.Dd February 20, 2021
.Dt UNPASSWORDS 7
.Os "Causal Agency"
.
.Sh NAME
.Nm Unpasswords
.Nd password anti-management
.
.Sh DESCRIPTION
Right away I want to say
that I'm not trying to tell anyone
how to manage their online authentication.
This is just how I do it,
and I haven't seen anyone else write about it.
.
.Pp
I don't use a password manager.
It's not a type of software
I want to deal with.
For the small handful of sites
that I use regularly
and that actually matter,
I use strong passwords
(stored in my noggin)
and TOTP.
For everything else,
I simply do not know the password,
and neither does any software.
.
.Pp
I think I started doing this one time
when I had legitimately forgotten
the password to some old account.
I clicked on
.Dq forgot my password
and opened the email,
but I didn't want to
come up with a new password
I would just forget again.
Instead I set a random one
.Po
I usually use
.Ql openssl rand -base64 33
for this
.Pc
and immediately used that to log in
while it was still in my clipboard.
Next time I wanted to log in,
I could use
.Dq forgot my password
again.
.
.Pp
Thinking about it,
I realized that any web authentication
with an email password reset flow
is only ever as strong as
the authentication for your email account.
So what is the point of having
all these passwords set on different sites?
They all answer to your email account,
and storing them in a password manager
seems to add another potential point of failure.
May as well have no other passwords at all,
or as close as possible.
.Po
Shout out to sites like Liberapay
and asciienema
which let me not set a password at all.
.Pc
.
.Pp
So I started doing that for any site
that I don't regularly log in to.
Going through the password reset flow
can be a bit slow,
but it doesn't need to be done often.
And I can do it from anywhere
I have access to my email,
which I feel is more easily reliable
than syncing password management databases.
It's quite stress-free.
.
.Pp
After doing this manually for years,
this week I finally got around to
writing some automation for it.
A while ago I had written
.Xr imbox 1 ,
a tool to directly export mail
in mboxrd format from IMAP,
along with
.Xr git-fetch-email 1 ,
a wrapper which offloads configuration to
.Xr git-config 1 .
It can match emails by
Subject, From, To and Cc.
This week I added a flag
to use IMAP IDLE
to wait for a matching message
if there isn't one already,
and a flag to move matching messages
(for example to Trash)
after exporting them.
.
.Pp
With those two new flags,
I started writing some shell scripts
to automate the password reset flow
using
.Xr curl 1
to submit forms and
.Xr git-fetch-email 1
with
.Xr sed 1
to pull the reset tokens
from my inbox.
At the end of the script,
the random password it set
is copied to the clipboard
and the login page for the site is opened.
So now logging in is as simple
as running a command,
waiting for the login page to open,
and pasting.
.
.Pp
The script isn't sophisticated,
but I don't think it needs to be.
I've written functions
for a couple different sites already,
and they all work in mostly the same way.
Writing a new one is just a matter
of identifying the form URLs and fields
along with where the token is in the email.
I'm not going to turn this automation
into any kind of generally usable project,
because I don't want to have to
maintain functions for tonnes of different services.
If you're interested in this idea,
I encourage you to use my script as a template
and implement the functions for services you use.
.
.Sh SEE ALSO
.Bl -item -compact
.It
.Lk https://git.causal.agency/imbox
.It
.Lk https://causal.agency/bin/sup.html
.El
.
.Sh AUTHORS
.An june Aq Mt june@causal.agency