The idea of generating and remembering strong passwords
I think everyone knows about the importance of using complex, selectable, different, periodically interchangeable passwords, as well as about problems with memorizing them. In principle, there is a relatively good solution to this problem - programs that store the password database in encrypted form. I want to share an alternative solution, which has some advantages over such “memories” of passwords, in particular, does not require access to a file with an encrypted password database. The basic idea is to remember one very strong master password, and to generate passwords for individual accounts from it using cryptographic functions. Who are interested in the details - I ask under the cat.
First, you need to understand what requirements a good password must meet:
At first I thought that it was possible to do this: remember one random sequence of characters and for each site attach a string specific to this site to it. For example, take every third character of the site address. The password for habr (entered on id . Tm t m. R u ) will look like this: “Q9y: y> 1W.tr”, where “Q9y: y> 1W” is the string used on all sites, and “.tr "- an additive specific to id.tmtm.ru. In fact, there are two secret components here: the generation algorithm itself and the random string. To get the password you need to know both. The password is quite resistant to busting, you can periodically change the random flow - the requirements (1) and (3) are met. The problem is that it is relatively easy to guess about both components, knowing the passwords from a pair of sites.
The next step is the use of irreversible cryptographic functions. Only a random string, the master password, will be secret here.
The initial data for generating a password will be:
This data is fed into the hash function, the output is considered as a long integer, we encode it in the 95th number system, we get a pseudo-random string 25 characters long for a 160-bit hash function. It is better to fold the older symbol, since it can take far from all values (more precisely, only 5 values). We get 24 pseudo-random symbols.
Here lies a simple console program in Python3, which thus generates passwords.
You can specify one of the parameters:
-m - generate many passwords from one master password (in order not to enter the master password several times);
-r - generate a random password (the source of randomness is the system generators of random sequences and the string entered from the keyboard);
without parameters - generate one password and exit.
Immediately after entering the master password, the program displays a 2-byte hash from the master password. It is necessary to control the correctness of the input. If the hash seems unfamiliar, then the master password is entered incorrectly.
This program uses 2 different hash functions (ripemd160 and sha512) and a slightly more complicated order of feeding the source data than simply concatenating strings. Using two functions - a move for paranoids - allows (as far as I can see) to keep the algorithm's robustness even if a very serious vulnerability is detected in one of them (it is clear that this is almost unbelievable, but the overhead of such “paranoia” is also minimal).
')
Some services have restrictions on the set of characters that can be included in the password. If there are forbidden characters in the generated password, you have to skip them. Accordingly, the subsequent use of the service has to remember which characters were skipped.
The advantages of this algorithm compared with the "remembering" passwords:
Advantages of "memorization":
I also want to add an account base here. So that it was necessary to enter only the master password and, optionally, the password to decrypt the database; the site name, login, version number, password length and list of characters to be skipped could be taken from the database.
The comments suggested that there is more:
MasterPassword - Habravchanin FanKiLL
pwdhash.com is the same on JavaScript from the team at Stanford University. There are browser plugins. After hashing, the password is supplemented so that it passes the standard test for complexity.
Password Requirements
First, you need to understand what requirements a good password must meet:
- Must be hard to pick. It must be long enough and contain characters of different types (capital / small letters, numbers, special characters), so that you can not find a full brute force. Must be selectable by dictionary, dictionary with combinations and mutations.
- It must be unique for each account, so that the compromise of a password from one account will not lead to unauthorized access to other accounts.
- Should change periodically.
At first I thought that it was possible to do this: remember one random sequence of characters and for each site attach a string specific to this site to it. For example, take every third character of the site address. The password for habr (entered on id . Tm t m. R u ) will look like this: “Q9y: y> 1W.tr”, where “Q9y: y> 1W” is the string used on all sites, and “.tr "- an additive specific to id.tmtm.ru. In fact, there are two secret components here: the generation algorithm itself and the random string. To get the password you need to know both. The password is quite resistant to busting, you can periodically change the random flow - the requirements (1) and (3) are met. The problem is that it is relatively easy to guess about both components, knowing the passwords from a pair of sites.
General algorithm
The next step is the use of irreversible cryptographic functions. Only a random string, the master password, will be secret here.
The initial data for generating a password will be:
- The master password is a secret string of long-term use; it must be difficult enough to withstand brute force on any cluster ;-)
- Site - site address / computer name - where do we log in?
- The version number of the password for this site is needed if you need to change the password for this particular site.
- Login - can be useful if there are several accounts on the same site / computer (so that passwords from different accounts will not match). Also, the login works as a salt to protect against brute force on rainbow tables.
About tables
This means an attack, when an offender in any way (phishing, social engineering, site vulnerability, ...) can get passwords from any popular site. In this case, to obtain the master passwords of those users who use such a password generator, but do not fill out the login field, it can generate rainbow tables and iterate over them. Of course, such an attack makes sense only with the widespread use of this password generator.
