Hello. About two years ago on Habrahabr, in a comment, I came across an interesting way to store passwords without actually saving them. The phrase sounds strange, but I could not describe this kind of program more precisely. The method is that, to obtain the password for a specific account on a specific site, you feed a string "glued together" from the master password, the site address and the login on that site into a hash function:
keyword + sitename + login
In this line, keyword is the master password used to "store" the passwords for all sites; then comes the site address, then the login. Feeding this string into the hash function gives a string of characters which can be used, in full or in part, as the password for this account on this site. The keyword at the beginning of the line makes it impossible to learn the password from the site address and login alone. The length of the hash output is more than enough for a password. But the strength of the password still leaves much to be desired: each character of such a password can take only one of 16 values, because the result of the hash function is a string of hexadecimal digits.
I tried to correct this flaw. Below I describe how.
How the program works
The result of the hash function is a hexadecimal string, consisting of the characters "0123456789ABCDEF".
For example, running the string "keyword + sitename + login" through the sha256 hash function gives the hash:
dc6463dfd7d86d06db49ea63061c9a8bf6a7ff17fe23b5bd3dfbd7a25d1b6769
Each character is half a byte (a nibble). A pair of adjacent characters can take 256 values, since it is the textual representation of one byte. The program processes the hash string in groups of two characters:
dc 64 63 df d7 d8 6d 06 db 49 ea 63 06 1c 9a 8b f6 a7 ff 17 fe 23 b5 bd 3d fb d7 a2 5d 1b 67 69
The program converts each group into a number from 0 to 255. That is more than enough values to encode one character of the password. For password generation I used lowercase and uppercase Latin letters and digits, 63 possible characters in total. Below I call the set of possible password characters the alphabet. The alphabet can be chosen at will, depending on whether a complex or a simple password is needed; to do so, only one line of the program needs to change. The program is written in C++.
const string alphabet="1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM";
Next, the program takes the remainder of dividing the byte by the number of characters in the alphabet (63). The remainder of division by 63 can take values from 0 to 62; this remainder is the index of the character in the alphabet string.
Below is the part of the program responsible for processing the hash. A link to the full source of the program is at the end of the article.
#include <cstdio>
#include <cstddef>
#include <string>
#include <iostream>
#include "sha256.h"   // SHA-256 class shipped in the archive linked at the end

using namespace std;

// strIn: 64-character hex digest; strOut: 32-character buffer that receives the password.
void convert(string strIn, string &strOut)
{
    const string alphabet = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM";
    const string hex = "0123456789abcdef";
    unsigned char str[32];
    for (int i = 0; i < 32; i++) {
        // two hex characters -> one byte, 0..255
        str[i] = hex.find_first_of(strIn.at(i * 2)) * 16 + hex.find_first_of(strIn.at(i * 2 + 1));
        // the byte modulo the alphabet size is the index of the password character
        strOut.at(i) = alphabet.at(str[i] % alphabet.length());
    }
}

int main()
{
    SHA256 sha;
    string strIn, strOut = "00000000000000000000000000000000";
    // cin >> reads one whitespace-delimited token, so the glued string must be typed
    // without spaces; the loop ends at end of input instead of spinning forever.
    while (cin >> strIn) {
        convert(sha.hash(strIn), strOut);
        cout << strOut << endl << endl;
    }
    return 0;
}
How to use the program
Using the program is simple. Enter the master password, site address and login, then press Enter. All the other information (site address, login) can be kept in your head or written down somewhere; it is not secret. The master password, however, has to be remembered.
For example, enter this line in the console:
keyword + sitename + login
Press Enter and get the password:
nEWWzxS7bwDW7lxyNI8f7mC4M4zEckYI
The password consists of 32 characters and looks quite secure.
Pluses of the program
- There is no password database, unlike programs such as KeePass, so there is no need to back one up.
- The password database cannot be stolen or hacked, because it does not exist.
- The implementation of the program is very simple.
- Cross-platform, since only standard C++ libraries are used.
Cons of the program
- At this stage the program is console-only, so copying a password out of it is awkward.
- The site address and the login for it have to be remembered or written down.
- Changing a password is problematic.
Now about a small minus of this way of turning a byte into one of the 72 symbols of the alphabet. The minus is that when the remainder of the division is used as the index of a character in the alphabet, the part of the alphabet with indices from 0 to 255 % 63 has a higher chance of landing in the password. For clarity, here is an example with a "toy" 3-bit number divided by 3. A 3-bit number takes values from 0 to 7. By "%" I denote the operation of taking the remainder of division. No higher mathematics, sorry.
0 % 3 = 0 | 3 % 3 = 0 | 6 % 3 = 0 |
1 % 3 = 1 | 4 % 3 = 1 | 7 % 3 = 1 |
2 % 3 = 2 | 5 % 3 = 2 |
We see that 2 comes up less often as a remainder than 0 and 1. The same happens when bytes are divided by the number of characters in the alphabet. The problem can be solved by taking the remainder not of bytes but of words (i.e. two bytes); then all characters of the alphabet land in the password with nearly equal probability. However, the password length is then halved again, to 16 characters, which in some cases will be considered too short. That can be solved by running the hash through the hash function once more. So this minus is entirely correctable.
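As an added example, not the article's own code, the same scheme in Python with hashlib: the hash-to-alphabet mapping described in "How the program works", the two-byte-word variant proposed just above with a rehash to restore 32 characters (how the second hash is chained is my assumption), and a count of how often each alphabet index is hit, which makes the modulo skew visible. The mapping is checked against the hash and password quoted in the article.

```python
import hashlib
from collections import Counter

# The article's alphabet, copied verbatim; len() is used below rather than a hard-coded size.
ALPHABET = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
# Hash and password quoted on the page, reused here as a known-answer check.
PAGE_HASH = "dc6463dfd7d86d06db49ea63061c9a8bf6a7ff17fe23b5bd3dfbd7a25d1b6769"
PAGE_PASSWORD = "nEWWzxS7bwDW7lxyNI8f7mC4M4zEckYI"

def hex_to_password(hexdigest, width=1, alphabet=ALPHABET):
    """Map a hex digest to alphabet characters, `width` bytes per character.
    width=1 is the article's scheme (32 chars from SHA-256, byte % size);
    width=2 is its proposed fix (16 chars, 16-bit word % size)."""
    step = 2 * width  # hex digits consumed per password character
    return "".join(alphabet[int(hexdigest[i:i + step], 16) % len(alphabet)]
                   for i in range(0, len(hexdigest) - step + 1, step))

def derive(master, site, login, width=1):
    """Deterministic password for (site, login) from the master keyword.
    Hashes the glued string as the article describes. For width=2 a second
    digest, SHA-256 over the hex of the first (my assumption about what
    'run the hash again' means), brings the length back to 32."""
    digest = hashlib.sha256((master + site + login).encode()).hexdigest()
    password = hex_to_password(digest, width)
    if width == 2:
        digest2 = hashlib.sha256(digest.encode()).hexdigest()
        password += hex_to_password(digest2, width)
    return password

def index_histogram(width=1, alphabet=ALPHABET):
    """How often each alphabet index is hit when every `width`-byte value
    (0 .. 256**width - 1) is reduced modulo the alphabet size. Unequal
    counts are the skew the article describes: the low indices win."""
    return Counter(v % len(alphabet) for v in range(256 ** width))

if __name__ == "__main__":
    print(hex_to_password(PAGE_HASH) == PAGE_PASSWORD)  # True
    print(derive("keyword", "sitename", "login"))
    print(derive("keyword", "sitename", "login", width=2))
    for w in (1, 2):
        h = index_histogram(w)
        print(f"{w} byte(s): max count {max(h.values())}, min {min(h.values())}")
```

With one byte per character the first few alphabet indices are hit 5 times out of 256 and the rest 4 times; with two bytes the counts differ by one in 65536, which is the "more equiprobable" outcome the text anticipates.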
Conclusion
I wanted to tell Habr about this program and read the comments. Working on it was interesting, because the idea is quite simple and promising, and I could not find analogues on the Internet. If you know of programs similar to the one described above, please name them in the comments. I also ask you not to kick too hard over the fact that the program has no presentation. The program should be considered educational.
The archive at the link contains the compiled program and the source. Everything is distributed under the GPL license. =)
rusfolder.com/31528284