The Gorilla and the Wallet

I try very hard to be careful with passwords, and to follow modern best practices: I use an encrypted password safe, with a master password known only to me.  I memorize only my login passwords and my master password.  I allow my browser to remember web passwords for me, also protected with my master password.  I use RSA keys with ssh-agent for remote access to my servers.  Everything else gets looked up manually when needed.

First, let me answer “Why do this?”.  The general public is constantly bombarded with advice on security.  A lot of it is focused on the use of passwords.  It is difficult, if not impossible, to follow it all.  “Memorize your passwords!”  “Don’t write them down!”  “Don’t use names or birth dates!”  “Don’t use dictionary words!”  “Mix letters and digits!” “… and symbols!”  “Upper and lower case, too!”  “Make a different password for every website or program!”

As Charlie Brown would say, Aaaaauuuuugggggghhhhhh!

Because I’m obsessive, I’ve been following all of the above advice for several years.  Well, actually, with one adjustment:  I can’t memorize them all.  I don’t even try.  I get my computer to memorize them for me.  As I mentioned above, my browser’s password manager takes care of the daily grind.  But not everything is on the web, and there are web sites (banks, usually) that deliberately defeat the browser’s tool.  To cover the rest of the bases, and keep a permanent record of my scattered web accounts, I use the Password Gorilla.  I store its encrypted archive in my Windows “My Documents” folder, so I can get to it whether I boot Windows or Linux.

To follow the rest of the “best practices” for passwords, I let the Password Gorilla create nice, long, random strings for me.  If I’m not going to bother memorizing them, and I’ll be copying and pasting when needed, they might as well be unmemorizable.

Until this week, my daily routine went like so:  1) log in to Windows or KDE with user name and memorized password.  2) Give ssh-agent my memorized RSA passphrase.  3) Start Mozilla Thunderbird and give it my memorized master password.  4) Start Mozilla Firefox and give it my memorized master password.  Repeat for Firefox and Thunderbird any time they are restarted.

This week, I discovered two tools that dramatically simplify my KDE experience.  The KDE desktop environment has its own password manager, called KWallet.  It takes care of this task for all standard KDE applications, like the Konqueror web browser, and the KMail e-mail client.  Since I don’t use these, I hadn’t paid much attention to KWallet.  My new tools are: ksshaskpass, the KDE alternative to x11-ssh-askpass; and the Firefox add-on named “KDE Wallet password integration”.  Both of these tools look in KWallet for their pass phrases and passwords, and put new ones there as appropriate.  On a hunch, I successfully hacked the Firefox add-on’s install package to install it in Thunderbird.
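
For readers who want to try the same trick, here is one way to do it, as an added example that is not the add-on author’s code and not necessarily the edit made above.  Firefox and Thunderbird add-ons of this generation are zip files (.xpi) whose install.rdf lists the applications they may be installed into, one em:targetApplication entry per application GUID; Thunderbird refuses any .xpi that does not name its own GUID.  The script below takes the unzipped install.rdf, clones the existing Firefox entry into a Thunderbird one, and leaves the zipping and unzipping to the reader.  The two GUIDs are the well-known Firefox and Thunderbird application IDs; the sample manifest and the 3.0 to 3.1.* version range are constructed assumptions that must be adjusted to the Thunderbird actually in use.

```python
"""Add a Thunderbird <em:targetApplication> entry to a Firefox add-on's install.rdf.

Added example, not the add-on author's code.  Assumed workflow: unzip the .xpi,
run this on install.rdf, zip the directory back up into a new .xpi.
"""
import copy
import sys
import xml.etree.ElementTree as ET

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
ET.register_namespace("em", EM)
ET.register_namespace("RDF", RDF)

# Well-known application GUIDs as they appear in install.rdf targetApplication entries.
FIREFOX_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"
THUNDERBIRD_ID = "{3550f703-e582-4d05-9a08-453d09bdfdc6}"

# Constructed sample manifest (assumption: the real add-on's file is laid out like this).
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>kwallet-example@example.invalid</em:id>
    <em:version>0.1</em:version>
    <em:name>KDE Wallet password integration (constructed sample)</em:name>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>3.0</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""


def _q(ns, local):
    """Clark-notation tag name, e.g. {http://www.mozilla.org/2004/em-rdf#}id."""
    return "{%s}%s" % (ns, local)


def target_app_ids(manifest_xml):
    """Return the application GUIDs a manifest already targets, in document order."""
    root = ET.fromstring(manifest_xml)
    ids = []
    for ta in root.iter(_q(EM, "targetApplication")):
        node = ta.find("./%s/%s" % (_q(RDF, "Description"), _q(EM, "id")))
        if node is not None and node.text:
            ids.append(node.text.strip())
    return ids


def add_target_application(manifest_xml, app_id, min_version, max_version):
    """Return the manifest with a targetApplication for app_id appended.

    Idempotent: if app_id is already targeted the manifest is returned as-is
    (re-serialized).  The new entry is a deep copy of the first existing one,
    so the element layout stays whatever the add-on author wrote.
    """
    root = ET.fromstring(manifest_xml)
    if app_id in target_app_ids(manifest_xml):
        return ET.tostring(root, encoding="unicode")

    apps = list(root.iter(_q(EM, "targetApplication")))
    if not apps:
        raise ValueError("install.rdf declares no targetApplication to clone")

    clone = copy.deepcopy(apps[0])
    desc = clone.find(_q(RDF, "Description"))
    for local, value in (("id", app_id),
                         ("minVersion", min_version),
                         ("maxVersion", max_version)):
        node = desc.find(_q(EM, local))
        if node is None:  # some manifests omit a version bound; create it
            node = ET.SubElement(desc, _q(EM, local))
        node.text = value

    # ElementTree has no parent pointers; build a map so the clone can go
    # directly after the last existing targetApplication.
    parents = {child: parent for parent in root.iter() for child in parent}
    last = apps[-1]
    parent = parents[last]
    parent.insert(list(parent).index(last) + 1, clone)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # usage: python patch_install_rdf.py path/to/unzipped/install.rdf
    # Assumed version range; change it to match the Thunderbird you run.
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched = add_target_application(original, THUNDERBIRD_ID, "3.0", "3.1.*")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + patched + "\n")
    print("now targets:", target_app_ids(patched))
```

The manifest edit only gets the package past Thunderbird’s install check.  Whether the add-on’s overlay and JavaScript actually do anything useful once inside the mail client is a separate question; in this case it evidently did, but an add-on that overlays Firefox-only windows will install cleanly and then do nothing.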

My daily routine is now:  1) log in to KDE with user name and memorized password.  2) Open KWallet with my memorized master password when ssh-agent asks for my RSA passphrase.  That’s it.  As long as KWallet remains open, both Thunderbird and Firefox have immediate access to their passwords.

Password Gorilla is still my fallback, and my permanent archive of account information, but KWallet can now handle the daily grind.