In this article I’ll show how to set up a secure master password list on Linux, without depending on any external services.
Due to the recent break-in at LinkedIn, with 6.5 million passwords stolen and published, everyone is now probably aware that it’s a smart idea to take your password policy a bit seriously. With recent advances in password cracking technology (two million of the LinkedIn passwords have already been cracked using clever software that mimics the way people create variations of passwords) it’s clear that passwords that are not ‘strong’ can be cracked within days, and if you’ve used that password on multiple sites you will have to change it on all of them before the hacker gets to it.
But if you use strong secure passwords, and make them different on each site, how are you going to remember them? Browsers can save passwords for you (e.g. Firefox, make sure to set the master password in the browser security preferences), but that’s probably not a complete view of all your passwords and can get lost / deleted. In short you need a safe master password list. By safe I don’t mean services like Lastpass.com. It will store all your passwords for you and type them in using a browser plug-in, which is great feature-wise but makes them a too-tempting target for hackers.
Instead, in this article I show an alternative using tried and true technology that you can control yourself all the way. It consists of using ‘vi’ on your own Linux machine to transparently encrypt a text file with passwords, and a script that can generate secure passwords for you. I assume that you have a Linux server available somewhere that you can log in to using ssh, and that it is backed up regularly.
The first step, then, is to get vim 7.3 installed with the encryption feature (all modern Linux distributions have vi defined as an alias for vim, a.k.a. ‘vi improved’). Try:
vi --version
If it says 7.3 or higher you should be set already. If not, we’ll simply download the latest vim source, compile it and install it in /usr/local:
su
yum install mercurial   # on Ubuntu use: sudo apt-get install mercurial (Mercurial is the version control system used by the authors of vim)
exit
hg clone https://vim.googlecode.com/hg/ vim
cd vim/src
make
su
make install
exit
/usr/local/bin/vim --version   # check that it's at least 7.3
export PATH=/usr/local/bin:$PATH   # can be put in your .bashrc
alias vi='vim'   # most distributions have this set already
Now create the master password file:
vi pwfile.txt
:setlocal cm=blowfish
:X
# Enter your master password for this file. Make sure to save/remember it: there is no way to recover it if you forget!
:w
Note that this encryption feature is pretty safe; vim knows not to store the unencrypted version of the file anywhere. There is one remaining risk: if you’ve set up swap space and your machine is low on memory it may swap out the vim editor while editing your file, which would mean the contents would be stored somewhere in swap (on disk) unencrypted. There is a small risk that a hacker with root access or with physical access to the disk could recover the password file that way. To avoid this there are two main ways: disable all swap (most modern systems have ample RAM and don’t need it) or set up encrypted swap. Details are left as an exercise for the reader / for a future article.
And finally the utility to generate passwords. You could use web sites or Linux tools like apg (automatic password generator) for this, but to avoid all risks of backdoors etc. here is a simple script that you can verify yourself:
yum install sharutils   # for uuencode
cat /proc/sys/kernel/random/entropy_avail   # show how much entropy the kernel pool currently has
for ((n=0; n<8; n++)); do
    # The random-byte source on this line was lost in extraction; reading a few bytes from
    # /dev/urandom with dd is a reconstruction (the 2>/dev/null silences dd's statistics).
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | uuencode -m - | sed -ne 2p | cut -c-10 | tr abcdefgh ',.=/#!_;'
done
Available entropy is displayed to give you an indication of how random your password will really be. As long as the displayed number is greater than about 10 you’re ok.
You can customize the script above as you want. As shown here it will print 8 candidate passwords, each consisting of 10 characters. To make the passwords harder to guess, the letters ‘a’ to ‘h’ are replaced by various symbols.
You could vary:
- the limit of the for loop (currently 8) to show more or fewer passwords
- the argument of cut to make the passwords longer or shorter
- the arguments of tr to have a different substitution of characters by symbols
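To see what those three knobs buy you, here is the same pipeline as a shell function together with an entropy estimate for a chosen length. This is an added example, not the author's script: it assumes coreutils base64 in place of uuencode -m (same output alphabet), plus dd and awk.

```shell
#!/bin/sh
# Added example (assumptions: /dev/urandom, dd, base64, cut, tr, awk available).

# Letters replaced by symbols, as in the page's tr step.
FROM='abcdefgh'
TO=',.=/#!_;'

# gen_password LEN: LEN base64 characters made from random bytes, with the
# FROM -> TO substitution applied. Equivalent to the page's pipeline with
# uuencode -m replaced by base64 (no header line, so no sed needed).
gen_password() {
    len=$1
    # 3 random bytes yield 4 base64 characters; read enough bytes to cover LEN
    # so that '=' padding never lands inside the first LEN characters.
    nbytes=$(( (len * 3 + 3) / 4 + 1 ))
    dd if=/dev/urandom bs="$nbytes" count=1 2>/dev/null \
        | base64 | head -n 1 | cut -c-"$len" | tr "$FROM" "$TO"
}

# entropy_bits LEN: entropy of a LEN-character password drawn from the
# 64-symbol base64 alphabet. The tr substitution is a bijection, so it
# changes which symbols appear but not this number.
entropy_bits() {
    awk -v n="$1" 'BEGIN { printf "%.0f\n", n * log(64) / log(2) }'
}

# check_password PW: succeeds only if PW is non-empty and contains nothing
# but characters the generator can emit (base64 minus a-h, plus the symbols).
check_password() {
    case "$1" in
        '') return 1 ;;
        *[!A-Zi-z0-9+/,.=#\!_\;]*) return 1 ;;
    esac
    return 0
}

# Print 8 candidates of 10 characters, like the page's loop, then the budget.
n=0
while [ "$n" -lt 8 ]; do
    gen_password 10
    n=$((n + 1))
done
echo "each candidate carries about $(entropy_bits 10) bits of entropy"
```

Lengthening the cut argument is what raises the entropy figure; changing the tr arguments only changes which symbols appear.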
Now just run the script a couple of times, pick a password for each site you use, change it on the site and record it in the vi-encrypted master password file (as well as in your browser’s password storage, which is the only way to make this a bit usable).
Of course, if you’re really good you’ll remember to change these passwords at least once every quarter.