The LinkedIn password leak finally pushed me to solve the password problem once and for all: it was very unpleasant to find my own password in the list of the most frequently used ones. The number of passwords we have to remember keeps growing, the complexity requirements keep getting stricter, and very few people have switched to OpenID.
The search for a solution will begin with an analysis of password threats and possible countermeasures.
Threat number 1 is the sites themselves: to register you have to send them your password, and it arrives at the server in the clear. Even a site that stores only a salted hash holds your plaintext password at that moment, and a careless or malicious one may log or store it as is, so its administrators and support staff can read it and then try it on other sites where you may have accounts.
Threat number 2 is interception of the password in transit. Very few sites use HTTPS; most send everything typed into a form in the clear. So if you log in to a forum from a coffee house, anyone sitting there with a laptop and sniffing the network can read your password and then try it elsewhere.
To neutralize these threats it is necessary to ensure that the passwords on different sites are different. The question is how to remember them all, or where to store them?
One method of generating and remembering different passwords for different sites was described in the article “A simple method of storing passwords in the head”. With this method you memorize one password mask (for example, rtYG!) and devise a rule for deriving a site-specific variation from the site name.
For example:
| Site | Password Option 1 | Password Option 2 |
|---|---|---|
| Flickr | brtYG!3photo | brtYG!3Fr |
| Linkedin | brtYG!3job | brtYG!3Ln |
| Sberbank | brtYG!3money | brtYG!3Sk |
The problem with this method is that its overall strength is determined by the strength of the variation part alone: the mask is shared by all the passwords, so as soon as any one of them leaks (as in the LinkedIn dump), the mask is known and only the short variation is left to guess. An administrator of Flickr can guess that “photo” or “Fr” is the variation for his site, and then it is not hard to work out the variations for other sites. In addition, this way of generating passwords does not work well with sites that require periodic password changes.
Therefore, it is highly desirable that all passwords are completely random and unrelated to each other. But then the question immediately arises: where to keep them?
I will say right away that I do not trust password-storage services, because I do not know how they work, and with a paid service there is the additional risk of losing all your passwords over a missed payment. So I decided to develop my own solution, satisfying the following requirements:
- The solution should be free and, as far as possible, permanent
- The solution should exclude the transmission of passwords over the network in an unencrypted form.
- There should be no exchange of incomprehensible traffic with anyone.
- There should be no installation of additional software, only the browser
- Solution should be cross-platform
Such a solution was found, it is as follows:
1. Replace the passwords for sites with tokens. Tokens are generated randomly, can be much longer than a regular password, and cannot be memorized by someone who glimpses them on the monitor screen.
2. Invent and memorize one strong master password; it is used to encrypt and decrypt all the tokens.
3. All tokens are stored in online storage (for example, in mail or in Google Docs), or locally, in a text file of the following form:

| Site | User | Encrypted Token |
|---|---|---|
| youtube.com | myytusername | U2FsdGVkX1/cCpnVmQ1sz13pqQXJYtQ3bTjcjw/HYak= |
| livejournal.com | myljusername | U2FsdGVkX19HWMhtmjfdLagxpBfUcnJmFkezYgdnBrs= |
4. Encryption and decryption use AES-256 with Base64 output, via the GibberishAES JavaScript library. All computation happens in the browser; no data is sent anywhere. GibberishAES writes the same container as OpenSSL's `enc` command (the text “Salted__”, an 8-byte random salt, then the AES-256-CBC ciphertext, all Base64-encoded, which is why every token above starts with `U2FsdGVkX1`) and derives the key and IV from the master password with OpenSSL's legacy EVP_BytesToKey (a single pass of MD5). That derivation is fast, so anyone who obtains the token file can try master-password guesses cheaply; the master password must be genuinely strong.
A few notes on this method:
- The whole scheme requires memorizing two passwords: the one for the online storage and the master password for the tokens. They must be different.
- When choosing online storage, remember that without access to the storage you will not be able to log in to any site, so the storage should be as reliable as possible, with high availability.
- Keep backup copies of the file with the encrypted tokens; if it is lost, the passwords cannot be recovered.
- Encryption and decryption in the browser can be done, for example, on this page. Being paranoid, I made my own minimal AES-256 Online page for myself. It consists of 3 files that can be saved and used locally.
- Tokens from the page can also be encrypted or decrypted on the Unix command line, since the container format is OpenSSL's own:
`openssl enc -a -aes-256-cbc` (encrypts STDIN)
`openssl enc -d -a -aes-256-cbc` (decrypts STDIN)
With OpenSSL 1.1.0 or later add `-md md5` to both commands: the default key-derivation digest for `enc` changed there from MD5 to SHA-256, while GibberishAES uses MD5, so without the flag the two sides cannot decrypt each other's output. OpenSSL 1.1.1 and later also warn that this key derivation is deprecated; `-pbkdf2` would silence the warning, but the result is then no longer compatible with GibberishAES.
- Random tokens can be generated online (for example, here), offline (download index.html and the 2 JavaScript files here), or from the Unix command line, where 12 random bytes become 16 Base64 characters:
`openssl rand -base64 12`
I hope this method of password management will be useful to readers.