Rotating passwords

Friday, 24 February 2017

Like many people I use a password manager to record logins to websites. I previously used a tool called pwsafe, but these days I use pass.

Although I don't like the fact that the meta-data is exposed (each entry is a plain file named after the site, so the names are visible to anyone who can read the store), the tool is very useful, and its integration with git is both simple and reliable.

Reading about the security issue that recently affected Cloudflare made me consider rotating some passwords. Because the store is a git repository, I figured I could use the commit history to find the last update-time of each password. Indeed that was pretty simple:

git ls-tree -r --name-only HEAD | while read -r filename; do
  echo "$(git log -1 --format="%ad" -- "$filename") $filename"
done

Of course that's not quite enough, because we want the output sorted, and sorting is easiest on the seconds-since-epoch timestamp (%at) rather than on the human-readable date. All together I wrote this:

#!/bin/sh
# Show password age - should be useful for rotation - we first of all
# format the timestamp of every *.gpg file, as both unix+relative time,
# then we sort numerically on the unix time, and finally we output that
# sorted data - but we skip the first field which is the unix-epoch time.
( git ls-tree -r --name-only HEAD | grep '\.gpg$' | while read -r filename; do \
      echo "$(git log -1 --format="%at %ar" -- "$filename") $filename" ; done ) \
        | sort -n | awk '{for (i=2; i<NF; i++) printf $i " "; print $NF}'

Not the cleanest script I've ever hacked together, but the output is nice:

 steve@ssh ~ $ cd ~/Repos/personal/pass/
 steve@ssh ~/Repos/personal/pass $ ./password-age | head -n 5
 1 year, 10 months ago GPG/root@localhost.gpg
 1 year, 10 months ago GPG/
 1 year, 10 months ago GPG/
 1 year, 10 months ago Git/
 1 year, 10 months ago Git/

Now I need to pick the sites whose passwords are more than a year old and rotate those credentials, or delete the accounts, as appropriate.
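The same idea, written as an added example rather than code from the post: password age is taken from the entry's last commit, exactly as above, but the output is tab-separated so paths with spaces survive, and a second function turns it into the "older than N days" list that the rotation step needs. The function names (password_age, stale_passwords, make_sample_store) are my own, and the sample store the script builds is constructed dummy data, not a real password store.

```sh
#!/bin/sh
# Added example, not code from the original post.  Assumes the password store
# is a git repository, as in the post; function names are my own.
set -eu

# Print one line per tracked *.gpg file in the store at $1, oldest first:
#   <unix-epoch>\t<relative age>\t<path>
# Tabs separate the fields so paths containing spaces stay intact.
password_age() {
    store=$1
    git -C "$store" ls-files -- '*.gpg' |
    while IFS= read -r f; do
        printf '%s\t%s\n' \
            "$(git -C "$store" log -1 --format='%at%x09%ar' -- "$f")" "$f"
    done | sort -n
}

# Print the entry names (without .gpg) whose last change is more than $2 days
# before now; these are the rotation candidates.
stale_passwords() {
    store=$1
    days=$2
    cutoff=$(( $(date +%s) - days * 86400 ))
    password_age "$store" |
        awk -F '\t' -v cutoff="$cutoff" '$1 < cutoff { print $3 }' |
        sed 's/\.gpg$//'
}

# Build a constructed sample store in $1 so the functions can be tried offline:
# three dummy entries, each committed with a back-dated author/committer date.
# The .gpg files hold placeholder text, not real ciphertext.
make_sample_store() {
    dir=$1
    mkdir -p "$dir/Web" "$dir/Mail"
    git -C "$dir" init -q
    git -C "$dir" config user.email you@example.com
    git -C "$dir" config user.name you
    # "path|days-ago" pairs; each file gets its own commit dated that far back
    for spec in 'Web/old site.gpg|400' 'Mail/work.gpg|200' 'Web/fresh.gpg|3'; do
        name=${spec%|*}
        ago=${spec#*|}
        echo placeholder > "$dir/$name"
        git -C "$dir" add -- "$name"
        when=$(( $(date +%s) - ago * 86400 ))
        GIT_AUTHOR_DATE="$when +0000" GIT_COMMITTER_DATE="$when +0000" \
            git -C "$dir" commit -q -m "add $name"
    done
}

# Usage: ./password-age.sh demo   (builds the sample store and prints both lists)
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_store "$tmp"
    password_age "$tmp"
    echo "--- older than 365 days:"
    stale_passwords "$tmp" 365
    rm -rf "$tmp"
fi
```

Run against a real store with `stale_passwords ~/.password-store 365` to get the list of entries to rotate; on the constructed sample it reports only `Web/old site`.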



Comments On This Entry

Stig Sandbeck Mathisen

Submitted at 19:22:41 on 24 February 2017

Nice, that goes right into the toolbox. :)

I like that the output is nice and readable.

For some reason I had pass files with spaces in them, so I made a few changes to make it handle that:

git ls-files '*.gpg' | while read filename; do
  changed_at=$(git log -1 --format="%at %ar" -- "$filename")
  printf "%s %s\n" "$changed_at" "$filename"
done | sort -n | cut -f 2- -d ' '

anarcat

Submitted at 01:17:11 on 25 February 2017

pass now supports extensions. You should submit this as an "age" subcommand! :)

[author] SteveKemp

Submitted at 04:41:15 on 25 February 2017

anarcat, that's a great idea. It seems that moving the script to .extensions/age.bash is sufficient to make it work.

The only downside is that the upstream git-repository seems to have no included examples, so I'm not sure that submissions are accepted.

Ivan

Submitted at 22:45:13 on 3 March 2017

I've come up with the following "almost one-liner" script after looking at your article:

# HOMEDIR is the password-store directory (pass defaults to ~/.password-store)
find "$HOMEDIR" -type f -iname "*.gpg" -mtime +180 -printf "%TY-%Tm-%Td %P\n" | sed 's/\.gpg$//' | sort -nr

The reason for using it instead of git is that some folks aren't necessarily using the Git integration of the password store.

