History

I stopped using the browser to store my passwords about 8 years ago after I discovered that Firefox stored them in a plain text file on the file system. Even with a master password in place the file was completely unencrypted. That discovery prompted me to find another solution. Only at the time there really wasn’t any other option. A few years later Firefox started offering to sync passwords and other settings, as did a few third-party services and related extensions. I didn’t try any of the third-party ones, but I did allow Firefox to sync some things for me. The automatic syncing was nice for a while, until the fact that it was all unencrypted started to really get to me. It got to me to the point that I stopped syncing and removed my account. I needed some other way to manage my passwords. I dumped what I had in Firefox to a local file and managed them locally. I figured I couldn’t do worse than what the browser was doing, but I still wanted some way to encrypt them.

The current strategy

Then I encrypted the file with gpg and told vim to open .gpg files with gnupg. I love the simplicity and control it gives me. I use pwgen to generate really gnarly passwords and save them to the gpg protected file. I’ve been doing it this way for years now. It is very secure and private, but it isn’t very convenient. The inconvenience becomes apparent when using multiple computers and I need access to one of the passwords stored in said file. The problem arises when I try to figure out a way to access the file while away from my primary machine. My options are:

  • SSH to the other machine (sure, if I want to store the file on a publicly accessible machine or open ports to a private machine).
  • Rsync the file? (There has to be a copy on a public server somewhere. Also, if I forget to rsync after making a change, and I then make another addition elsewhere, how do I reconcile the difference?)
  • Use dropbox (I’m not a fan, and I’m paranoid about having a file called passwords.gpg in my dropbox with file names visible to dropbox employees).
  • Carry it around on a USB stick (sure, except I’m not a huge fan of this method either. They get lost. I’d need backups. Which is the latest copy? You get the idea.)
  • Roll my own password syncing service (interesting, but I have 2 kids now. Time is in short supply. Possible to do with fsync or some type of distributed file system.)

I’ve tried each of these methods. None of them work for me the way I’d like them to. Out of the list the one I used most often and for the longest period of time is SSH’ing to the machine with the password file on it. It has the advantage that I only have to maintain one copy and there’s nothing to sync to other computers. But I have to open my machine to the internet. Of course I use denyhosts and adding fwknop or some other port knocker would limit my exposure, but this seems like overkill just to access one file. And then I’m back to carrying around some tool that would allow me to knock and open ports.

Rsyncing never really worked because at times I actually do work on multiple machines simultaneously. I frequently have to have my password file open on both machines, and yes, I have made additions to the password file from either machine. If I’m particularly busy I don’t always take the time to rsync them. It’s an extra step. And how do I rsync them without stomping on each other’s additions? What I need is a system that does versioning and syncing automatically in a smart way. Better yet would be a system that is transparent to me.

Using dropbox is okay. I know it’s a popular option for a lot of people for a lot of things. I’ve never really cared much for it. The primary issue in this case, though I’ll admit it isn’t a huge one, is that since file names are visible to the fine folks at dropbox, it becomes obvious what is contained in the file. They won’t be able to view the contents, but still the context is there. I could, and have, overcome this issue by overlaying my dropbox with ecryptfs. Ecryptfs allows me to have an encrypted file system with optional filename encryption as well. The downside here is again the fact that this setup is not automatic nor transparent. I could make it automount my ecryptfs shares, but that password would have to be stored somewhere and I simply don’t care to have to do that. Doing so seems to kind of miss the point. I also realize that I could simply rename the file, you know, a little security through obscurity. That’s always seemed kind of lame to me. I mean really.

USB stick? No thanks. Losing it isn’t so much a problem in that I’m worried someone would find it and open my password store, though they could attempt a brute force attack. But here again, if I haven’t been making regular and frequent backups and I lose the stick, I’ve lost all my passwords since the last backup. I am prone to losing little things, and I’m lazy and don’t always back up like I should.

I seriously looked at rolling my own password syncing service. Using something like fsync makes this a real possibility. It would take care of the rsyncing automatically anytime I made an edit to whichever copy I was currently working on. The one issue I couldn’t work out was notifying a client that the server contains changes that need to be pulled down. I suppose I could use a hashsum and a cron job. It’s on the back burner for now. Perhaps I’ll get around to it one of these days. It does seem like a cool thing to try and do.

So for the most part I make all edits and lookups from one machine that isn’t internet accessible. I’ve been doing this for years now and even with the total lack of convenience I’ve kept using it, as it offers maximum privacy and security. Privacy and security are high up on my list of important things. One thing this system lacks is browser integration. I’ll admit that it is very nice to have the browser offer to store passwords and fill them in for me automatically, no matter how insecure the implementations have been. I do miss this, but not enough to cause me to abandon my system just to have this feature.

Ideal Password Management System

My ideal password management system would provide these features, in order of importance:

  • Maintains my privacy through the use of encryption or by not storing my data
  • Maintains the integrity of my passwords, again through the use of real encryption or by not storing my data
  • Allows me to choose the pass phrase protecting the encryption key
  • Automatically syncs my passwords between multiple machines, in a secure and encrypted fashion of course
  • Has browser integration, i.e. auto form filling and offering to store username/password combos
  • Offers a way to generate long random passwords that utilize all the character sets, bonus for being able to specify length

So with these things in mind I decided it might be time to start looking for some other option.

About the same time I heard about LastPass, so I started to check them out a little bit. I was skeptical though because it’s a service that essentially hosts my data on their servers. I created an account and stored a few passwords in it just to get my feet wet. But I didn’t really understand how their system worked. I forgot about them and moved on.

Sometime later LastPass had the network anomaly. I was not worried as I did have a decently complex pass phrase and I only had a few sites stored.

Password Maker

Password Maker works by hashing several pieces of information about a site. In its simplest form it takes a password you provide and the hostname of the site you’re on and hashes them into an md5 string. You can limit the length of the output string and presto, you have a decently hard to guess password. You then use this as the password for the site. If you do this for every site you log into you’ll have a unique password for each and every site you visit, and you can continue to remember only one password. Since giving the same inputs to a hashing algorithm will always result in the same output, you will always get back the same password for each site.

It comes as a browser extension for Firefox, Chromium, and Opera so you can have access to your site passwords across browsers. There are various applications for desktop and mobile phones as well: a command line client and an html/js only version that you can throw on a usb stick and off you go. There’s even a version for my outdated n900.

I very much liked the idea of not having passwords stored anywhere at all. There are no servers to get compromised. There’s nothing I have to share with companies that I don’t fully trust. And it doesn’t cost anything. That’s always icing on the cake. It’s open-source too!

So I decided to give it a spin. It worked and it worked well. I was quickly falling in love with the simplicity of password maker and could soon see the end of my gpg protected container. It offered maximum privacy, maximum security, and a decent amount of convenience in the form of portability.

I tried it for 3 months. I gave it a fair go. But I found an issue that I couldn’t easily resolve. The problem I ran into is that I didn’t leave it set at its default hashing options. This caused problems when I was on other machines and was trying to recreate the password that I had set a site to. Particularly when I tried to use it on my n900 I had trouble reproducing the hashed password. I had so much trouble in fact that I was locked out of one very important account. The issue was that the gui for the n900 didn’t provide all the options that the Chromium extension and the command line version on the phone did. The gui was just a wrapper around the command line version. I had so much trouble reliably producing results on my phone that I resorted to using the command line version. Due to the fact that I was using a bunch of non-default options and more than just the host name part of the url, it quickly became a real pita as I had to type a lot of commands just to get a password. Sure, I could write a quick bash script and maybe I will. There were other issues with the hashing of passwords. For whatever reason, some sites reject passwords that contain special characters. They only allow alpha-numeric characters to be used in the password. In order to get Passwordmaker to do this you must change the hashing options for this one particular site. This again becomes problematic to recall and reproduce for the specific sites across devices and platforms. All of this still left me unsatisfied and wanting more from my password management strategy.

One last issue I ran into was how to go about changing a password for a site that periodically requires you to change your password. If the same inputs always produce the same output, how does one create a new password for a given site? At the time I was unable to find a solution. Turns out though that they have already worked that out and they make it available on their Wiki. However, I think this is describing the Firefox extension’s usage only. I’m using the Chromium extension. I have not tried this.
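The hashing scheme described above, together with the snags in the last two paragraphs (options that must be reproduced identically on every device, sites that only accept alphanumeric passwords, and rotating a site's password), as an added toy model in Python. It is not PasswordMaker's own code or algorithm (its real mapping from hash to character set differs); the `modifier` input, the character sets and the site profiles are assumptions made for illustration.

```python
import hashlib
import string

# Constructed toy model of the Password Maker idea: a site password is
# derived by hashing the master password with site-specific inputs, so
# nothing is stored anywhere. This is NOT PasswordMaker's real algorithm
# (its hash-to-charset mapping differs); it only illustrates the behaviour.
FULL_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
ALNUM_CHARSET = string.ascii_letters + string.digits


def derive_password(master, host, length=12, charset=FULL_CHARSET,
                    modifier="", algorithm="md5"):
    """Deterministically derive a password for `host` from `master`.

    `modifier` is a hypothetical extra input (e.g. a rotation counter):
    change it and the site gets a new password from the same master.
    Every argument is part of the input, so every option must be
    reproduced exactly on every device to get the same password back.
    """
    material = f"{master}\x00{host}\x00{modifier}".encode()
    out = []
    counter = 0
    while len(out) < length:
        # Chain hash blocks so any requested length can be served.
        block = hashlib.new(algorithm, material + bytes([counter])).digest()
        # Toy mapping (modulo bias is acceptable for a demo, not real use).
        out.extend(charset[b % len(charset)] for b in block)
        counter += 1
    return "".join(out[:length])


# Per-site overrides are the part that is hard to carry across devices;
# these profiles are constructed examples, not real accounts or settings.
SITE_PROFILES = {
    "example.com": {"host": "example.com"},                           # defaults
    "bank.example": {"host": "bank.example", "length": 16,
                     "charset": ALNUM_CHARSET},                        # alnum only
    "rotated.example": {"host": "rotated.example", "modifier": "2"},  # 2nd rotation
}


def password_for(master, site):
    """Look up the site's saved options and derive its password."""
    return derive_password(master, **SITE_PROFILES[site])


if __name__ == "__main__":
    for site in SITE_PROFILES:
        print(site, password_for("correct horse", site))
```

Losing the per-site profile (or using a client that lacks one of its options) is exactly the lockout the post describes: the master password is still right, but the inputs no longer match.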

LastPass

I decided it was time to give LastPass another look. Since there was an unexplained anomaly that adds validity to my concern over giving anyone a copy of my data, I started with their extensive documentation instead of their marketing. I wanted to get my head around how the system really works and whether or not it measures up to their claims. LastPass stated after the anomaly that if you had a decently strong password you had nothing to worry about. They forced everyone to change their master password and recommended that you change the passwords on your stored accounts. Personally I think this was the responsible thing to do. I wonder how many companies would not have said anything at all. Now, if I didn’t act upon their recommendation and the accounts I had stored in their system were compromised, who do I have to blame? Myself really, if I didn’t heed the warning. It isn’t fair to expect that their system will never be compromised. Even Google has experienced breaches.

What I found out is that the design of the system is very secure and similar to the geek trusted online backup system of SpiderOak. I’ll write in more detail about the design of the system in a future post, but for now go read their extensive documentation.

It is secure. It encrypts everything on the client side with a pass phrase that I’ve selected and is only known to me. It’s convenient as it offers to populate sign-in forms for me and it notices logins and offers to store those passwords for future use. It even notices password changes and offers to update previously stored passwords. It syncs across platforms, devices, browsers, and operating systems.

Let’s see if it meets the criteria I set above.

  • It maintains my privacy in the sense that the data is encrypted client-side using a pass phrase chosen and known only to me.
  • They do store my data on their servers but never in an unencrypted form. Everything is encrypted/decrypted locally. So this point is a yes/no. Yes it’s secured by properly using encryption, but it is stored on servers I don’t control.
  • Obviously and as already mentioned I not only can, but am required to choose my own pass phrase that is used to encrypt the data.
  • Automatically syncing my passwords between systems, browsers, and devices is the primary benefit LastPass has to offer over the other password management strategies I’ve tried.
  • Again, here is one of the primary features of LastPass. It has tight integration into the browser. It offers to fill login forms with known username/password combinations and to store any new ones. This allows for easy management of multiple logins to the same site. Especially useful for Twitter ;-).

I’ve been using LastPass for several months now and I have made significant productivity gains, as all the issues I experienced with my gpg method have disappeared. My passwords are automatically synced between browsers and any additions I make on one system are available within minutes on another. Currently, I’m in love with this product and I can’t recommend it enough; I have no idea how I got along without it before. One feature that caused me to take another look at LastPass was the password sharing feature. I needed to share a password with my wife. LastPass allowed me to do this very easily and securely. Anytime I update the password she’ll get the latest copy.

The one and only downside to LastPass is that my data is stored on their servers. I’m comforted by the fact that all encryption/decryption happens locally with my pass phrase, and the fact that they offer many two-factor and one time password options.

One other thing worth mentioning here is that LastPass’s real strength comes from the fact that it will generate complex passwords for you. You specify the requirements (length and character sets) and it will generate one for you. Using this feature makes it possible to have different passwords for every single site you log into. If one of your accounts is compromised, the chances that others will get pwnd as well diminish. Unless of course the account getting compromised is your LastPass account.

If you have previously written off LastPass because of the anomaly or because of your paranoid mistrust of companies, I encourage you to take another look. Look deeper. Try to understand the design goals. Test out the system. Study it. Share what you find. Then let me know where you have posted your findings as I’m really interested in knowing more. I plan to do more study and I will share what I find out in the future. For now LastPass has greatly simplified my password management strategy. Barring any huge hole or vulnerability in their design I’ll continue to use and endorse them.