Password Generator instead of a password manager

17 réponses [Dernière contribution]
albertoefg
Hors ligne
A rejoint: 04/21/2016

As you probably know jxself is an active user here and do a lot of work in favor of free software. I was reading his blog and I saw this interesting program:

https://jxself.org/password-generator.shtml

The idea here is to not store the passwords in a program but generate them every time you need them, I think it is a more secure aproach than storing the passwords.

Now my problem is, I have no idea how to use it /:

I think I have to copy it to a text editor and save it (no idea wich extention) and then run it from a terminal. If someone has the time to help me to use it I would be really greatful.

albertoefg
Hors ligne
A rejoint: 04/21/2016

wich...

Which.

Sorry english is my second language and my english is far from perfect :(

lembas
Hors ligne
A rejoint: 05/13/2010

You can use any extension you wish or none. In UNIX-like systems file type is decided by magic number instead of filename extension. Here the magic number is the hash bang. (Apparently some desktop environments use a mixed approach, so...)

https://en.wikipedia.org/wiki/File_format#Magic_number

Your English is fine, I didn't even notice the mistake until you pointed it out!

loldier
Hors ligne
A rejoint: 02/17/2016

Your English is pitch-perfect for the occasion. Everybody makes typos. The forum software doesn't allow editing the first post.

Binh-Khoi Nguyen
Hors ligne
A rejoint: 01/22/2015

>Now my problem is, I have no idea how to use it /:
>
>I think I have to copy it to a text editor and save it (no idea wich
>extention) and then run it from a terminal. If someone has the time to
>help me to use it I would be really greatful.
Hi,

Hope I can help with this one. You can save it with any extension, but
then you need to change the permissions of the file so that you can
execute it. I think you can do it with a graphical interface with a
right click, properties, and if I remember well, there should be a
permission tab.

Otherwise, in the terminal, type `chmod +x `.

You might want to consider using pass, which is more secure and probably
is in the password manager. The ArchLinux wiki describes how to use it.

https://wiki.archlinux.org/index.php/Pass

Pass is under GPLV2+.

--
Khoi

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

alberto: that's a bash script. You just paste it in an editor (gedit, mousepad etc..) and you save it into a folder. Then you give it executable permission with chmod and you run it.

http://www.cyberciti.biz/faq/howto-run-a-script-in-linux/

onpon4
Hors ligne
A rejoint: 05/30/2012

I'm not entirely convinced that a password generator is a better or more secure approach. Some considerations to keep in mind:

* There is a limitation to what characters you can use for the "salt", at least the way that script does it.

* It doesn't account for different password length limitations and special character requirements that some services have. Now, these requirements and limitations are stupid, but it's something we have to deal with if we wish to use these services.

* It's not random. I don't know of a way to do this, but if someone figured out a lot of your passwords and gained access to your script, it might theoretically be possible to find patterns and crack your "salt" that way. Of course, the possibility of such an attack is pretty remote, and this method might be perfectly safe from such an attack, but this approach is not very popular, so it hasn't had much of a chance to be properly audited for such a vulnerability. I'm not saying it's insecure, but we have no reason to believe that it's more secure.

* This is the most important part, and the main reason I stopped using this method: if any of your passwords is compromised and has to be changed, like back when various servers were affected by the "heartbleed" bug, you have to update all of your passwords to fit your new "salt". With a regular password manager, this would only be necessary if the password database itself were compromised; otherwise you can just change your passwords on affected services. What's more, with this password generation method, you don't have a list of all the passwords you need to change, so you need to continue to remember your old "salt" just in case you missed something.

Binh-Khoi Nguyen
Hors ligne
A rejoint: 01/22/2015

Hi!

On Sun, May 15, 2016 at 03:34:07PM +0200, name at domain wrote:
>I'm not entirely convinced that a password generator is a better or
>more secure approach. Some considerations to keep in mind:
>
>* There is a limitation to what characters you can use for the "salt",
>at least the way that script does it.
>
>* It doesn't account for different password length limitations and
>special character requirements that some services have. Now, these
>requirements and limitations are stupid, but it's something we have to
>deal with if we wish to use these services.
>
>* It's not random. I don't know of a way to do this, but if someone
>figured out a lot of your passwords and gained access to your script,
>it might theoretically be possible to find patterns and crack your
>"salt" that way. Of course, the possibility of such an attack is
>pretty remote, and this method might be perfectly safe from such an
>attack, but this approach is not very popular, so it hasn't had much
>of a chance to be properly audited for such a vulnerability. I'm not
>saying it's insecure, but we have no reason to believe that it's more
>secure.
>
>* This is the most important part, and the main reason I stopped using
>this method: if any of your passwords is compromised and has to be
>changed, like back when various servers were affected by the
>"heartbleed" bug, you have to update all of your passwords to fit your
>new "salt". With a regular password manager, this would only be
>necessary if the password database itself were compromised. What's
>more, with this method, you don't have a list of all the passwords you
>need to change, so you need to continue to remember your old "salt"
>just in case you missed something.

