[JAVA] Hash password generator

A story about how to securely manage complex passwords for various sites.

There are many password management programs and apps, and many people use them to manage their passwords. However, relying on a particular piece of software raises concerns: whether the software developer can be trusted, whether the passwords are stored securely, and whether the software might suddenly become unusable so that the passwords can no longer be accessed.

Others say that they create a list of passwords and store the file encrypted.

Hash password generation

Here I describe a method that saves a "site-specific password seed" in a file and generates the site password each time, by a fixed algorithm, from a hash of the "remembered master password" and that seed.

C(H(M + S)) = P

H: Hash function
C: A function that converts a hash to a password string
M: Remembered master password
S: Site-specific password seed
P: Site password

This method is more resistant to brute force attacks than the "encrypt and store password" method. This is because when a guessed master password is tried, there is no way to tell whether the generated password is correct without actually trying to log in to the site.

Python 3 version of the program

I have published such a program written in Python 3.

Password Generator

The "site-specific password seeds" are written directly in the program. As a sample, seeds for google, amazon, and twitter are included.

Save this program as password in a directory that is on your path. When you start it as

password google

the message

Please enter the master password.

is displayed. Enter the master password you have chosen there, and the site password will be displayed. You can also set it to copy the password to the clipboard (see the source code).

The information for each site is defined as a dictionary object at the beginning of the program:

sitekey = {
    "google" : ["sha512", "an", 16, "kKkMqYDUIivWLi3WSt3VndHci"], 
    "amazon" : ["sha3_384", "an", 16, "stBuQIQgT9Yp84RBK3HdllnUK"],
    "twitter" : ["sha3_512", "an", 14, "UmhvSHT72smO4aI1LMYt7H2el"]
}

Because it is defined this way, edit it here for your own sites. The definition specifies not only the site-specific password seed but also the hash algorithm, the password character type (an means alphabet and numbers), and the password length. Any additional elements you append are displayed as information, so you can record details such as the user ID for each site, the registered e-mail address, and the phone number set for two-step verification. See the source code comments for more details.

If you can program, it is better to put in the effort to create such a program in your favorite language and manage it to your liking. I manage all my own scripts in a private Git repository and use them through a path to that directory, and I also manage my own password generation scripts there.
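The scheme C(H(M + S)) = P with the sitekey layout above can be sketched as follows, which also shows that a wrong master password still produces a well-formed password of the same length. This is an added example, not the author's published program: the conversion function C, the names hash_bytes, to_password and site_password, and the seeds are assumptions constructed for illustration, so it will not reproduce the author's passwords.

```python
import hashlib
import string

# Constructed sample entries in the page's layout: [hash algorithm, charset, length, seed].
SITEKEY = {
    "example-a": ["sha512", "an", 16, "CONSTRUCTED-SEED-AAAA"],
    "example-b": ["sha3_384", "an", 14, "CONSTRUCTED-SEED-BBBB"],
}
CHARSETS = {"an": string.ascii_letters + string.digits}  # "an" = alphabet + numbers


def hash_bytes(algo, master, seed):
    """H(M + S): hash the master password concatenated with the site seed."""
    return hashlib.new(algo, (master + seed).encode("utf-8")).digest()


def to_password(digest, algo, charset, length):
    """C: map digest bytes to characters (assumed scheme, not the author's).

    Bytes at or above the largest multiple of len(charset) that fits in 256
    are skipped, so every character of the charset is equally likely.
    """
    limit = 256 - (256 % len(charset))
    out = []
    while len(out) < length:
        for b in digest:
            if b < limit and len(out) < length:
                out.append(charset[b % len(charset)])
        digest = hashlib.new(algo, digest).digest()  # extend if bytes ran out
    return "".join(out)


def site_password(site, master, sitekey=SITEKEY):
    """P for one site; elements after the first four are free-form notes."""
    algo, kind, length, seed = sitekey[site][:4]
    return to_password(hash_bytes(algo, master, seed), algo, CHARSETS[kind], length)


if __name__ == "__main__":
    import getpass  # prompt without echoing the master password
    import sys
    print(site_password(sys.argv[1], getpass.getpass("Master password: ")))
```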

JavaScript version of the program

I also created a JavaScript version of this program. When you enter the master password in "Master", the password is generated in real time, and "Copy" copies it to the clipboard. I am using jsSHA to calculate SHA. The Python version and the JavaScript version generate the same password from the same master password. The JavaScript version uses an associative array:

var sitekey = new Object({
    "google" : ["sha512", "an", 16, "kKkMqYDUIivWLi3WSt3VndHci", "https://www.google.co.jp/",  "User ID: xxx", "Two-step certification: "], 
    "amazon" : ["sha3_384", "an", 16, "stBuQIQgT9Yp84RBK3HdllnUK", "https://www.amazon.co.jp/", "Email: xxx"],
    "twitter" : ["sha3_512", "an", 14, "UmhvSHT72smO4aI1LMYt7H2el", "https://twitter.com", "https://twitter.com/seki/"]
});

Because the definition takes this form, the information for each site can be used by copying the Python definition as it is. For passwords that need to be accessed from a mobile device, it is convenient to be able to generate them with the JavaScript version as well.

I wrote this article for programmers; I wrote one aimed a little more at the general public in "About password management".
