@jaseg
Created August 12, 2012 22:32
Password manager without a password manager

Prelude

Since password managers are big and complicated, and I am currently pretty bored because I am sitting in a car for a few hours, here is a simple algorithm to generate resource-specific, unique passwords from a master password without any password database.

WARNING

As pointed out here: http://news.ycombinator.com/item?id=4374888 this method is broken. Note in particular that the construction below involves no key stretching at all: the master password goes through a single SHA-512, so anyone who obtains your salt file and a single generated password can test candidate master passwords at the full speed of SHA-512.

Usage

Simply paste the following line into a shell, type your master password (correctly, please, for there are no safeguards in place to protect you from typos), press [enter] and then [ctrl-d], and you will be provided with a password specific to www.example.com. Since sha512sum reads the password straight from the terminal, it is echoed on screen as you type it.

(sha512sum ~/.salt -<<<www.example.com;sha512sum -)|cut -d\  -f1|sha512sum|cut -c-32

Please note that this line will produce the same password every time you invoke it, provided that nobody has messed around with your .salt file and you still remember your master password.

The salt can be pretty much any immutable file (so .jpg and other files which tend to be modified by programs because of stored metadata are a really bad idea), as long as it is more or less unique. I generated mine with the following command line:

(dmesg;env;head -c16 /dev/random)|sha512sum>>~/.salt; chmod 400 ~/.salt

Under certain circumstances this line may take a few seconds while /dev/random gathers entropy. Note that >> appends: running the line a second time adds another line to ~/.salt and silently changes every password derived from it, so keep a copy of the file somewhere safe.

Principle of operation

The password generator takes the hex SHA-512 hashes of your salt file, your master password and the name of the resource you want a password for (e.g. a domain name), concatenates them one per line, hashes the result again and takes the first 32 characters of the resulting hex value. The result depends on all three inputs, and none of them can be recovered from it directly, since SHA-512 is a cryptographic hash and therefore preimage resistant. That does not stop an attacker from guessing, however: nothing in the pipeline slows SHA-512 down, so a low-entropy master password can be found by trying candidates against one leaked site password and the salt file, at a cost of two hash computations per guess (the salt and resource hashes are fixed and can be precomputed). The process could be improved by finding a portable way to encode the final hash in a character set of more than 16 symbols: in base64, for instance, 22 characters already carry 132 bits, so the password could be made significantly shorter than 32 characters without losing any entropy compared to now.

The salt file generation takes your dmesg (system-specific), your env (user-specific) and a few random bytes (random), concatenates and hashes them, and appends the hash's hex string, in sha512sum's "hash  -" output format, to the salt file.
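The following is an added example, not code from the gist: a byte-exact Python port of the password line and of the salt-file format from the Usage section, plus the base64 shortening suggested above and a small demonstration of what the missing key stretching means in practice. All function names are this example's own, the salt-file generator mixes in only random bytes (not dmesg and env as the shell line does), and the wordlist in the demo is constructed for illustration.

```python
"""Added example (not part of the gist): a byte-exact port of the two shell
lines above, plus the base64 shortening the text suggests and a demonstration
of why the missing key stretching matters. All names are this example's own;
the sample salt and the wordlist are constructed for illustration."""
import base64
import hashlib
import secrets
from typing import Iterable, Optional


def _hexline(data: bytes) -> bytes:
    """What `sha512sum ... | cut -d' ' -f1` contributes: hex digest plus newline."""
    return hashlib.sha512(data).hexdigest().encode("ascii") + b"\n"


def _lines(salt_file: bytes, site: str, master: str) -> bytes:
    # The here-string and the [enter] before [ctrl-d] each append one "\n",
    # so site and master are hashed with a trailing newline, exactly as in the shell.
    return (_hexline(salt_file)
            + _hexline(site.encode("utf-8") + b"\n")
            + _hexline(master.encode("utf-8") + b"\n"))


def derive(salt_file: bytes, site: str, master: str, length: int = 32) -> str:
    """The gist's pipeline: SHA-512 over the three hex lines, first 32 hex chars."""
    return hashlib.sha512(_lines(salt_file, site, master)).hexdigest()[:length]


def derive_b64(salt_file: bytes, site: str, master: str, length: int = 22) -> str:
    """Same derivation, base64 instead of hex: 22 chars carry 132 bits, so the
    password keeps the full 128 bits of the 32-hex-char version."""
    digest = hashlib.sha512(_lines(salt_file, site, master)).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def make_salt_file() -> bytes:
    """Bytes in the format `sha512sum >> ~/.salt` writes: "<hex>  -\n".
    Assumption: only 16 random bytes are mixed in here; the shell line also
    feeds dmesg and env into the hash, which this portable version does not."""
    return hashlib.sha512(secrets.token_bytes(16)).hexdigest().encode("ascii") + b"  -\n"


def recover_master(salt_file: bytes, site: str, leaked: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Offline guess of the master password from ONE leaked site password plus
    the salt file. H(salt) and H(site) are fixed, so each guess costs two
    SHA-512 calls; nothing in the construction slows this down."""
    prefix = _hexline(salt_file) + _hexline(site.encode("utf-8") + b"\n")
    for guess in candidates:
        candidate = hashlib.sha512(prefix + _hexline(guess.encode("utf-8") + b"\n"))
        if candidate.hexdigest()[:len(leaked)] == leaked:
            return guess
    return None


if __name__ == "__main__":
    salt = make_salt_file()
    site_pw = derive(salt, "www.example.com", "correct horse")
    print("hex   :", site_pw)
    print("base64:", derive_b64(salt, "www.example.com", "correct horse"))
    # Constructed wordlist; a real attacker would use a far larger one.
    wordlist = ["password", "letmein", "hunter2", "correct horse", "Tr0ub4dor&3"]
    print("recovered master:", recover_master(salt, "www.example.com", site_pw, wordlist))
```

To check the port against the shell line, write the same bytes to ~/.salt that make_salt_file() returns, run the one-liner with the same resource name and master password, and compare with derive(); the trailing newlines on the resource name and the master password are the part most easily got wrong.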

@eric-brechemier

I created an open-source project using a somewhat similar approach, using different hash algorithms for passwords with different sizes and ranges of characters:
http://enlargeyourpassword.com

GitHub Project:
https://github.com/eric-brechemier/enlargeyourpassword

@Friz-zy

Friz-zy commented Nov 4, 2012

Hi, the python version of the sha512(sha512("salt" XOR "nick : site") XOR "pass")[:32] algorithm is now in https://github.com/Friz-zy/pass_etalon and https://github.com/Friz-zy/passGui
