Passwords have always been one of the weakest links in information security. Good passwords are hard to generate and remember. Added to that it’s not good practice to use the same password for multiple sites. So one has to use completely random, reasonably long, password that contains upper and lowercase letters, numbers and special characters (phew). As if all this is not enough, several sites – like those of financial institutions – require you to change your password regularly.
All this can make it very difficult to generate, remember and maintain passwords and store passwords in a secure fashion. In this article, let’s tackle the problems with passwords one after the other.
Hopefully, I’ll cover everything that needs to be covered. If I’ve left off something, kindly point it out and I’ll edit the article to fix it as quickly as possible
Passwords need to be reasonably long and complex. By this, I mean it should be infeasible to brute force a password by trying out all possible combinations of alphabets, numbers and special symbols in any reasonable time span. Also, passwords need to be sufficiently random to be resilient against dictionary attacks. It goes without saying that you shouldn’t use phrases that are related to you like your birth-year or the name of your pet.
To generate random pronounceable passwords on my Linux machine, I use a program called
apg like so:
$ apg Please enter some random data (only first 16 are significant) (eg. your old password):> ivDeufVeyt2 (iv-Deuf-Veyt-TWO) EkKocIn4 (Ek-Koc-In-FOUR) priWawEj2 (pri-Waw-Ej-TWO) FoytjiUd1Ot (Foyt-ji-Ud-ONE-Ot) CevTelUdtem2 (Cev-Tel-Ud-tem-TWO) IlmASloth6 (Ilm-A-Sloth-SIX)
apg is really good at generating pronounceable passwords. You can use the
-M switch to choose what characters must be present in your password. Here’s how I generate passwords that contain symbols, capital letters and numbers that are at a minimum 24 characters long:
$ apg -m 24 -s -M CNSL Please enter some random data (only first 16 are significant) (eg. your old password):> arcUnnar2ovoshUchisUkOd) Dyfrejfi,blioslodPajBev7 wawnUloiskomnurj*Teehyt1 PridWas3otagCidtachdyif@ WedchewhegIgEtyig2Frilk@ TynRifunVeltevReoj~wruj3
Pick one of these for your system passwords. Don’t whine about typing these in during SSH sessions because you really shouldn’t be using password-based logins via SSH. Use SSH keys instead.
Another neat way of generating passwords is
diceware that lets you generate long, easy to remember pass-phrases: http://world.std.com/~reinhold/diceware.html
Remembering passwords (and securing)
Our brains are not designed for remembering arbitrary, long, complex strings. We only remember what is absolutely necessary and our brain actively erases memories that it thinks are to be purged (http://www.iflscience.com/brain/scientists-discover-process-regulates-forgetting). So we need to use a tool that can securely store our passwords and we secure the tool itself with one giant master password.
I have two tools to discuss in this regard, one is
KeePassX and the other is
KeePassX is a multi-platform graphical tool that lets us store and organize passwords in an encrypted database. You can install it using your systems package manager from the repositories or use the official installer files at https://www.keepassx.org/.
Using KeePassX – (OpSec)
Step 0: If you haven’t already, install KeePassX (duh)
Step 1: Select a file to be used as a key. This could be a photo or any random file. One way is to create a file containing a hash of a passphrase. Something like this:
$ echo "Darth Vader was a good guy" | sha256sum > grumpy.kitteh $ cat grumpy.kitteh c1338b1f64c634afbea0ffda3c7d01410e60b5930e3514fff487de64c6def439 -
$ echo "Darth Vader was a good guy" | sha256sum | hexdump > grumpy.kitteh $ cat grumpy.kitteh 0000000 3163 3333 6238 6631 3436 3663 3433 6661 0000010 6562 3061 6666 6164 6333 6437 3130 3134 0000020 6530 3036 3562 3339 6530 3533 3431 6666 0000030 3466 3738 6564 3436 3663 6564 3466 3933 0000040 2020 0a2d 0000044
There are other, more secure ways of creating a key like
dd (highly recommended) since they don’t rely on phrases containing “Darth Vader” or meaningful shit like that.
$ dd if=/dev/urandom of=./grumpy.kitteh bs=512 count=10
Pick filenames that are completely boring. A file named KEEPASS.KEY or SECRET.KEY would only speak badly about your sense of security. grumpy.kitteh is bad too, btw.
Now that you have a file, let’s move on.
