Reusing passwords, or using the same small set of passwords across websites and systems, is a really bad idea.
Any website that does not hash its users' passwords can see your password in the clear and could try logging in as you on other websites.
Therefore you should always have a different password for each website or system you log in to.
Storing passwords in a secure way is an important part of any password management solution which I will discuss here.
On Windows or Mac you have products like LastPass or 1Password, where you log in to the product with one password to access all the others.
But what if you don't have a graphical interface and just use a terminal window?
Here I use Password Store. There are other solutions available, but I find this one the easiest.
pass is a very simple password store that keeps passwords inside gpg2-encrypted files in a simple directory tree.
My installation examples below are for Ubuntu, though pass should work the same across OSes.
Follow the instructions on http://www.passwordstore.org
sudo apt-get install pass
sudo apt-get install gnupg2
Set up a GPG2 key
We will use a GPG key on your computer that is passphrase protected, so you only ever need to remember one password to access all the others.
(Be careful: if you forget or lose this passphrase, the key is useless and can never be used again.)
Either view your existing keys with
or set up a new one
Use the defaults unless you have a reason not to
Answer the questions about your user identity
Enter your passphrase twice
Keep moving your mouse while it generates the entropy
If you are using Vagrant or something else that struggles to generate enough entropy, open a second terminal and install and run the following.
sudo apt-get install rng-tools
sudo rngd -r /dev/urandom
Find your GPG id
pub 2048R/910C0A8E 2014-11-07
In this line the GPG id is 910C0A8E
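The listing above shows the short 8-hex id. As an added example (not code from the original post or from the pass project), the helpers below read gpg2's machine-readable listing (gpg2 --list-keys --with-colons) instead of eyeballing the "pub 2048R/..." line, and resolve a short id to the full 40-hex fingerprint, refusing when more than one key ends in the same short id. The function names, the key ids and SAMPLE_LISTING are constructed; the listing mimics the --with-colons layout so the script runs without gpg installed.

```shell
# Added example, not part of the original post: pull key ids out of gpg2's
# machine-readable listing instead of reading the "pub 2048R/910C0A8E" line by eye.
# Real use: gpg2 --list-keys --with-colons | list_primary_keys
# SAMPLE_LISTING is constructed to look like that output: three keys, two of
# which end in the same 8-hex short id (DEADBEEF).
SAMPLE_LISTING='tru::1:1415318400:0:3:1:5
pub:u:2048:1:1A2B3C4D910C0A8E:1415318400:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF012345671A2B3C4D910C0A8E:
uid:u::::1415318400::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
sub:u:2048:1:AAAAAAAABBBBBBBB:1415318400::::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:u:2048:1:FFFFFFFFDEADBEEF:1415318400:::u:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEADBEEF:
uid:u::::1415318400::1111111111111111111111111111111111111111::Bob Example <bob@example.com>::::::::::0:
pub:u:2048:1:EEEEEEEEDEADBEEF:1415318400:::u:::scESC::::::23::0:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEDEADBEEF:
uid:u::::1415318400::2222222222222222222222222222222222222222::Eve Example <eve@example.com>::::::::::0:'

# Print "<long key id> <fingerprint> <user id>" for each primary key on stdin.
# Colon-format fields: $1 is the record type; a pub record has the 16-hex key id
# in $5; the fpr record that follows a pub carries the 40-hex fingerprint in $10;
# a uid record has the user id in $10. Subkeys (sub/fpr pairs) are skipped.
list_primary_keys() {
    awk -F: '
        $1 == "pub" { keyid = $5; fpr = ""; want_fpr = 1; next }
        $1 == "sub" { want_fpr = 0; next }
        $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0; next }
        $1 == "uid" && keyid != "" { print keyid, fpr, $10; keyid = "" }
    '
}

# Resolve a short id (the 8-hex form shown above) to exactly one fingerprint.
# Exit 1 when nothing matches, 2 when several keys share the short id.
# Short ids are cheap to collide, so give pass init the fingerprint instead.
resolve_short_id() {
    short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    list_primary_keys | awk -v s="$short" '
        substr($1, length($1) - length(s) + 1) == s { n++; fpr = $2 }
        END {
            if (n == 1) { print fpr; exit 0 }
            if (n == 0) { print "no key matches " s > "/dev/stderr"; exit 1 }
            print n " keys match " s "; use the full fingerprint" > "/dev/stderr"; exit 2
        }'
}

# Demo on the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | list_primary_keys
printf '%s\n' "$SAMPLE_LISTING" | resolve_short_id 910C0A8E
```

Resolving 910C0A8E prints the full fingerprint, which is the value to pass to pass init; resolving DEADBEEF fails because two of the constructed keys end in it, which is exactly the ambiguity the short form hides.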
Set up pass for gpg2
(Ctrl X, then y, enter to save)
Set up Password Store:
Set up with your own GPG key
pass init 910C0A8E
910C0A8E is the ID of my GPG key
Or, to grant a key access to only one folder, use -p
pass init -p Social 910C0A8E
Initialise the password store with git
pass git init
You want to do this so that every change is committed to git and you have a historical record.
Where are they stored:
All passwords live in ~/.password-store
Using Password Store
Some options may not be available in your version
List what is currently stored
Add password (manually enter password)
pass insert Social/Facebook
Generate and save a new password with 15 characters
pass generate Social/Facebook 15
(make sure you update your password on the website with the new generated password)
Add multiline password
pass insert -m Social/Facebook
Press Ctrl-D (^D) to finish
pass find Facebook
Copy password to the clipboard for 45 seconds
pass -c Social/Facebook
pass edit Social/Facebook
Move password file
pass mv Social/Facebook Social/Facebookold
pass rm Social/Facebookold
You can use git with an external repository to keep passwords synced across different systems
pass git push
pass git pull
You can use multiple GPG keys when sharing with a team of people
You can specify which folders each user/key has access to
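As an added example (not code from the original post or from the pass project), the helpers below show how that per-folder access works: pass picks the recipients for an entry from the nearest .gpg-id file, walking up from the entry's folder to the store root, and pass init -p Social KEYID writes Social/.gpg-id. The script builds a throwaway store in a temp directory and reports which keys can decrypt each entry, which is the check you want before sharing a store with a team. The function names, folder names and key ids are constructed.

```shell
# Added example, not part of the original post: pass encrypts an entry to the keys
# listed in the nearest .gpg-id file, searching upward from the entry's folder to
# the store root. These helpers read those files to show who can decrypt what.
# The store built by build_demo_store and its key ids are constructed.

# Print the key ids that apply to an entry: effective_gpg_ids <store> Social/Facebook
effective_gpg_ids() {
    store=$1
    case $2 in
        */*) dir=$store/$(dirname "$2") ;;
        *)   dir=$store ;;
    esac
    while [ "$dir" != "$store" ] && [ "$dir" != / ]; do
        if [ -f "$dir/.gpg-id" ]; then
            cat "$dir/.gpg-id"
            return 0
        fi
        dir=$(dirname "$dir")
    done
    cat "$store/.gpg-id"
}

# One line per entry, "<entry>: <key ids>", for every *.gpg file in the store.
audit_store() {
    find "$1" -name '*.gpg' | sort | while read -r f; do
        rel=${f#"$1"/}
        rel=${rel%.gpg}
        printf '%s: %s\n' "$rel" "$(effective_gpg_ids "$1" "$rel" | paste -s -d ' ' -)"
    done
}

# Build a throwaway store: the root is readable by one key, Social/ by two
# (what `pass init -p Social <key1> <key2>` would leave behind). Entries are empty
# placeholder files; only the .gpg-id layout matters here.
build_demo_store() {
    store=$(mktemp -d)
    mkdir -p "$store/Social" "$store/Bank"
    printf '%s\n' 1A2B3C4D910C0A8E > "$store/.gpg-id"
    printf '%s\n' 1A2B3C4D910C0A8E FFFFFFFFDEADBEEF > "$store/Social/.gpg-id"
    : > "$store/Social/Facebook.gpg"
    : > "$store/Bank/Chase.gpg"
    : > "$store/Email.gpg"
    printf '%s\n' "$store"
}

# Demo: Bank/Chase and Email fall back to the root key, Social/Facebook gets both.
STORE=$(build_demo_store)
audit_store "$STORE"
rm -rf "$STORE"
```

Note that pass init -p re-encrypts the existing entries under that folder for the listed keys; the audit above only reads the .gpg-id files and never touches the ciphertext, so it is safe to run against a real ~/.password-store.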
gpg2 encrypted files
Super simple to use
https://vaultproject.io is another interesting project that achieves a similar outcome.