Deterministic password creation tool

"Please leave a message at the beep, we will get back to you when your support contract expires."

Moderators: phlip, Moderators General, Prelates

Manabu
Posts: 30
Joined: Tue Nov 30, 2010 1:57 am UTC

Deterministic password creation tool

Postby Manabu » Fri Jun 08, 2012 8:14 pm UTC

It is impossible to have unique, secure, easy to remember passwords for each site you register. I don't like password wallets either, because I need to keep them accessible AND synchronized when I need to login outside my home. Also, you need to keep a backup at risk of losing all your passwords.

So, what about a password derived from a secure hash of: a master password + some string related to the site name that you input + number of re-hash loops/work-factor. The last is important to slowdown bruteforce attackers that know your method. It is probably a good idea to use something standard, like bcrypt or scrypt, but even sha-512 with enough loops should suffice. And it must also output in something like base 64, so that you can pack more entropy in less characters. And this has to be sufficiently simple that I don't risk loosing the ability of reproducing my password (ie: I can easily make a python script, w/o even looking back at the specification, to replicate it).

Is there something good already implemented? I didn't found anything as a Firefox extension, for example, and all my attempts at searching for it ended up in server-side password storage pages.

ferrelas
Posts: 22
Joined: Tue Apr 13, 2010 11:10 am UTC

Re: Deterministic password creation tool

Postby ferrelas » Fri Jun 08, 2012 8:28 pm UTC

What about the horse-battery-staple-correct method from this very webcomic?

Manabu
Posts: 30
Joined: Tue Nov 30, 2010 1:57 am UTC

Re: Deterministic password creation tool

Postby Manabu » Fri Jun 08, 2012 10:49 pm UTC

The problem is the "unique" of the first post. It is impossible to remember a completely different and random horsebatterystapplecorrect for each site I register. I would need to fall back to the site-specifc prefix method, or something like that, that is less secure. And many sites limit the maximum length of the password, or ask for numbers and upper case, disallowing this method. And I still need a program (a random word chooser) to create new passwords.

Well, searching outside google, I finally found some programs that do something similar to what I tought:
http://supergenpass.com/
https://www.pwdhash.com/
http://fuktommy.com/genpasswd/

Of those, the first two use MD5, and the genpasswd SHA1... Not quite up to my security standards... A comment that I leaved in SuperGenPass forum:
Manabu wrote:> The cracker must know that your resulting password was actually generated by SGP, and wasn't created
> manually and stored in something like 1Password, which you can't say only by the look of the generated
> password.
Yes, you can. An hacker with a large database of stolen passwords can identify random passwords (as opposed to those made of logical blocks, syllables, etc), and among those passwords those that abide by SGP rules. In that subset, he can then proceed to build a rainbow table and quickly reveal most MASTER passwords from SGP users, that are guaranteed to have been re-used. At billions of attempts per second, even quite strong passwords fail.

User avatar
Xanthir
My HERO!!!
Posts: 5425
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex
Contact:

Re: Deterministic password creation tool

Postby Xanthir » Sat Jun 09, 2012 1:19 am UTC

I use this page on my site for all my password needs, which I lightly modified from another page somewhere else (appropriate credits are in the source). It's completely self-contained and does no network communication, so feel free to save it to your desktop if you ever need a password when you don't have internet access.

This satisfies all of your basic requirements, except that it uses a simple sha1 hash, which is potentially problematic since it's fast to perform. That said, there's a lot of entropy in the string that would need to be overcome, so it's still definitely better than just choosing a "normal" password and hashing it.

The really nice thing about the page I use is that it is very customizable - it can generate a password anywhere from 4 to 26 characters long, and you can impose several useful restrictions on it to satisfy various password requirements, such as "must have a digit" or "no special characters". The two predetermined options I have on there ("Short" and "Long") correspond to sets of options that I've found are most commonly accepted by sites - the "Short" one generates an 8-char password for stupid sites that have length restriction, and the "Long" generates a 26-char password for everything else.

The nice thing about this is that, since it's online and most of your password usage will be for other sites, any time you need a password you can definitely access the password generator. I only memorize a handful of passwords - the master password for generating new ones, and then two more for unlocking my personal and work computers, because I obviously don't have internet access while unlocking them. Everything else I just generate and copy/paste as necessary.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Deterministic password creation tool

Postby Steax » Sat Jun 09, 2012 6:29 pm UTC

Just to throw it in:

My password storage scheme uses 1password, a password wallet. It's quite well-protected; I own all the data (which is then securely placed on my computer) and it's encrypted with my master key. Or a 1000-iteration PBKDF2 hash of my master key, to be exact. So even if they did get their hands on the data file, they'd still need to crack my master password to get into it. I can then upload it to dropbox, and link other devices to it; this is just dependent on dropbox's security and using an obscure email for dropbox. Other devices need my exact same master password to unlock my files.

It's worked well for me so far. I find that trying to make up my own method tends to have hidden pitfalls I'd rather avoid.
In Minecraft, I use the username Rirez.

User avatar
zed0
Posts: 179
Joined: Sun Dec 17, 2006 11:00 pm UTC

Re: Deterministic password creation tool

Postby zed0 » Mon Jun 11, 2012 10:04 am UTC

My friend wrote something that works as you describe (from what I remember): http://passhash.connorhd.co.uk/
You can read more about it on his blog or browse the source on github.


Return to “The Help Desk”

Who is online

Users browsing this forum: No registered users and 7 guests