Is it secure?
The hash generated gives you up to 160bit password strength,
depending on the passphrase.
Passwords are unique for every website,
since the domain is hashed.
When you create an account at a malicious service,
it is not able to login into any of your other accounts.
You could have multiple pass phrases,
e.g. one for all work related, one for social media and one for remaining accounts.
NOTE: some website have a max length on a password,
this means a lower strenght,
especially since the hash part is
hexadecimal.
But the requirement of max length already indicates that such a service
has bad security.
How does it work?
Found out later that
lesspass
does the same thing.
But requires more parameters and does not come preinstalled (shasum
).
It is inspired by
Stanford PwdHash
and works by doing
echo -n 'apex.tldPASSPHRASE' | shasum
(to avoid storing history
, prepend a space to echo
)
It is a concatenation of the domain you want a password for,
together with a phrase that you use.
This string is then used to calculate a hash,
which is your password.
To allow for specific password requirements,
we prefix the hash with a capital letter and a special character.
We picked 'R' since it is the
18th letter of the alphabet
and we changed the password of this website in 2018.
(the prefilled prefix on the password generator is updated each year to promote password rotation,
please also update your secret phrase)
Update: base64
Since multiple websites have a upperlimit of 32 characters for a password,
the default feature now produces 28 chars with the same strength.
But how did we do this?
We just convert the SHA1 sum output (hex) to base64.
echo -n 'apex.tldPASSPHRASE'|shasum|cut -f1 -d" "|xxd -r -p|base64
echo -n 'apex.tldPASSPHRASE'|shasum|awk '{print $1}'|xxd -r -p|base64
This provides us with 28 chars of which the last one is a special char ('=').
We tested this with 1M records
for i in {1..1000000};do echo -n $i|shasum|xxd -r -p|base64;done
and found out that 9858 have no number [0-9],
0 have no letter [a-z]
and 2 have no capital letter [A-Z].
To be sure that all three type of characters are present,
we append
|grep [0-9]|grep [A-Z]|grep [a-z]
to our initial command.
If we now get no output (probability of 1%),
we just preform a second shasum:
echo -n 360351|shasum|cut -f1 -d\ |tr -d $'\n'|shasum|cut -f1 -d\ |
xxd -r -p|base64|grep [0-9]|grep [A-Z]|grep [a-z]
Note that we need to remove the newline (tr) after the first round,
or you can manually use the output of the first round with
echo -n
.
But don't worry, the tool above does this for you,
it's just to explain the inner working of this tool.
What about a password manager?
The motivation for this password manager was the backup requirement
of normal password managers.
This is the main advantage of this solution.
Disadvantages compared to password manager;
- Less bits per char, resulting in weaker passwords when truncated
(max length on password input field)
- When your secret sentence is compromised,
one could generate all your passwords
(the same goes for your password on your online password manager)
- Your sentence unlocks the power to generate all your passwords,
also the passwords for not yet existing services,
while a password manager only stores the passwords that are actually used
- This password mechanism allows one to generate them on the terminal
and other insecure places, which could be a risk
- Just like a regular password manager with random passwords,
the password cannot be memorized
- This system allows you to use multiple master passwords (e.g. social, work, finance, developers etc.)
however, for teams, this would result in more password rotations.
Other disadvantages;
- A key based hash (HMAC) or slow hash (Argon2, [S|B]crypt, PBKDF2)
would make this system more secure,
however,
shasum
was chosen,
since it comes pre-installed on most machines