog.lastpass.com/2018/08/often-change-password
  • Nice article. Would be amazing if a tool could monitor for website changes and breaches automagically!? Does last pass do this?
  • They have a nice list:
  • After a service discloses a security incident.
  • There is evidence of unauthorized access to your account.
  • There is evidence of malware or other compromise of your device.
  • You shared access to an account with someone else and they no longer use the login.
  • You logged in to the account on a shared or public computer (such as at a library or hotel).
  • It's been a year or more since you last changed the password, especially if you don't have multi-factor authentication enabled.
• 2017: https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
  • use pass phrases
  • only change passwords if there is a compromise
  • use password managers
• 2017: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
  • woah. Way too deep there.
• 2017: https://www.npr.org/sections/alltechconsidered/2017/08/14/543434808/forget-tough-passwords-new-guidelines-make-it-simple
  • phrases, lowercase letters and typical english words work well
  • no special chars or mix of upper/lower
  • passwords never need to expire
• 2017: https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
• 2016: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
  • time to rethink mandatory password changes
  • change them if they might have been compromised: stolen, shared with a friend, looking over your shoulder, phishing, weak?
• 2016: https://www.microsoft.com/en-us/research/publication/password-guidance/
  • 8 char minimum
  • eliminate char-composition requirements
  • eliminate mandatory periodic password resets
  • ban common passwords
  • educate not to re-use passwords
  • enforce registration for multi-factor auth
  • enable risk based multi-factor auth challenges
• 2016: https://jumpcloud.com/blog/best-practices-password-management/
  • greater than 18 chars
  • if shorter, increase entropy with random-ness
  • each password unique, not reused
  • leverage password manager
  • multi-factor auth, mandatory for email
• 2016: wired says don't change passwords so often https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/
• 2011: https://xkcd.com/936/
  • use four common random words, increases entropy from 28 bits -> 44 bits
• 2002: https://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
  • no dictionary words, proper nouns or foreign words
  • no personal information
  • length, width and depth
  • extra protection - password manager
  • changing passwords, once per fiscal year, once per fiscal quarter