Friday, February 15, 2008

sudo gem install password

password: brain-dead simple password storage
by Giles Bowkett
http://gilesbowkett.blogspot.com/2008/02/sudo-gem-install-password.html

== DESCRIPTION:

password is a simple command-line tool to store your INESSENTIAL passwords.

All passwords stored with password are stored as plain text in a file called
".they_stole_my_facebook_login_oh_noez" in your home directory.

If you store vitally essential personal information using password, you are a
dumb motherfucker. (Or, at least, much braver than smart.)

password exists because I could not give a flying fuck if somebody steals my
Twitter login and because I discovered research which indicates removing
registration requirements from online communities actually IMPROVES the
signal-to-noise ratio, consistently, by a nontrivial margin.

OpenID is not the solution. Not giving a fuck is the solution. Therefore I
present password - the crucial tool for people who don't give a fuck.

== CODE EXAMPLES:

password -g twitter
password --get twitter

Prints your Twitter username and password to the terminal.

password -a

Prints every known username/password combo to the terminal.

password -s twitter wilbur s3cr3t
password --set twitter wilbur s3cr3t

Sets your password entry for "twitter" to username "wilbur" and password
"s3cr3t".

password -G twitter wilbur
password --generating_set twitter wilbur

Sets your password entry for "twitter" to username "wilbur" and a 10-digit
autogenerated password, and prints the new username/password combo.

password -l 23 -G twitter wilbur
password --length 23 --generating_set twitter wilbur

Sets your password entry for "twitter" to username "wilbur" and a 23-digit
autogenerated password, and prints the new username/password combo.

All password really does is store a hash as YAML, so if you store a password
as "twitter" you won't be able to retrieve it as "Twitter." That's the bad
news; the good news is that if you really care about security, you can use
nicknames for sites, instead of their literal names, and combine that with
password's ability to create arbitrary-length autogenerated random passwords.
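As an added illustration, not the gem's own source (the post does not include it): a Ruby sketch of the model the README describes, a YAML hash keyed by the exact site name, with get, set and a length-controlled generating set. STORE_PATH, the function names and the character set are assumptions.

```ruby
# Added example, not the password gem's code: a minimal YAML-backed store with
# the README's three operations. Entries land on disk as plain text, which is
# exactly the property the README warns about; 0600 only keeps other local
# users out, it does not encrypt anything.
require "yaml"
require "securerandom"
require "tmpdir"

STORE_PATH = File.join(Dir.tmpdir, "password_store_example.yml") # assumed path
CHARS = [*"a".."z", *"A".."Z", *"0".."9"]                         # assumed alphabet

def load_store(path = STORE_PATH)
  File.exist?(path) ? (YAML.safe_load(File.read(path)) || {}) : {}
end

def save_store(store, path = STORE_PATH)
  File.open(path, "w", 0o600) { |f| f.write(store.to_yaml) }
end

# password -s SITE USER PASS
def set_entry(site, user, pass, path = STORE_PATH)
  store = load_store(path)
  store[site] = { "username" => user, "password" => pass }
  save_store(store, path)
  store[site]
end

# password -g SITE: plain hash lookup, so "twitter" and "Twitter" differ
def get_entry(site, path = STORE_PATH)
  load_store(path)[site]
end

# Random password of the requested length drawn from a CSPRNG
def generate_password(length = 10)
  Array.new(length) { CHARS[SecureRandom.random_number(CHARS.size)] }.join
end

# password -l LENGTH -G SITE USER
def generating_set(site, user, length = 10, path = STORE_PATH)
  set_entry(site, user, generate_password(length), path)
end

if __FILE__ == $0
  generating_set("twitter", "wilbur", 23)
  puts get_entry("twitter").inspect
  puts get_entry("Twitter").inspect # nil: lookup is case-sensitive
end
```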

You could even do this:

password -l 235_000 -G username_for_site_joe_told_me_about_that_one_day_at_ramen_place x
password -l 235_000 -G password_for_site_joe_told_me_about_that_one_day_at_ramen_place x

The output would be:

username_for_site_joe_told_me_about_that_one_day_at_ramen_place
username: x
password: [235,000-character randomly-generated string]
password_for_site_joe_told_me_about_that_one_day_at_ramen_place
username: x
password: [235,000-character randomly-generated string]

Blam. Usernames and passwords that can stand up to rainbow hashes. Secure forever
against everybody but Joe, and whoever you guys went to the ramen place with that
one day. (And maybe your waiter or waitress, depending on the status of their
eavesdropping skills.)

== REQUIREMENTS:

* ActiveSupport
* Must not be an idiot

== INSTALL:

* sudo gem install password

== LICENSE:

(The MIT License)

Copyright (c) 2008 Giles Bowkett

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


All profanity and jokes aside, most passwords are a ridiculous waste of time. There is only one useful purpose served by putting a password on my Twitter account - it helps Twitter protect the value of their investment by dramatically reducing the risk of spam. Removing registration improves signal-to-noise ratios, Bayesian filters can make spam a nonissue, and registration doesn't prevent anyone from making spoof logins, so registration is basically just a waste of time. The only benefit here is that Twitter's engineers don't have to write a Bayesian filter and their suits don't have to grow balls. That benefit is entirely theirs, not mine - but I'm the one who has to do the remembering.

That's abusing your customers. It's abuse that everybody is used to, but it's still abuse, and I for one don't have time for it. It's like when banks shut down all their human tellers and replaced them with ATMs, and then added ATM fees - we pay for the privilege of saving them money. It's ridiculous. If some arbitrary social networking site wants me to protect the value of their investment, subsidize their managerial cowardice, and reward their engineers for not doing any heavy lifting, I think they should be paying me for that effort. It's crowdsourcing at its worst.

Password-protection on my Twitter account, or Reddit, or del.icio.us, or for the love of God instructables.com - what the hell were they thinking? - does absolutely nada for me personally, and wastes my valuable time every day, because there is always some stupid Web site demanding my password when it doesn't even need it for any useful purpose. This is especially true given that there's plenty of evidence that requiring unnecessary passwords hurts your business.

If you work in a large corporation, you're especially screwed. The password gremlins lurk everywhere, like roaches that can type - they change the network password every week, or the Exchange server password every three and a half hours except on Tuesday, etc., etc. Nobody should have to waste their time on that stuff.