Bilal's Blog


How I Manage My Passwords

About 3 years ago, when I still had social media, I got an email from Instagram saying my account had been logged into from Thailand. It had the IP address of the device and some other information. I remember freaking out and logging out that session in the options. I also changed my password really quickly. But that incident was a wake-up call for me, because I realized I did not have many passwords. I only used 3 or 4 passwords for pretty much all my online accounts, with some variations here and there. But with brute force, and knowing just one version of a variation, the rest can easily be figured out. About a month later, the same thing happened again. This time it was my Uber account. It was really frustrating, and I had to put an end to it. I ended up signing up with LastPass, a password manager service. So what I ended up doing was going through all my accounts and generating passwords for each one. I also turned on two-factor authentication for the services that allowed it. That was a big relief, as I was in a much safer place than before: if any one of my passwords got leaked, there was no longer a single point of failure. As time went by, I grew to like LastPass more and more, because it had a CLI version, which made the application and its usability a lot more extensible. But I still had some reservations about LastPass. The biggest one is that it's not open source. Now that might not sound like a big deal to most people, but having your passwords stored on some server, managed by an application that is closed source, is a bit scary. I did however overlook that for some time for the sake of the convenience LastPass provided, and I got pretty proficient at using its CLI version. After a year of using it, they came out with a new policy restricting access to a number of devices. That wasn't really a big deal to me, as I only used the CLI version of the app on my computer and did not have the Android app, because to be honest, I'd rather use my phone to call and text than manage my finances on there.

After LastPass put out that policy, I decided to look for a new password manager. My top three requirements for a password manager are that it has to be free and open source, completely offline, and have a CLI version. This is when I came across Pass, the standard Unix password manager. It's so simple a monkey could use it. It's completely offline, it uses GPG keys to encrypt and decrypt passwords, and it has a CLI version. In fact, it is made to be used on the command line. What it basically does is create one text file per password and encrypt it with your GPG key (the password goes on the first line; you can also add notes and other information on the lines below). To retrieve a password, Pass decrypts the text file and, with the -c flag, copies the password to the clipboard for 45 seconds, after which the clipboard is cleared; the encrypted file on disk is left as it was. To add a password:

$ pass add Test
Enter password for Test:
Retype password for Test:

$ pass show Test
hellotherepassword

You can read about Pass's other functionality in its man page. A couple more things I want to add: pass also handles 2FA (through the pass-otp extension) and generates the 5 or 6 or however many digits the service expects. It can also help migrate your passwords from pretty much any password manager service you use, something I did not know about until I had migrated everything manually. Although Pass has the ability to generate passwords, I use pwgen for that, a much better password generator utility in my opinion. If you use it, I strongly recommend always running it with the --capitalize --numerals --symbols --secure --ambiguous flags.
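To show what is actually inside a pass entry and how the 2FA digits mentioned above are produced, here is an added Python example (not code from the blog, from pass, or from pass-otp). It assumes the entry has already been decrypted by GPG, uses the layout pass documents (password on the first line, notes below) and the otpauth:// URI convention pass-otp reads from those notes, and computes the code with the HOTP/TOTP algorithms from RFC 4226 and RFC 6238 using only the standard library. The sample entry and its secret (the RFC 6238 reference key, base32-encoded) are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of a *decrypted* pass entry, in the layout pass uses:
# line 1 is the password, every later line is free-form notes. pass-otp keeps
# the second factor as an otpauth:// URI on one of those lines. The secret
# here is the RFC 6238 reference key "12345678901234567890", base32-encoded.
SAMPLE_ENTRY = """hellotherepassword
username: bilal
otpauth://totp/Example:bilal?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30
"""


def parse_entry(text):
    """Split a decrypted entry into (password, note_lines)."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("entry has no password on its first line")
    return lines[0], lines[1:]


def find_otpauth(notes):
    """Return the parsed otpauth:// URI from the note lines, or None if absent."""
    for line in notes:
        if line.startswith("otpauth://"):
            return urlparse(line)
    return None


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _uri_params(uri):
    """Pull secret, digit count, period and hash algorithm out of the otpauth query."""
    params = parse_qs(uri.query)
    raw = params["secret"][0].upper()
    secret = base64.b32decode(raw + "=" * (-len(raw) % 8))  # restore any stripped padding
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    algo = params.get("algorithm", ["SHA1"])[0].lower()
    return secret, digits, period, algo


def totp_from_uri(uri, now):
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    secret, digits, period, algo = _uri_params(uri)
    return hotp(secret, int(now) // period, digits, algo)


def verify_code(submitted, uri, now, window=1):
    """Accept the code for the current step or `window` steps either side (clock skew),
    comparing in constant time so a wrong guess leaks nothing through timing."""
    _, _, period, _ = _uri_params(uri)
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp_from_uri(uri, now + step * period), submitted):
            return True
    return False


if __name__ == "__main__":
    password, notes = parse_entry(SAMPLE_ENTRY)
    uri = find_otpauth(notes)
    print("password:", password)
    print("current TOTP:", totp_from_uri(uri, time.time()))
```

The point worth noticing is that the "2FA" secret is just another line in the same GPG-encrypted file as the password, so a pass store holding both factors is only as strong as the GPG key protecting it; the code itself is derived from that secret plus the current time, which is why the digits change every 30 seconds.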
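To make the recommended pwgen flags concrete, here is an added Python example (not the blog's code and not pwgen's) that builds the same character classes the flags ask for, draws every character from the operating system's CSPRNG the way --secure does, drops look-alike glyphs the way --ambiguous does, and reports the resulting entropy. The set of "ambiguous" characters is an assumed approximation constructed for this example, not copied from pwgen.

```python
import math
import secrets
import string

# Assumed approximation of the characters pwgen's --ambiguous option drops (glyphs
# that are easily confused in print, such as l/1 and O/0). Constructed for this
# example, not copied from pwgen.
AMBIGUOUS = set("B8G6I1l0OQDS5Z2")


def build_alphabet(capitalize=True, numerals=True, symbols=True, ambiguous=False):
    """Alphabet matching the pwgen flags: --capitalize, --numerals and --symbols
    add classes; ambiguous=False plays the role of --ambiguous and removes look-alikes."""
    alphabet = string.ascii_lowercase
    if capitalize:
        alphabet += string.ascii_uppercase
    if numerals:
        alphabet += string.digits
    if symbols:
        alphabet += string.punctuation
    if not ambiguous:
        alphabet = "".join(c for c in alphabet if c not in AMBIGUOUS)
    return alphabet


def generate_password(length=20, capitalize=True, numerals=True, symbols=True, ambiguous=False):
    """--secure style: every character drawn independently from the CSPRNG (no
    pronounceable structure), rejecting draws that miss a requested class."""
    alphabet = build_alphabet(capitalize, numerals, symbols, ambiguous)
    required = []
    if capitalize:
        required.append(str.isupper)
    if numerals:
        required.append(str.isdigit)
    if symbols:
        required.append(lambda c: c in string.punctuation)
    if length < len(required) + 1:
        raise ValueError("length too short to hold every requested character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(test(c) for c in candidate) for test in required):
            return candidate


def check_policy(password, ambiguous=False):
    """Which of the flag-mandated properties a given password satisfies."""
    return {
        "capitalize": any(c.isupper() for c in password),
        "numerals": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
        "no_ambiguous": ambiguous or not (set(password) & AMBIGUOUS),
    }


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly drawn password of this length; the rejection step
    above removes a negligible fraction of strings, so this is a close upper bound."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, check_policy(pw), round(entropy_bits(20, len(build_alphabet())), 1))
```

Two things the numbers make visible: dropping ambiguous characters shrinks the alphabet from 94 to 79 symbols, costing about a quarter of a bit per character, which is cheap insurance against mistyping a password read off paper; and a 20-character password from either alphabet carries well over 120 bits, which is what makes generated-per-site passwords immune to the "guess one, derive the rest" problem described at the top of the post.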
