Thursday, 29 December 2011

Passwords; Where do you stick yours?

If you have multiple machines in multiple counties with multiple operating-systems with multiple accounts and multiple backups - how do you sync passwords?

Over the years I have tried perl: { stenography, openssl, Shamir's Secret Sharing}, Password Gorilla and GPG, KeePass, (both versions and various ports), and even CSV.

A large percentage of my passwords are for sites that I hardly ever visit; All these web passwords seem VERY VERY WRONG when I look at how I access hundreds of servers using openssh. I should have just one key that I would keep on some USB stick. The browser would request the public key and an "access" version of the private one. The public one would be stored as a cookie and then any site that wanted to authenticate me would be able to use my public key and the browser would use the access key to prove who I was. Close the browser and the access key is either encrypted or deleted.

I used to just remember every password and phone number that I needed. Then at the end of the 90s I got my first mobile phone. I entered every phone number and from then on, (I think it was an Ericsson GH337.) Then, in 1997, I got a Psion 5. This became the central repository for all of my data and thoughts, (backed up on my PC). I also had various shell accounts around the Internet, (one was a Solaris computer called monica.mailbox.net.uk), that I used to upload data to as a remote backup.

Then in 1998 I started to use whisper32, (I think that Shish, one of my colleagues at the time, suggested this) so I ported all of my passwords from my password-protected Psion 5 sheet.

At this point, (2011) for Windows I use KeePass and for Linux I use a vim plug-in that I have hacked about to store passwords in a p^3.s.v. (pipe-percent-pipe separated values) encrypted using openssl -e -a aes-256-cbc (all triggered by a bash alias so that just 5 keystrokes, (Ctrl+Alt+T,p) plus the master password, get me access to my password list from any of my Linux desktops. If I'm already in a shell then it is just 2.)

When I was on Mac I used a database driven AES-in-javascript Perl CGI::Application that encrypts the password client side and then sends it to be stored in my database. (Notice::Email::Alias_details) This was an extension to my (exim/dovecot) email management system, (I was creating a new address for each site/sign-up/contact and naturally I needed, for each one, to record a website URL; username; password; random notes for password recovery, (why would you EVER tell a website your dog's name? - my pet is always called apg -n1 -cyn1 12 14))
Once I started storing passwords with websites my password back-up solutions grew to include all of my vital-data backup.

So I have three systems and would like them to automatically synchronise.
KeePass understands CSV but when it imports it does not know the categories, (because it deals with all CSV as if it were KeePass version 1.x). So much as it pains me XML seems to be the system that is going to be compatible with KeePass 2.x.

Hacking a perl script to export my linux database into XML is trivial, but I want this to be automatic, (crontab/rsync) but would never leave the master password on any system unencrypted.

Because each password stored in Notice has an independent AES key that is not stored anywhere, automatically exporting passwords in plain text is impossible. (Actually the key is optional, so it is possible that the password is in plain text and as Notice also generates random passwords that resemble encrypted strings, and makes no record of the key or even if there is a key, it is not possible to tell if the password is already encrypted.)

This means that the system with the most complexity determines the extent to which my script has to understand without losing data, and the system with the highest granularity of security, (not necessarily the highest encryption security) is going to be the central database. This means that by forcing these three systems to play together I would be sacrificing complexity, (functionality) and possibly security, (though having a {possible and optional} separate key for each password does mean that if one key is compromised the others are still secure.)

So pushing KeePass into Notice is possible with a single export, (I can upload the .xml to Notice and it can import the details.)
openssl.vim into Notice is done using a single perlscript.

Just because you can, doesn't mean you should

I decided that Firefox Sync was the answer. Not the '42' but the 'for-now'. Despite digging through their code to check that it was not doing anything naughty, (it wasn't) I set up my own server, (just because AES cracking using quantum computers doesn't exist yet, does not mean that it never will; Once it does I expect it will be a short-lived party trick, to decrypt publicly available files and all the other things that will be stored in the various clouds for a very long time.)
This would let me store my passwords in the browser, (where I needed most of them anyway.) This just meant that I had to find some way to store my ssh-key passwords, my (operating-system_username+password)s and $(everything else that was not a website.)
I had tried OpenID, and though I can see where it would be useful, (I even set up my own server) I still felt that it was making some of the sites that I visited second-class citizens. I found that I would only use OpenID on sites where I did not mind if my account was compromised, (well I would mind, but it did not matter.)

...then my server got DoSed, (I still visualise this as little blue-UDP packets singing, "laaa laaa la-la-la laaa"). I needed a password that I had encoded using
echo "Password"|openssl enc -aes-256-cbc -a -pass pass:verysecret
(and I get it back using
echo "U2FsdGVkX19Hu9wSFkTBY6UNl/oZQkvYRF7ZJiIDuRM="|openssl enc -d -aes-256-cbc -a -pass pass:verysecret
)
and had stored as a comment for a bookmark, (this was my hack to store additional data using Firefox Sync.)
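
The blob quoted above can be taken apart without the passphrase, and that layout is what anyone who syncs it through a third-party service sees. This added example (not from the original post) parses it and derives the AES key the way `openssl enc` did by default in 2011, next to the `-pbkdf2` derivation that later OpenSSL releases offer. The function names are hypothetical, and MD5 as the default digest is an assumption that holds for OpenSSL releases before 1.1.0.

```python
import base64
import hashlib

# The base64 string quoted in the post (output of `openssl enc -aes-256-cbc -a`).
BLOB = "U2FsdGVkX19Hu9wSFkTBY6UNl/oZQkvYRF7ZJiIDuRM="
PASSPHRASE = b"verysecret"  # the example passphrase used in the post


def parse_salted_blob(b64_text):
    """Split a password-based `openssl enc` blob into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 16 or raw[:8] != b"Salted__":
        raise ValueError("not a salted openssl enc blob")
    salt, ciphertext = raw[8:16], raw[16:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, ciphertext


def legacy_key_iv(passphrase, salt, digest="md5"):
    """EVP_BytesToKey with a single iteration: what `enc` does without -pbkdf2."""
    material, block = b"", b""
    while len(material) < 48:  # 32-byte AES-256 key + 16-byte CBC IV
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:32], material[32:48]


def pbkdf2_key_iv(passphrase, salt, iterations=10000):
    """Derivation behind `openssl enc -pbkdf2` (HMAC-SHA256, default 10000 rounds)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=48)
    return material[:32], material[32:]


if __name__ == "__main__":
    salt, ciphertext = parse_salted_blob(BLOB)
    print("salt:", salt.hex(), "| ciphertext bytes:", len(ciphertext))
    key, iv = legacy_key_iv(PASSPHRASE, salt)
    print("legacy derivation: 3 MD5 calls, no stretching; key/iv bytes:", len(key), len(iv))
    strong_key, _ = pbkdf2_key_iv(PASSPHRASE, salt)
    print("pbkdf2 key differs from legacy key:", strong_key != key)
```

With only three unsalted-cost MD5 calls between passphrase and key, the strength of the stored secret rests entirely on the passphrase; re-encrypting with `-pbkdf2` and a raised `-iter` value adds per-guess cost.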

The Sun went into the Cloud

So back to the drawing board. During 2010 I hacked together two BATCH.bat files that could use a PortableApps openssl to decrypt and encrypt my original p^3sv file.
This meant that if I could separate the data-storage from the encryption then I could use any online data-storage service. I looked at the most popular and Ubuntu One, but in the end I decided to go for SpiderOak.
(I already have my public code in github/CPAN.)

So what do we really need? Passwords, Contacts, Bookmarks, private data, (the last being 'other', but in my case it is { agenda/calendar, (of things that are going to happen, like meetings and flight details); (non-)fiction/poems; notes/ref; diary, (things that have happened.) })

So how do I maximise portability and minimise keystrokes-to-access-a-password?

I thought about putting the data into a truecrypt file and keeping that on SpiderOak, but that required me to install truecrypt - which failed the Internet-cafe-no-install situation. If the data can be read and decrypted using javascript then a tiny jQuery page seemed to be the answer that I was looking for.

1. Log into SpiderOak
2. Download the encrypted file and the single html page, (Notice::Passwords)
3. Open Notice::Passwords in a web browser and read the datafile.


Step 2. could be "download paswd.7z" which would include the two files.

Alternatively, thanks to Mark Percival and Vincent Cheung you can just store all of your passwords encoded in your blog.
