Toward standard automated password and key changes

Automating password change and the rotation of SSH keys is a need that uber-programmer Eric S. Raymond is addressing (for the latter case) with “a script wrapper… using a Python expect engine to login into remote sites and install (or remove) ssh public keys.” I’d like to see a more general solution, one that might require less programming (or less fussing around when users want to change their password manually). Pardon me if it’s all been thought of before and sheer laziness or some other factor has prevented implementation.

I’ll state the case for passwords.

The simple way is to move to a standard method of password change — just enter your present password, a space, and then your desired new password instead of only entering your present password. (Of course, this means passwords can’t include spaces.) Only if your present password is correct is the change implemented, of course (and extra verification steps such as text messages still happen as they do now). A pop-up window can then ask users to enter the new password again, if desired, to prevent an unnoticed typo from locking you out; but password managers can ignore that window, and the change will go through.

Just for completeness, I’ll add a second implementation (all sorts of variations are possible):

Passwords aren’t allowed to start with “0” or “00.” Your password manager has the option of entering “16brandnewpasswordcrustyoldpassword”, which logs you in with your previous password (“crustyoldpassword”) but does more than just that: it also changes your password to “brandnewpassword”, which happens to be 16 characters long. You or your password manager can enter your password as usual if you don’t want to change it.

When a user wants to manually make a change, this string concatenation can be hidden from the user entirely, if desired: the website or service can create this string from the usual user inputs in the usual places, and send it along to the server.

Note that passwords can’t be shorter than 10 characters or longer than 100 characters for this method — however, websites and services are free to insist on more than 10 characters for security purposes, or on some limit smaller than 100, for convenience. (A length standard for all sites and services might be nice, however!) Also, the service must accept strings in the password field twice-as-long-plus-2 as the longest password it will accept (which might well be less than 100).

Note that this implementation, too, is fail-safe, not fail-unsafe. If you mistakenly enter the wrong length count for the new password, then the string you just entered will be rejected because of a password mismatch on the (lengthened or truncated) old password, and nothing happens except an error message.
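To make the two conventions concrete, here is an added server-side sketch (my own illustration, not code from the post) that parses a submitted password field under both methods and applies the fail-safe rule: the new password is installed only if the old password carried in the same field verifies. The in-memory `Account` record, the PBKDF2 hashing, and the fallback of treating an unverified field as a plain password are all assumptions of this example.

```python
"""Server-side handling of the two password-change conventions described above.
The Account class is a constructed stand-in for a credential store."""
import hashlib
import os
import secrets

MIN_LEN, MAX_LEN = 10, 100   # length limits stated in the post
ITER = 50_000                # PBKDF2 rounds (assumption, for the demo only)


class Account:
    """Constructed credential record: salt plus PBKDF2 digest, nothing else."""

    def __init__(self, password):
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITER)

    def verify(self, candidate):
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, ITER)
        return secrets.compare_digest(probe, self.digest)


def candidates(field):
    """Yield every (old, new) pair the field could encode under either method."""
    if " " in field:                         # method 1: "oldpassword newpassword"
        old, _, new = field.partition(" ")
        yield old, new
        return
    for width in (2, 3):                     # method 2: decimal length prefix, then new, then old
        prefix, rest = field[:width], field[width:]
        if not prefix.isdigit() or prefix[0] == "0":
            continue
        length = int(prefix)
        new, old = rest[:length], rest[length:]
        if MIN_LEN <= length <= MAX_LEN and len(new) == length and len(old) >= MIN_LEN:
            yield old, new


def login(account, field):
    """Return 'changed', 'ok' or 'rejected'. Fail-safe: a wrong length count or a
    wrong old password leaves the stored credential untouched."""
    for old, new in candidates(field):
        well_formed = MIN_LEN <= len(new) <= MAX_LEN and " " not in new and not new.startswith("0")
        if well_formed and account.verify(old):
            account.set_password(new)
            return "changed"
    # Assumption: anything that is not a verified change request is tried as a plain password.
    return "ok" if account.verify(field) else "rejected"
```

Note that a single submission can now exercise up to three password checks (two prefix widths plus the plain fallback), so rate limiting should count verifications rather than requests.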

Both methods automate the process of changing passwords in a way that is uniform across all websites and services. Your password management software, if it wishes, can change the password every single time it logs in anywhere, which is an obvious advantage. But, particularly with the first method, any user can do so, too, without much thought or fuss, in a standard way.