What do you think of pass? It generates a password using pwgen, and
stores the result in a gpg-encrypted file. You can change the length of
the passowrds, and specify if you want symbols or not.

It's basically just a script around gpg and git.

--
Khoi

jxself
Hors ligne
A rejoint: 09/13/2010

Point 1 can be addressed by changing the script.

For point 2, while the script always outputs passwords of the same length (unless changed) that wouldn't stop someone from remembering "Oh, on this box they require the password to only be 8 characters" and so only using the first 8 characters of the script's output.

And, for special characters, it would be an easy change for the generated passwords to also contain things like !@#$%^&*()_-+={{]]||;;""<>?,/~`.

For point number 3 the hash doesn't actually contain the salt or string so there is nothing to crack that would conclusively reveal what they are/were. Attacks on cryptographic hash functions focus on finding more than one input that returns the same hash. MD5 has this problem today for example. SHA2 is safe but yes, who knows about the future? But: Even if SHA2 were as compromised in the future as MD5 is today, that is not in itself sufficient to let someone know what salt was used and begin generating their own passwords willy-nilly, even if multiple passwords were known. So they're back to guessing. But even in that event of SHA2 becoming compromised a fix is as simple as changing from a SHA2 to a SHA3 implementation once that's available (yes, that means changing passwords but see the last thing below about your last point.) And so, since they're back to guessing, passwords generated with this are subject to the same brute force problem that any (even a randomly generated) password would be. (At this time, brute forcing all possible possible combinations is easier than breaking the SHA2 cryptographic hash itself and even if that changes using a different cryptographic hash function is as easy as changing "sha512sum" to something else.)

For your last point I should point out that people should change their passwords regularly anyway.

:)

albertoefg
Hors ligne
A rejoint: 04/21/2016

Indeed we should change our passwords regularly and thats why I rather use your method.

That way I can keep my passwords with me withoud the need to store them.

Is kinda hard to change a password because I have 2 computers in my office and my laptop so it is a pain in the ass to change a password because i would have to save it somewhere, a usb or my owncloud server. And i don't really feel comfortable doing any of those.

With your password generator is safer as even if someone would gain access to my files there won't be a place where to look at for my passwords. So I can change them constantly.

onpon4
Hors ligne
A rejoint: 05/30/2012

> For your last point I should point out that people should change their passwords regularly anyway.

I disagree. The only time a password should normally changed is if it's compromised. Of course, if the password is weak, you may need to change it regularly, but weak passwords should just not be used in the first place.

albertoefg
Hors ligne
A rejoint: 04/21/2016

What change does the script needs in order for it to include things like !@#$%^&*()_-+={{]]||;;""<>?,/~`.

pragmatist

I am a member!

Hors ligne
A rejoint: 03/03/2016

Before I answer, I will tell you how I found the information.

other than echo and read and variable names and control structures like 'if', there are appear to be two programs used:

sha512sum | base64 -w 0

After reading the man page of both I saw at the end of the man page for sha512sum:
SEE ALSO
The full documentation for sha512sum is maintained as a Texinfo manual.
If the info and sha512sum programs are properly installed at your site,
the command

info coreutils 'sha512sum invocation'

should give you access to the complete manual.

so I open a terminal and type:
info coreutils 'sha512sum invocation'

From this manual I found the answer. Here is how you do that:

type ? to find out commands to navigate the manual

After you read about the sha commands you will see that they share the same syntax with md5. So go back (use ? if you don't know how) and read the md5 section and you will see this:

If FILE contains a
backslash or newline, the line is started with a backslash, and each
problematic character in the file name is escaped with a backslash,
making the output unambiguous even in the presence of arbitrary file
names.

so if I have a file name like he*llo it would be he\*llo if it was he\llo it becomes he\\llo

pragmatist

I am a member!

Hors ligne
A rejoint: 03/03/2016

I should mention that you can use this with file names containing spaces:

touch this\ is\ a\ test

creates an empty file called "this is a test" there are three spaces and there are three '\' to escape them.

In the example: he*llo you replace '*' with '\*'

In the above example a ' ' is replaced with '\ '

You can see the shell do this automatically if after you created the file "this is a test" you list it with ls using autocompletion with the TAB key:

ls this[TAB]

Assuming you don't have any other files in the directory beginning with "this" you will see:

ls this\ is\ a\ test

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

I use **keepassx**.

JadedCtrl
Hors ligne
A rejoint: 08/11/2014

Oh, that script's kind of similar to a technique I used to use.
I had a directory in ~/Documents/ called Passwords. There, I'd keep plain text files for each website. Each text file would have one line-- the line would say "Password:" and some random password I made up. I'd then check the sha256 hash of the fake password file and use the hash as my real password.
If anyone checked the ~/Documents/Passwords folder they'd have thought that the files actually listed my passwords, even though they didn't. :p

Turtleman
Hors ligne
A rejoint: 05/22/2013

That seems like it might be considered "steganography." I like the idea :)

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

Jxself: this one may be of some interest for you (if you don't mind it being written in java) ->
https://ssl.masterpasswordapp.com/