summary refs log tree commit diff
path: root/www/text.causal.agency/017-unpasswords.7
blob: f9643f2faafffa419723fe2b94c8ffd7c34499c9 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
.Dd February 20, 2021
.Dt UNPASSWORDS 7
.Os "Causal Agency"
.
.Sh NAME
.Nm Unpasswords
.Nd password anti-management
.
.Sh DESCRIPTION
Right away I want to say
that I'm not trying to tell anyone
how to manage their online authentication.
This is just how I do it,
and I haven't seen anyone else write about it.
.
.Pp
I don't use a password manager.
It's not a type of software
I want to deal with.
For the small handful of sites
that I use regularly
and that actually matter,
I use strong passwords
(stored in my noggin)
and TOTP.
For everything else,
I simply do not know the password,
and neither does any software.
.
.Pp
I think I started doing this one time
when I had legitimately forgotten
the password to some old account.
I clicked on
.Dq forgot my password
and opened the email,
but I didn't want to
come up with a new password
I would just forget again.
Instead I set a random one
.Po
I usually use
.Ql openssl rand -base64 33
for this
.Pc
and immediately used that to log in
while it was still in my clipboard.
Next time I wanted to log in,
I could use
.Dq forgot my password
again.
.
.Pp
Thinking about it,
I realized that any web authentication
with an email password reset flow
is only ever as strong as
the authentication for your email account.
So what is the point of having
all these passwords set on different sites?
They all answer to your email account,
and storing them in a password manager
seems to add another potential point of failure.
May as well have no other passwords at all,
or as close as possible.
.Po
Shout out to sites like Liberapay
and asciienema
which let me not set a password at all.
.Pc
.
.Pp
So I started doing that for any site
that I don't regularly log in to.
Going through the password reset flow
can be a bit slow,
but it doesn't need to be done often.
And I can do it from anywhere
I have access to my email,
which I feel is more easily reliable
than syncing password management databases.
It's quite stress-free.
.
.Pp
After doing this manually for years,
this week I finally got around to
writing some automation for it.
A while ago I had written
.Xr imbox 1 ,
a tool to directly export mail
in mboxrd format from IMAP,
along with
.Xr git-fetch-email 1 ,
a wrapper which offloads configuration to
.Xr git-config 1 .
It can match emails by
Subject, From, To and Cc.
This week I added a flag
to use IMAP IDLE
to wait for a matching message
if there isn't one already,
and a flag to move matching messages
(for example to Trash)
after exporting them.
.
.Pp
With those two new flags,
I started writing some shell scripts
to automate the password reset flow
using
.Xr curl 1
to submit forms and
.Xr git-fetch-email 1
with
.Xr sed 1
to pull the reset tokens
from my inbox.
At the end of the script,
the random password it set
is copied to the clipboard
and the login page for the site is opened.
So now logging in is as simple
as running a command,
waiting for the login page to open,
and pasting.
.
.Pp
The script isn't sophisticated,
but I don't think it needs to be.
I've written functions
for a couple different sites already,
and they all work in mostly the same way.
Writing a new one is just a matter
of identifying the form URLs and fields
along with where the token is in the email.
I'm not going to turn this automation
into any kind of generally usable project,
because I don't want to have to
maintain functions for tonnes of different services.
If you're interested in this idea,
I encourage you to use my script as a template
and implement the functions for services you use.
.
.Sh SEE ALSO
.Bl -item -compact
.It
.Lk https://git.causal.agency/imbox
.It
.Lk https://causal.agency/bin/sup.html
.El
.
.Sh AUTHORS
.An june Aq Mt june@causal.agency
> 2019-09-05Add titleJune McEnroe 2019-09-04Add Avorter n'est pas tuerJune McEnroe 2019-08-29Unset executable on shell scriptsJune McEnroe 2019-08-29Add long-missing setopt to bin.7June McEnroe 2019-08-29Add editJune McEnroe'nohover-highlight'> Hack: output an extra <td> after rendering mdoc so that line numbers can be hidden based on there being three. This required splitting source-filter and about-filter since on about pages there is no table. 2019-12-18Customize cgit CSSJune McEnroe 2019-12-18Use :target rather than :focus pseudo-classJune McEnroe :target persists after you click on something else. 2019-12-18Copy cgit auxiliary binaries properlyJune McEnroe 2019-12-18Add git.causal.agency cgit configJune McEnroe 2019-12-18Bail from hi if input is binaryJune McEnroe NULs in the input cause an infinite loop in htmlEscape, not to mention regexes obviously not working, etc. 2019-12-16Post "cgit setup"June McEnroe