About Archive Tags RSS Feed

 

Rotating passwords

24 February 2017 21:50

Like many people I use a password-manage to record logins to websites. I previously used a tool called pwsafe, but these days I switched to using pass.

Although I don't like the fact the meta-data is exposed the tool is very useful, and its integration with git is both simple and reliable.

Reading about the security issue that recently affected cloudflare made me consider rotating some passwords. Using git I figured I could look at the last update-time of my passwords. Indeed that was pretty simple:

git ls-tree -r --name-only HEAD | while read filename; do
  echo "$(git log -1 --format="%ad" -- $filename) $filename"
done

Of course that's not quite enough because we want it sorted, and to do that using the seconds-since-epoch is neater. All together I wrote this:

#!/bin/sh
#
# Show password age - should be useful for rotation - we first of all
# format the timestamp of every *.gpg file, as both unix+relative time,
# then we sort, and finally we output that sorted data - but we skip
# the first field which is the unix-epoch time.
#
( git ls-tree -r --name-only HEAD | grep '\.gpg$' | while read filename; do \
      echo "$(git log -1 --format="%at %ar" -- $filename) $filename" ; done ) \
        | sort | awk '{for (i=2; i<NF; i++) printf $i " "; print $NF}'

Not the cleanest script I've ever hacked together, but the output is nice:

 steve@ssh ~ $ cd ~/Repos/personal/pass/
 steve@ssh ~/Repos/personal/pass $ ./password-age | head -n 5
 1 year, 10 months ago GPG/root@localhost.gpg
 1 year, 10 months ago GPG/steve@steve.org.uk.OLD.gpg
 1 year, 10 months ago GPG/steve@steve.org.uk.NEW.gpg
 1 year, 10 months ago Git/git.steve.org.uk/root.gpg
 1 year, 10 months ago Git/git.steve.org.uk/skx.gpg

Now I need to pick the sites that are more than a year old and rotate credentials. Or delete accounts, as appropriate.

| 4 comments

 

Comments on this entry

icon Ivan at 22:45 on 3 March 2017
https://www.tomica.me

I've come up with following, "almost oneliner" script after looking at your article:

#!/bin/bash

HOMEDIR="/home/$(whoami)/.password-store/"

find "$HOMEDIR" -type f -iname "*.gpg" -mtime +180 -printf "%TY-%Tm-%Td %P\n" | sed 's/.gpg$//g' | sort -nr

Reason for using it instead of git is that some folks aren't necessarily using Git integration of password store.

icon SteveKemp at 04:41 on 25 February 2017
https://steve.fi/

anarcat that's a great idea. It seems that moving the script to .extensions/age.bash is sufficient to make it work.

The only downside is that the upstream git-repository seems to have no included examples, so I'm not sure that submissions are accepted.

icon anarcat at 01:17 on 25 February 2017
https://anarc.at/

pass now supports extensions. you should submit this as a "age" subcommand! :)

icon Stig Sandbeck Mathisen at 19:22 on 24 February 2017
https://fnord.no

Nice, that goes right into the toolbox. :)

I like that the output is nice and readable.

For some reason I had pass files with spaces in them, so I made a few changes to make it handle that:

git ls-files '*.gpg' | while read filename; do
  changed_at=$(git log -1 --format="%at %ar" -- "$filename")
  printf "%s %s\n" "$changed_at" "$filename"
done | sort -n | cut -f 2- -d ' '