Sam Trenholme's webpage

Password security


August 4 2018

This blog post is about making secure passwords for websites.

==The problem with website passwords==

Let me start with a well-known webcomic about password security: https://xkcd.com/936/

Requiring mixed case or punctuation in a password does not increase its security much. However, it makes password management a pain. For example: while most sites accept the underscore (the _ symbol) as a “punctuation” character, so that a suffix like _Aa9 satisfies most sites' password rules, some do not. Southwest, for example, does not allow a _ in a password at all, so we need a special “for Southwest, use : instead of _ for punctuation” rule.

The password hlrehcv5kn4o545v has (or had, until I posted this) a good deal more security than Password1! (the first has 80 bits of entropy; the largest attacks I have seen, requiring entire datacenters filled with computers, can crack 64 bits; the second has at best 28 bits of security), but many sites consider the first password insecure and the second password secure.

==My solution: PassGen==

My solution to the issue of countless sites, each with their own password rules, is to have a single password manager. This password manager uses a secure hash and stream cipher to generate, from the contents of a secret master password, a unique password for each site one has to log in to.
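The derivation described above, as an added example that is not PassGen's own code: the post names only "a secure hash and stream cipher", so this example assumes HMAC-SHA256 keyed with the master password as the per-site derivation function, maps the digest to 16 lowercase alphanumeric characters (the same alphabet and length as the hlrehcv5kn4o545v password discussed earlier), and appends a per-site suffix such as _Aa9 to satisfy mixed-case and punctuation rules. The site-rule table, including the Southwest exception, is constructed for illustration; the real script encodes its rules as edits to the shell code.

```python
import hashlib
import hmac
import math

# 36-symbol alphabet: lowercase letters plus digits, as in hlrehcv5kn4o545v.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
CORE_LENGTH = 16

# Constructed site-rule table (hypothetical). Most sites accept "_Aa9" as the
# mixed-case/punctuation suffix; Southwest rejects "_", so ":" is used instead.
DEFAULT_SUFFIX = "_Aa9"
SITE_SUFFIX = {"southwest.com": ":Aa9"}


def derive_core(master: str, site: str, length: int = CORE_LENGTH) -> str:
    """Deterministic per-site core password.

    Assumption for this example: HMAC-SHA256 with the master password as the
    key and the site name as the message. The 256-bit digest is read as one
    integer and converted to base-36 digits. 16 base-36 digits need only
    ~82.7 bits, so the modulo bias from a 256-bit source is negligible.
    """
    digest = hmac.new(master.encode("utf-8"), site.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def site_password(master: str, site: str) -> str:
    """Core characters plus the suffix that this site's rules accept."""
    return derive_core(master, site) + SITE_SUFFIX.get(site, DEFAULT_SUFFIX)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_mixed_rules(password: str) -> bool:
    """Typical website rule: at least one lowercase, uppercase, digit, and punctuation."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for site in ("linkedin.com", "southwest.com"):
        print(site, site_password(master, site))
    print("core entropy: %.1f bits" % entropy_bits(len(ALPHABET), CORE_LENGTH))
```

Because each site's password is a function of the master password and the site name only, a breach at one site reveals nothing usable at another, and the core's 16 base-36 characters carry about 82.7 bits on their own; the suffix exists only to satisfy site rules, not to add security.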

I have a GitHub repo of the code, available for either browsing online or downloading. The entire system, including the small (obfuscated) C program that runs the underlying cryptographic algorithm, is in a single two-page shell script.

I have been using a form of this tool for well over a decade, and it has protected me from having a password compromise on one site (Hello, LinkedIn!) affect my passwords on other sites.

The main problem with this system is that one needs to know how to write a UNIX shell script (Bash script, as it's commonly called these days) to edit the code to work with arbitrary password rules. But, for shell script coders, it's a simple standalone tool for password management.