Step 3: Open
KeePassX and hit
Ctrl+N for a new database. Under Password, type a secure password like this (or better, use
OgVuzHyeHod3knetmajErrocIcAcKud]. Do not forget this.
Select Key File and give the path to the key file you generated. Then hit OK.
Step 4: Select File –> Database Settings and select an algorithm of preference from the drop-down for encrypting your database with. Both
Twofish are very secure, time-tested algorithms with no demonstrated attacks. I personally prefer
Twofish (successor to Bruce Schneier’s
Blowfish) since it makes brute-forcing very expensive and slow. But that’s me.
Step 5: We need to increase the count for the number of rounds (the number of times the algorithm scrambles the original string) for the algorithm so that it takes around one second to decrypt the database. Simply click on the clock symbol to the right of
Encryption Rounds and the number of rounds for the algorithm to take one second to decrypt the DB will automatically be calculated for your system.
Note: As the database grows, decryption gets slower and slower. Sometimes as slow as three seconds or even more. You can live with it.
Step 6: Save the database by hitting
Ctrl+S. Again, give a nondescript, non-interesting name for the database. Like
kdb part kinda gives it away that it’s a
KeePassX database. So you can leave that out if you choose to.
Step 7: Go to Extras –> Settings. Then choose
Security on the left selection pane.
Choose a conveniently small number of seconds for the clipboard to be wiped. So once you copy a password, you have to paste it within 15 seconds of copying in the above example. The database will be locked after 30 seconds of inactivity and you will have to supply the master password again to unlock it. This is good operational security when using
KeePassX. Save the database again (CTRL+S)
You can use Extras –> Password generator to generate secure long passwords.
Using KeePassX – (General)
Let us now create a password for Facebook and use it.
Step 1: Under Groups, select a group. Then press
CTRL+Y or Entries –> Add New Entry
Step 2: Give an identifier title and supply the user-name
Step 3: Click on
Gen button to generate a password. In the password generator window, adjust the length (32 characters minimum recommended) and the character groups allowed, then click Generate button. Then click OK.
The little eye button displays your password in plain-text if you want to verify it.
Step 4: Click OK then save the DB.
Let us now use the credentials on Facebook.
Step 1: Open Facebook login page while KeePassX is open.
Step 2: Click on the correct password entry. Click
CTRL+B to copy the user-name or
CTRL+C to copy the password
Step 3: Paste the copied entity into the appropriate input box and login.
More advanced usage like browser auto-fill are also available. Refer the documentation. Also refer: https://ssd.eff.org/en/module/how-use-keepassx
But, but I use a headless server…?
So you might be using a headless server with no GUI or X running. How do you manage your passwords there? You keep encrypt them with symmetric key algorithms, of course!
We are going to use AES 256 bit encryption to encrypt passwords in a text file using the
ccrypt utility for headless nodes.
Using ccrypt to encrypt a password text file:
Step 1: Put all your passwords in a text file on an air-gapped machine.
$ cat gooby.txt Facebook | robertdjr | wyabbacvipabKakk)QuaidIpsIjVivab9 Google | robejr334 | ReenMatyincutbetjewujbyg-Gryawg7 Mail | robbiej88 | dasOwapGhoGropwityinIjyayk1oksh@
Step 2: Install ccrypt
apt-get install ccrypt or similar
Step 3: Encrypt your password database text file using
ccrypt. Use a strong encryption key (duh).
$ ccencrypt gooby.txt Enter encryption key: Enter encryption key: (repeat)
You will be left with a file that has
cpt extension. This is your encrypted data file.
$ file gooby.txt.cpt gooby.txt.cpt: data
Step 4: To decrypt use,
ccdecrypt command which will leave you with the text file again.
$ ccdecrypt gooby.txt.cpt Enter decryption key:
But you don’t have to decrypt the whole file and encrypt it each time. You can use the
ccat command to just show the decrypted contents of the DB without decrypting the file for good. You can even grep through this to find what you want.
$ ccat gooby.txt.cpt | grep Google Enter decryption key: Google | robejr334 | ReenMatyincutbetjewujbyg-Gryawg7
You can choose whatever text format is suitable for your scripting needs if you want to automatically copy passwords to the clipboard without using a mouse.
Note: Beware of the special symbols in the password that might be messing up with your script like pipe, ampersand and parantheses.
So, there you have it. Basic password management. Let us know your questions, comments and feedback in the comment section. Ciao!