How to securely manage complex, site-specific passwords.
There is plenty of password-management software, and many people use it. Relying on one particular piece of software, however, raises concerns: whether the developer can be trusted, whether the stored passwords are actually secure, and whether the software might suddenly become unusable, leaving the passwords inaccessible.
Some people instead keep a list of passwords in a file and store that file encrypted.
Here I describe a different method: a "site-specific password seed" is saved in a file, and each site's password is generated on demand by hashing a "remembered master password" together with that seed and converting the result into a password string.
C(H(M + S)) = P
H: hash function
C: function that converts a hash to a password string
M: remembered master password
S: site-specific password seed
P: site password
This method is more resistant to brute-force attacks than the "encrypt and store the passwords" method: an attacker who obtains the seed file and tries a guessed master password has no way to tell whether the generated password is correct except by actually attempting to log in to the site, whereas a guessed password for an encrypted file can be checked offline. Note that this advantage holds only as long as no generated site password is exposed. If one site's password leaks (for example through a breach of that site), anyone holding the seed file can test guesses for the master password offline at the speed of the plain hash function, so the master password must be strong in its own right.
I have published such a program written in Python 3.
The "site-specific password seeds" are written directly into the program. As a sample, seeds for google, amazon, and twitter are included.
Save this program as password in a directory on your PATH so that it can be run by name. When started as
password google
the prompt
Please enter the master password.
is displayed. Enter the master password you have decided on, and the site password is displayed. It can also be set to copy the password to the clipboard (see the source code).
The information for each site is a dictionary object at the beginning of the program:
sitekey = {
"google" : ["sha512", "an", 16, "kKkMqYDUIivWLi3WSt3VndHci"],
"amazon" : ["sha3_384", "an", 16, "stBuQIQgT9Yp84RBK3HdllnUK"],
"twitter" : ["sha3_512", "an", 14, "UmhvSHT72smO4aI1LMYt7H2el"]
}
Rewrite this definition for your own sites. Each entry specifies not only the site-specific seed but also the hash algorithm, the password character type ("an" means letters and digits), and the password length. If you append further elements to an entry, they are displayed together with the generated password, so you can record information such as the user ID for the site, the registered e-mail address, and the phone number set up for two-step verification. See the comments in the source code for details.
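As an added worked example (not the author's published program; the conversion function C, the seed values, and the site names are assumptions made for illustration), here is a self-contained Python 3 generator using the same table layout as the sitekey dictionary above. It also includes a small function showing the case the "you have to try logging in" argument does not cover: once one site's password is exposed, guesses for the master password can be checked offline.

```python
import hashlib
import string
from typing import Iterable, List, Optional

# Constructed sample table in the layout the article uses:
# [hash algorithm, character type, length, site-specific seed, extra info ...]
# The seeds and sites below are made up for this example, not the article's values.
sitekey = {
    "example": ["sha512", "an", 16, "MadeUpSeedForExample", "User ID: alice"],
    "demo": ["sha3_384", "an", 14, "AnotherMadeUpSeed", "Email: alice@example.com"],
}

CHARSETS = {"an": string.ascii_letters + string.digits}  # "an" = alphanumeric


def hash_to_password(digest: bytes, charset: str, length: int) -> str:
    """C: map a digest to a password string.

    This mapping is an assumption for the example; the article does not show
    its own C. Each digest byte selects one character. Because 256 is not a
    multiple of len(charset), bytes at or above the largest multiple of
    len(charset) are rejected rather than wrapped, so every character is
    equally likely. If the digest runs out before `length` characters have
    been produced, more bytes are derived deterministically by hashing the
    previous material.
    """
    limit = 256 - (256 % len(charset))
    out: List[str] = []
    material = digest
    while len(out) < length:
        for b in material:
            if b < limit:
                out.append(charset[b % len(charset)])
            if len(out) == length:
                break
        else:
            material = hashlib.sha256(material).digest()
    return "".join(out)


def generate_password(master: str, entry: list) -> str:
    """P = C(H(M + S)): hash the master password followed by the site seed."""
    algo, charset_name, length, seed = entry[:4]
    h = hashlib.new(algo)  # e.g. "sha512", "sha3_384", "sha3_512"
    h.update((master + seed).encode("utf-8"))
    return hash_to_password(h.digest(), CHARSETS[charset_name], length)


def recover_master(entry: list, leaked_password: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against one exposed site password.

    With the seed file in hand, the leaked P is a perfect oracle: each
    candidate M costs one fast hash and needs no login attempt, which is
    why the master password itself must resist guessing.
    """
    for m in candidates:
        if generate_password(m, entry) == leaked_password:
            return m
    return None


if __name__ == "__main__":
    import getpass
    import sys

    # Usage mirrors the article's CLI: python3 password.py example
    entry = sitekey[sys.argv[1]]
    master = getpass.getpass("Please enter the master password. ")
    print(generate_password(master, entry))
    for info in entry[4:]:  # extra elements are shown alongside the password
        print(info)
```

The rejection step in hash_to_password matters more than it looks: taking each byte modulo 62 directly would make the first 8 characters of the alphabet slightly more likely than the rest, which reduces the effective entropy of every generated password.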
If you can program without much effort, it is better to write such a program in your favorite language and manage it to your liking. I manage all my own scripts in a private Git repository and use them by adding that directory to my PATH, and I manage these password-generation scripts there as well.
I also created a JavaScript version of this program. When you enter the master password in "Master", the password is generated in real time, and "Copy" copies it to the clipboard. I use jsSHA to compute the SHA hashes. The Python version and the JavaScript version generate the same password from the same master password. The JavaScript version uses an object as an associative array:
var sitekey = new Object({
"google" : ["sha512", "an", 16, "kKkMqYDUIivWLi3WSt3VndHci", "https://www.google.co.jp/", "User ID: xxx", "Two-step verification: "],
"amazon" : ["sha3_384", "an", 16, "stBuQIQgT9Yp84RBK3HdllnUK", "https://www.amazon.co.jp/", "Email: xxx"],
"twitter" : ["sha3_512", "an", 14, "UmhvSHT72smO4aI1LMYt7H2el", "https://twitter.com", "https://twitter.com/seki/"]
});
Because it is defined this way, the information for each site can be used by copying the Python definition as is. For passwords that need to be accessed from a mobile device, it is convenient to be able to generate them with the JavaScript version as well.
I wrote this article for programmers; I wrote a version for the general public in "About password management".