summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2021-02-20 22:48:55 -0500
committerJune McEnroe <june@causal.agency>2021-02-20 22:48:55 -0500
commitedea409687c78f8f9e1178bce2fb33998f04993b (patch)
treeeaf08803e1b36cd096977ed7219006f557d534c8
parentFix (hopefully) matching shell reserved words (diff)
downloadsrc-edea409687c78f8f9e1178bce2fb33998f04993b.tar.gz
src-edea409687c78f8f9e1178bce2fb33998f04993b.zip
Publish "Unpasswords"
-rw-r--r--www/text.causal.agency/017-unpasswords.7153
-rw-r--r--www/text.causal.agency/Makefile1
2 files changed, 154 insertions, 0 deletions
diff --git a/www/text.causal.agency/017-unpasswords.7 b/www/text.causal.agency/017-unpasswords.7
new file mode 100644
index 00000000..f9643f2f
--- /dev/null
+++ b/www/text.causal.agency/017-unpasswords.7
@@ -0,0 +1,153 @@
+.Dd February 20, 2021
+.Dt UNPASSWORDS 7
+.Os "Causal Agency"
+.
+.Sh NAME
+.Nm Unpasswords
+.Nd password anti-management
+.
+.Sh DESCRIPTION
+Right away I want to say
+that I'm not trying to tell anyone
+how to manage their online authentication.
+This is just how I do it,
+and I haven't seen anyone else write about it.
+.
+.Pp
+I don't use a password manager.
+It's not a type of software
+I want to deal with.
+For the small handful of sites
+that I use regularly
+and that actually matter,
+I use strong passwords
+(stored in my noggin)
+and TOTP.
+For everything else,
+I simply do not know the password,
+and neither does any software.
+.
+.Pp
+I think I started doing this one time
+when I had legitimately forgotten
+the password to some old account.
+I clicked on
+.Dq forgot my password
+and opened the email,
+but I didn't want to
+come up with a new password
+I would just forget again.
+Instead I set a random one
+.Po
+I usually use
+.Ql openssl rand -base64 33
+for this
+.Pc
+and immediately used that to log in
+while it was still in my clipboard.
+Next time I wanted to log in,
+I could use
+.Dq forgot my password
+again.
+.
+.Pp
+Thinking about it,
+I realized that any web authentication
+with an email password reset flow
+is only ever as strong as
+the authentication for your email account.
+So what is the point of having
+all these passwords set on different sites?
+They all answer to your email account,
+and storing them in a password manager
+seems to add another potential point of failure.
+May as well have no other passwords at all,
+or as close as possible.
+.Po
+Shout out to sites like Liberapay
+and asciienema
+which let me not set a password at all.
+.Pc
+.
+.Pp
+So I started doing that for any site
+that I don't regularly log in to.
+Going through the password reset flow
+can be a bit slow,
+but it doesn't need to be done often.
+And I can do it from anywhere
+I have access to my email,
+which I feel is more easily reliable
+than syncing password management databases.
+It's quite stress-free.
+.
+.Pp
+After doing this manually for years,
+this week I finally got around to
+writing some automation for it.
+A while ago I had written
+.Xr imbox 1 ,
+a tool to directly export mail
+in mboxrd format from IMAP,
+along with
+.Xr git-fetch-email 1 ,
+a wrapper which offloads configuration to
+.Xr git-config 1 .
+It can match emails by
+Subject, From, To and Cc.
+This week I added a flag
+to use IMAP IDLE
+to wait for a matching message
+if there isn't one already,
+and a flag to move matching messages
+(for example to Trash)
+after exporting them.
+.
+.Pp
+With those two new flags,
+I started writing some shell scripts
+to automate the password reset flow
+using
+.Xr curl 1
+to submit forms and
+.Xr git-fetch-email 1
+with
+.Xr sed 1
+to pull the reset tokens
+from my inbox.
+At the end of the script,
+the random password it set
+is copied to the clipboard
+and the login page for the site is opened.
+So now logging in is as simple
+as running a command,
+waiting for the login page to open,
+and pasting.
+.
+.Pp
+The script isn't sophisticated,
+but I don't think it needs to be.
+I've written functions
+for a couple different sites already,
+and they all work in mostly the same way.
+Writing a new one is just a matter
+of identifying the form URLs and fields
+along with where the token is in the email.
+I'm not going to turn this automation
+into any kind of generally usable project,
+because I don't want to have to
+maintain functions for tonnes of different services.
+If you're interested in this idea,
+I encourage you to use my script as a template
+and implement the functions for services you use.
+.
+.Sh SEE ALSO
+.Bl -item -compact
+.It
+.Lk https://git.causal.agency/imbox
+.It
+.Lk https://causal.agency/bin/sup.html
+.El
+.
+.Sh AUTHORS
+.An june Aq Mt june@causal.agency
diff --git a/www/text.causal.agency/Makefile b/www/text.causal.agency/Makefile
index 01cefa9d..6063abb1 100644
--- a/www/text.causal.agency/Makefile
+++ b/www/text.causal.agency/Makefile
@@ -19,6 +19,7 @@ TXTS += 013-hot-tips.txt
 TXTS += 014-using-vi.txt
 TXTS += 015-reusing-tags.txt
 TXTS += 016-using-openbsd.txt
+TXTS += 017-unpasswords.txt
 
 all: ${TXTS}