This data is fed into the hash function, the output is considered as a long integer, we encode it in the 95th number system, we get a pseudo-random string 25 characters long for a 160-bit hash function. It is better to fold the older symbol, since it can take far from all values (more precisely, only 5 values). We get 24 pseudo-random symbols.
More precisely about the distribution of characters
In fact, the probability distribution of the possible values of the characters there will not be quite uniform due to the fact that 2 ^ 160 is not a power of 95. It turns out that some of the characters will appear more likely than others. But this unevenness will very quickly (exponentially) decrease from the higher digits to the younger ones. So (assuming that the hash function is perfect and all values of its output are equiprobable) in the 24th (highest) position, the characters will appear with probabilities 1. 1 58011% and 1. 0 51510%. On the 23rd position - with probabilities 1.05 3 724%, 1.05 1 753% and 1.05 1 510%. On the 22nd position - with probabilities 1.0526 5 2%, 1.0526 3 9% and 1.0526 2 9%. Further the difference will be even smaller. For passwords, such deviations from the uniform distribution are practically irrelevant.
Concrete implementation
Here lies a simple console program in Python3, which thus generates passwords.
You can specify one of the parameters:
-m - generate many passwords from one master password (in order not to enter the master password several times);
-r - generate a random password (the source of randomness is the system generators of random sequences and the string entered from the keyboard);
without parameters - generate one password and exit.
Immediately after entering the master password, the program displays a 2-byte hash from the master password. It is necessary to control the correctness of the input. If the hash seems unfamiliar, then the master password is entered incorrectly.
This program uses 2 different hash functions (ripemd160 and sha512) and a slightly more complicated order of feeding the source data than simply concatenating strings. Using two functions - a move for paranoids - allows (as far as I can see) to keep the algorithm's robustness even if a very serious vulnerability is detected in one of them (it is clear that this is almost unbelievable, but the overhead of such “paranoia” is also minimal).
Exact algorithm
SitePwd = ripemd160 (ver2str (version) + sha512_hex (ver2str (version) + master_password + site + login) + site)
All text strings are UTF-8 encoded; '+' means string concatenation.
The function ver2str (n) returns a string consisting of written in succession n + 1 consecutive numbers from n to 0, for example:
ver2str (0) = '0'
ver2str (4) = '43210'
ver2str (12) = '1211109876543210'
SitePwd is then converted to a long integer, which is recorded in the 95-notation. The characters from the chars array (95 characters in total) are used as 95 digits:
The 24 least significant digits of the record received, displayed in order from left to right from the least significant to the most significant, are the generated password.
All text strings are UTF-8 encoded; '+' means string concatenation.
The function ver2str (n) returns a string consisting of written in succession n + 1 consecutive numbers from n to 0, for example:
ver2str (0) = '0'
ver2str (4) = '43210'
ver2str (12) = '1211109876543210'
SitePwd is then converted to a long integer, which is recorded in the 95-notation. The characters from the chars array (95 characters in total) are used as 95 digits:
chars = "`1234567890-=\~!@#$%^&*()_+|qwertyuiop[]QWERTYUIOP{}asdfghjkl;'ASDFGHJKL:"zxcvbnm,./ZXCVBNM<>? " The 24 least significant digits of the record received, displayed in order from left to right from the least significant to the most significant, are the generated password.
')
Practically problems when using such passwords.
Some services have restrictions on the set of characters that can be included in the password. If there are forbidden characters in the generated password, you have to skip them. Accordingly, the subsequent use of the service has to remember which characters were skipped.
Comparison with passwords
The advantages of this algorithm compared with the "remembering" passwords:
- No need to have a password database at hand. It took the other computer to get the password - just downloaded the program from the github, drove your master password - and the entire database of passwords with you.
- There is no file that an attacker can steal and try to decrypt. The truth is, in a good memory with a good master password, decrypting the password database is also almost unbelievable.
- Even if you get full access to your computer (with reading all the files and installing keyloggers), the attacker still has to guess the data of your accounts (especially those that are not logged in from this computer)
- Ensures the use of different and random passwords. And you do not need to invent a password every time.
Advantages of "memorization":
- If the master password is compromised, in order to gain access to accounts, the hacker still needs to retrieve an encrypted file. In the case of a password generator, he will only have to find out the data of the accounts on which the generated passwords are used. True, IMHO, if the attacker was able to get the master password, then getting the encrypted password database would also be easy for him.
- You can use existing passwords.
- Allow to remember the password of any structure from any set of characters, there is no problem with restrictions on the password on specific sites.
What's next
I also want to add an account base here. So that it was necessary to enter only the master password and, optionally, the password to decrypt the database; the site name, login, version number, password length and list of characters to be skipped could be taken from the database.
Similar programs
The comments suggested that there is more:
MasterPassword - Habravchanin FanKiLL
pwdhash.com is the same on JavaScript from the team at Stanford University. There are browser plugins. After hashing, the password is supplemented so that it passes the standard test for complexity.
Source: https://habr.com/ru/post/233411/
All Articles