I Wear Pants
Now with Stuff and Things!
A blog by Peter Fein.
Follow @wearpants
The views expressed here do not represent my past, present or future employers, collectives, family, nation-state or houseplants. They are mine alone. Who's else would they be?
Better Passwords in Under 200 Characters
February 08, 2011 at 11:15 AM | Tags: python, oneliner, security, password, hashThis post was import from an earlier version of this blog. Original here.
Good password security is a pain in the neck. Done properly, it requires a different password for every site. Good passwords are basically impossible to remember - simply subsituting a few numbers or symbols l337-speak style isn't enough (in other words, tw1tt3r will fool no one). The traditional approach is to use a well-guarded text file (hard to secure) or password manager, such as OS X's Keychain, Gnome's Keyring or Firefox's Master Password (hard to synchronize across machines/platforms).
The solution? Hashed passwords. Remember a single master password, hash it with a per-site identifier and... that's it. The idea's not new, and there are several browser based implementations (including one I can't find right now but had you type (but not submit) your master password into login forms to be replaced by Javascript - which should send you running). Most use MD5 or SHA-1 (both with known weakness). I just can't feel great about doing this in my browser using some random dude's JS implementation of crypto, so I whipped up this one liner:
python -c "import hashlib,getpass,hmac,os;os.popen('xclip -selection c','w').write(hmac.new(getpass.getpass('Password: '),raw_input('Token: '),hashlib.sha256).digest().encode('base64')[:10])"
192 characters, including overly verbose prompts. It takes a master password and a token - a mnemonic you'll associate with the site where you use the generated password. Runs a SHA-256 HMAC, base-64 encodes it and sticks the first ten characters in your clipboard. Done. As the saying goes, "Don't invent your own crypto", so I'd love feedback on whether this contains any errors.
There's definitely room for featurification here: the app could store the master password in memory, allowing you to enter multiple tokens. A prettier GUI and cross-platform support would be nice too. There's also no way to guarrantee that the generated password contains a letter or symbol (some sites require this). But good enough for now.
After writing this, I found a commandline version using openssl/bash. Shrug.
OS X version:
python -c "import hashlib,getpass,hmac,os;os.popen('pbcopy','w').write(hmac.new(getpass.getpass('Password: '),raw_input('Token: '),hashlib.sha256).digest().encode('base64')[:10])"
These comments were imported from an earlier version of this blog.
Nick Coghlan 2011/02/08 14:16:21 -0800
For this use case, the collision weaknesses in MD5 aren't really a factor. See Brett Cannon's explanation at http://code.google.com/p/oplop/wiki/HowItWorks.
Wyatt 2011/02/08 15:28:57 -0800
The problem I have with this is that I don't want to have to remember all those tokens. I used to use a similar scheme and always used a site's domain name as the token, which has obvious problems if the master password is compromised.
Currently, I use KeePassX, since it's cross platform (Linux, Mac, and Windows) and can generate passwords according to different rules (length, certain character sets, etc).
I haven't worked out the sync issue yet. I've been thinking that I could put the key database in version control, but I'm not sure how secure that would be if someone should happen to get a hold of the database. Given that you can set a master password *and* require a key file to unlock the database, maybe it would be OK.
jokey2k 2011/02/08 15:54:04 -0800
What about LastPass? They securely encrypt the passwordfile and store it for you. You can even have a walkthrough to see how that works. Also has cross-browser support.
Falcolas 2011/02/08 18:12:29 -0800
supergenpass does the same thing for the web, minus the need for a bash terminal (it's just a bookmarklet) http://supergenpass.com/
Otherwise, LastPass and KeePass are simpler solutions.
None 2011/02/09 04:11:23 -0800
I use 1Password and love it. Until someone comes out with a better universal solution for this stuff (bank-issued cellphone/hardware token + PIN/pass + ubiquitous three-legged online auth), I'm in the "one basket and guard the basket" approach. A nice feature of 1Password is that it also lets me store CC numbers and other useful information that I want to have in electronic format on my computer. It also has support for folders and tags, so I can separate my work-related logins from personal sites and services.
aigarius 2011/02/16 03:56:27 -0800
I use the SuperGenPass. I like the ability to run it from any computer with a browser (including on a phone) and they also have something similar to your implementation for Android, for example.
One thing you could improve would be to take the token from the clipboard, so the workflow could become: select the domain name of the web site, hit a hotkey bound to this script, a xmessage or ssh-ask-pass clone pops up to ask for the master password and the result is put back into the clipboard.
(SuperGenPass goes even further - you can just enter your master password into the web form, hit a hotkey or click a bookmarklet and the master password will be replaced with the site-specific password instantly)