A password manager that doesn't require password database

3

I use a self-made password manager that generates strong passwords based on one strong key and easily rememberable strings for each website/account. The basic principle can be most easily conveyed by pseudocode:

import hashlib
import base64

key = raw_input("Enter key: ")
url = raw_input("Enter URL: ")  # like jons3.serverfault or something similar easily rememberable
pw = hashlib.sha512(key + url).digest()
pw = base64.b64encode(pw)
pw = pw[0:16]
print pw  # or set the clipboard, etc., etc.

Now I am considering implementing some additional features:

  • Advanced password management. I.e. I don't need to enter the key itself, it resides on the hdd in an encrypted form, so I only need to input some easier password to decrypt it. A possibility to have multiple passwords that can decrypt the same key. A possibility to have one-time passwords. A possibility to have several keys. Etc.
  • Capability to run the manager as a daemon on a server.
  • Multi-platform clients that can talk to the server.

Being lazy, I hope that someone has already implemented the concept and at least some of the desired features. Does anyone know such password manager?

jons34yp

Posted 2013-01-03T15:13:39.810

Reputation: 389

3What exactly is your question? Product suggestions are not on topic for Stack Exchange websites. I hope you understand the method you're using to secure your password is not secure. KeePass already exists and allows the use of a key file. – Ramhound – 2013-01-03T15:32:37.347

I'm looking for an open source component of some sort. Didn't know such were forbidden, I see quite a lot of similar posts.

Why is my method insecure? Could you elaborate?

KeePass and similar are not an option because they are susceptible to password database loss. – jons34yp – 2013-01-03T15:36:21.640

There are theoretically possible ways to attack SHA512. If you are dealing with passwords, the Blowfish password-specific BCRYPT algorithm should be used for several thousand iteration cycles. As for the additional clarification, I can't stop thinking that asking for such a component is unlikely to be on topic for Super User. – Ramhound – 2013-01-03T15:47:56.910

Don't limit your password to 16 chars – Jan Doggen – 2013-01-07T12:32:12.733

Any password manager that doesn't require a database suffers from a severe flaw: If you want to change a single password (including the master password), you have to change all passwords. – Dennis – 2013-01-17T22:17:37.740

@Dennis With the system the OP described, you could change the "URL" to get a different password without changing anything else. Changing the master key is problematic, yes, but if you don't actually remember it and instead encrypt it with an easier password (which was the OP's plan, I believe), you could encrypt it with a different password and keep the same master key; that's how LUKS works, for example. The downside, of course, is that losing the master key on disk is like losing a database (but it's easier to back up since it never changes). – qmega – 2013-01-31T00:53:16.010

@qmega: 1. If the "URL" isn't the actual URL, you have to remember it as well to be able to derive the password. That defeats the whole purpose of this system. 2. If you're going to encrypt the master password (which means you have to store it), you might as well encrypt every single password. That makes things a lot easier. – Dennis – 2013-01-31T01:04:30.047

@Dennis 1. Given his example, it looks like OP is already not using URLs exactly, but just something he can remember more easily than the password itself. So you'd have to remember a new thing, yes, but you could just change it a little and get a completely different password. 2. It's not exactly the same. It's easier to back up a master key because it never changes, whereas a database has to be backed up every time a password is added or changed. You seem to be saying the trouble isn't worth the benefit (and I happen to agree), but I'm just addressing the system the OP asked for. – qmega – 2013-01-31T01:25:58.643
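The derivation scheme from the question, written out in Python 3 next to the variant the comments argue for (a slow, iterated KDF instead of one fast SHA-512, and a password longer than 16 characters). This is an added example and not the asker's own program; the function names, the sample key and the site label are constructed for the demonstration. PBKDF2-HMAC-SHA512 from the standard library stands in for the bcrypt that Ramhound mentions, since bcrypt needs a third-party module. Passing the site label as the salt instead of concatenating it to the key also keeps the two inputs separate, which the plain concatenation does not: sha512("ab" + "c") and sha512("a" + "bc") are the same hash, and the example checks exactly that.

```python
import base64
import hashlib

# Constructed sample inputs for the demonstration (not real credentials).
SAMPLE_KEY = "correct horse battery staple"
SAMPLE_LABEL = "jons3.serverfault"

# Assumed defaults for the hardened variant: output length and PBKDF2 cost.
DEFAULT_LENGTH = 32
DEFAULT_ITERATIONS = 200_000


def derive_naive(key, label, length=16):
    """The scheme from the question: base64(sha512(key + label))[:length].

    One fast hash, and key and label are simply concatenated, so the
    boundary between them is lost: ("ab", "c") and ("a", "bc") hash the
    same string and therefore yield the same password.
    """
    digest = hashlib.sha512((key + label).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def derive_kdf(key, label, length=DEFAULT_LENGTH, iterations=DEFAULT_ITERATIONS):
    """Same idea with a slow, salted KDF (hypothetical replacement).

    PBKDF2-HMAC-SHA512 stands in for bcrypt because it ships in hashlib.
    The site label is the salt rather than part of the hashed string, so
    the two inputs are kept apart, and `iterations` makes each guess at
    the master key cost the attacker that many HMAC rounds.
    """
    # 64 bytes of output base64-encode to 86 characters before '=' padding.
    if not 1 <= length <= 86:
        raise ValueError("length must be between 1 and 86")
    digest = hashlib.pbkdf2_hmac(
        "sha512",
        key.encode("utf-8"),
        label.encode("utf-8"),
        iterations,
    )
    return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]


def demo():
    """Derive the same site password both ways and return them for inspection."""
    return {
        "naive": derive_naive(SAMPLE_KEY, SAMPLE_LABEL),
        "kdf": derive_kdf(SAMPLE_KEY, SAMPLE_LABEL),
        # qmega's point: a tweaked label rotates one site's password only.
        "kdf_rotated": derive_kdf(SAMPLE_KEY, SAMPLE_LABEL + "2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

Both functions are deterministic, so nothing needs to be stored for the site passwords; only the master key itself has to be kept (or, as the question proposes, kept encrypted on disk). Raising the iteration count is the only knob that slows down an offline guess at the master key, and the cost is paid once per derivation.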

Answers

0

As has been mentioned, KeePass is probably the most popular open source password manager. I like LastPass (not open). If you want more to look at, you can always see what Steve Gibson has to say at GRC.com or listen to him on Security Now.

RockyFord

Posted 2013-01-03T15:13:39.810

Reputation: 111