Rotating passwords in bulk in the wake of security events

Published 2017-05-11 on Drew DeVault's blog

I’ve been putting this post off for a while. Do you remember the CloudFlare security problem that happened a few months ago? This is the one that disclosed huge amounts of sensitive information for huge numbers websites. When this happened, your accounts on thousands of websites were potentially compromised.

Updating passwords for all of these services at once was a major source of frustration for users. Updating a single password can take 5 minutes, and changing dozens of them might take hours. I decided that I wanted to make this process easier.

$ ./pass-rotate github.com linode.com news.ycombinator.com twitter.com
Rotating github.com... 
  Enter your two factor (TOTP) code:
OK
Rotating linode.com... 
  Enter your two-factor (TOTP) code:
OK
Rotating news.ycombinator.com... OK
Rotating twitter.com... 
  Enter your SMS authorization code:
OK

I just changed 4 passwords in about 20 seconds. This is pass-rotate, which is basically youtube-dl for rotating passwords. It integrates with your password manager to make it easy to change your password. pass-rotate is also provided in the form of a library that password managers can directly integrate with to provide first-class support for password rotation with a shared implementation of various websites. Not only can it help you rotate passwords after security events, but it can be used for periodic password rotation to keep your accounts safer in general.

How this was basically done is by reverse engineering the password change flow of each of the websites it supports. Each provider’s backend submits HTTP requests that simulates logging into the website and interacting with the password reset form. This is often quite simple, like github.py, but can sometimes be quite complex, like namecheap.py.

The current list of supported services is available here. There’s also an issue to discuss making a standardized mechanism for automated password rotation here. At the time of writing, the list of supported services is:

  • Cloudflare ✗ TOTP
  • Digital Ocean ✗ TOTP
  • Discord ✓ TOTP
  • GitHub ✓ TOTP ✗ U2F
  • Linode ✓ TOTP
  • NameCheap ✓ SMS
  • Pixiv
  • Twitter ✓ SMS ✓ TOTP
  • YCombinator

Adding new services is easy - check out the guide. I would be happy to merge your pull requests. Please add websites you use and websites you maintain!

I also set up a Patreon campaign today. If you’d like to contribute to my work, please visit the Patreon page. This supports all of my open source projects, but if you want to support pass-rotate in particular feel free to let me know when you make your contribution. This kind of project needs long term maintenance to support countless providers and keep up with changes to them. Feel free to let me know what service providers you want me to add support for when you make your pledge!

I write software. Occasionally, I will compose a post for this blog.

~sircmpwn

SirCmpwn

@sir@cmpwn.com

sir@cmpwn.com

Public key: 7BC79407090047CA

Recent Posts

2018-06-05
Should you move from GitHub to sr.ht
2018-06-01
How I maintain FOSS projects
2018-05-29
Embedding files in C programs with koio

My Work

A few interesting projects:

Sway, an i3-compatible tiling Wayland compositor
KnightOS, a Unix-like operating system for calculators
TrueCraft, a Minecraft beta 1.7.3-compatible game
aerc, a hackable asyncronous email client for your terminal
pass-rotate, the youtube-dl of automated password rotation

Consulting

Click here to learn about my consulting services.

Donate

Click here for information about donating to support my work.

License

The content for this site is CC-BY-SA. The code for this site is MIT.