hash-based password generator

After reading about SQRL, the QR-based login system invented by Steve Gibson, I started to think about hash-based password generators as a lightweight variant of SQRL.

What if you could have a password generator that always gives you the same output? Think about it. You use the generator, and it outputs the password “1LKk23j!2323^dfD” for use at facebook.com. One year later you have forgotten that password, so you start the same password generator and it gives you the same password again. Great, huh?

In order for it to be secure we have a few requirements though:

  1. It needs to be unique per site. That is, I do not want to use the same password on facebook, twitter, amazon and instagram.
  2. It needs to be unique per user. I do not want to have the same facebook password as you have.

So, we take 2 inputs to the password generator:

  1. Something that is unique per site. The domain name or the site name or whatever. For simplicity say that you enter “facebook” for facebook, “twitter” for twitter and so on.
  2. Something that is unique per user. My super secret key. It might be the chassis number of your ex-spouse's brother's first car, the first sentence in your favourite book or anything that you will always remember (and write down, and store securely!).

We also have to decide the length of the output passwords. I suggest something like 12 characters. It is long enough to resist brute forcing.

I built the password generator as a simple bash script since I already have openssl installed. The script below will do this:

  1. Ask for the site-specific parameter you want to create the password for (in our example ‘facebook’).
  2. Ask for your super secret private password.
  3. Create a cryptographic hash digest of your site-specific parameter ‘facebook’ with your private key as a… eeeh… private key. 🙂
  4. Since the output is binary, all non-printable characters will be removed.
  5. The first 12 bytes of the string will be printed on the screen.

 

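#!/bin/bash
# Deterministic per-site password: HMAC-SHA512 of the site name, keyed with the private key.
export IFS=""      # keep leading/trailing whitespace in what is typed
export LC_ALL=C    # byte-wise tr/cut: printable means ASCII 0x20-0x7e
read -rp "site: " PARAMETER
read -rsp "common private key: " PASSWORD
echo               # -s hides the typed newline as well; end the prompt line
echo "Password for site $PARAMETER:"
# printf instead of echo, so a site name such as "-n" is not taken as an echo option
# (the bytes hashed are unchanged: site name plus a newline).
# Note: -hmac puts the key on openssl's command line, where the local process list can show it.
printf '%s\n' "$PARAMETER" \
| openssl dgst -sha512 -binary -hmac "$PASSWORD" \
| tr -cd '[:print:]' \
| cut -c1-12
echo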
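
The script's pipeline re-implemented in Python as an added example (not the author's code), to check a case the five steps do not mention: the printable filter keeps only some of the 64 digest bytes, so a password can contain spaces and, rarely, come out shorter than 12 characters. The site names and the secret are constructed samples; `survey` and its field names are made up for this illustration.

```python
# Added example (not the post's code): the bash pipeline re-implemented with the
# Python standard library, to see how many printable bytes each digest yields.
import hashlib
import hmac

PRINTABLE = range(0x20, 0x7F)  # what tr '[:print:]' keeps under LC_ALL=C (space included)
LENGTH = 12                    # the post's password length


def printable_stream(site: str, secret: str) -> str:
    """HMAC-SHA512 keyed with the secret over site + newline, non-printables dropped."""
    digest = hmac.new(secret.encode(), (site + "\n").encode(), hashlib.sha512).digest()
    return bytes(b for b in digest if b in PRINTABLE).decode("ascii")


def script_password(site: str, secret: str) -> str:
    """Same result as the script: the first 12 surviving characters."""
    return printable_stream(site, secret)[:LENGTH]


def survey(secret: str, n_sites: int = 2000) -> dict:
    """Count surviving printable characters over constructed site names."""
    sites = [f"site{i}.example" for i in range(n_sites)]  # constructed sample input
    counts = [len(printable_stream(s, secret)) for s in sites]
    passwords = [script_password(s, secret) for s in sites]
    return {
        "mean": sum(counts) / n_sites,             # theory: 64 * 95/256, about 23.75
        "min": min(counts),                        # worst case seen in this sample
        "short": sum(c < LENGTH for c in counts),  # outputs shorter than 12 characters
        "with_space": sum(" " in p for p in passwords),
    }


if __name__ == "__main__":
    secret = "constructed demo secret"  # constructed sample, not a real key
    print(repr(script_password("facebook", secret)))
    print(survey(secret))
```

A site that rejects spaces or enforces a minimum length will reject some of these outputs, so the length of the result is worth checking before relying on it.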

IANAC (I am not a cryptographer). Not at all. Am I doing this wrong? Can I enhance the security even further? If you have any input on the subject, please write a comment below!

As I wrote above, I did come up with the idea when reading about SQRL. After googling around the interwebz I quickly realised that all good ideas have already been had. The script above is a rip-off of the hashapass CLI version with some improvements. Since I am not using base64 but binary output instead, I will get a password with more variety in characters (higher entropy). Also, I raised the password length from 8 to 12 characters.

11 comments on “hash-based password generator”

  2. Pedro Gimeno says:

    Seems like the same strategy as PasswordMaker and SuperGenPass. Search for “Password Managers: encrypted database vs hashing strategy” in Stack Exchange for a list of pros and cons.
