A lot has already been written about passwords on Habr and Hiktaims. On the Internet you can find many password programs and plugins/add-ons, and browsers can save passwords. It would seem that everything already exists. But no, I built my own bicycle, because all the old bicycles have their flaws. The main drawback of all these programs is their database, which is easily destroyed. I went through this myself: the best-known program, KeePass (more precisely, its fork KeePassX), twice killed my file by itself. I don't know how it is now, but two years ago it could not make a backup copy of the database, and if disk space ran out, the program crashed or something else happened, the database file easily ended up 0 bytes in size. The only program I liked was Password Commander, which made backups itself, but unfortunately the project died, and it was Windows-only anyway.
People are divided into those who do not make backups and those who already do.
2-3 years ago the idea of my bicycle, a password generator, was born and developed. Of course, the idea is not new, and many variations of it have been discussed many times. On Habr, in the article "Generating xkcd passwords for PHP", I expressed my idea back in 2014 and after that slowly began to implement and run it in. By mid-2015 I had a browser plugin, ¡No PASSarán, which I would like to talk about in this material.
If you are too lazy to read about the path to success of my young, dynamic project, you can go straight to the online version of ¡No PASSarán or to GitHub / Bitbucket.

In addition to the drawback described above, the death of the database, all password managers have several other drawbacks (I will list them with caveats):
- You cannot always carry the database with you everywhere. Of course, in the age of the Internet and clouds this is not a serious drawback, and in principle you can always keep a copy on your phone or in the cloud;
- It is a set of passwords; you have to search through the database, so access to the data is slow. Of course, many managers have already learned to integrate into browsers and applications and fill in the data automatically;
- Storage reliability is not very good, in browsers for example. Of course, you can set a master password, but it can be intercepted by a keylogger;
- No manager can recover a lost password.
If you don't use a manager, remembering hundreds of passwords is not an option, so people at best use a couple of passwords, or keep them in a file that is, at best, password-protected.
In my bicycle I tried to avoid all these flaws. Some of them, of course, are not yet fully solved, and some are still in the plans. More on that near the end of the article.
Currently there are two popular approaches to "generating" and/or memorizing passwords. Both are described in the well-known online image:

The second option appears to take longer to crack, judging by the article (see the link above) and the comments on it. But it seems to me that if a person has one password and uses it everywhere, as many do, then once it is stolen an attacker can break into and steal many accounts. And by my observation (I don't claim this is the truth), it is easier to crack, because you can assemble a base of frequently used words (especially in languages without suffixes and endings) and try their combinations: most people will use 2 to 4 words, which is roughly like brute-forcing a 2-4 character password, only over a somewhat larger alphabet, because with special characters the number of "words" is also quite large. This only works against predictable word choices, though: four words drawn uniformly at random from a 2048-word list already give 2^44 combinations, far beyond a 2-4 character search. Add to that the restrictions of services: some allow only a limited number of characters, which narrows the search further. And for the user there is another difficulty: you have to remember or invent a new password for each service, or use a shorter version everywhere. And that is without counting the services that require at least one digit or special character.
In my bicycle I tried to combine the best of both options and improve on them. From the second option comes the need to have three "words" (I called them the salt, the algorithm and the master password), and from the first the final password is the MD5 of the combined string; in fact, passwords are often stored on the server as MD5 anyway.
Initially I came up with and used a simple algorithm for sites, like this:
- There was a master password, say quaka42eqava
- Then I took a website, for example example.com, and derived other parts from it: example, 7, com, moc, 3 (the domain, its length, the zone, the zone reversed and its length); I think it is clear where each comes from
- The third step was assembling the new password: moc3quaka42eqava7example
This option is easy to memorize, there is no need to carry a database with you, and it meets both requirements described in the picture. But it has bottlenecks:
- for example, I could end up on an attacker's website and enter the password created for that site there, say attacker.rf => fr2quaka42eqava18attacker. Looking at the password, the attacker could work out the algorithm and hijack some of my accounts
- constantly splitting up the domain and counting characters gets tedious
Because of this I improved the algorithm. Since passwords on servers are stored in hashed form, often as MD5 (with a salt), I decided to go the same way and add hashing to the algorithm. But this brought another complication: constantly opening a console or an MD5 generator and typing the data in there, so I started writing the passwords down in a file, which threw my idea back into the Stone Age, returning it to the narrowest bottleneck: a password database that can be stolen or corrupted and that you cannot take with you (unless you do so deliberately). Of course, you can protect against theft with another password that locks the database, but no one is insured against file corruption, which can happen quite easily with an encrypted file. And so I decided, and got back to the postponed project.
So, imagine that your personal project has been abandoned (sorry, of course, postponed until there is time to return to it!) and then Dreddik (in the article and somewhere in the comments on Habrahabr)
How to use
Suppose you come up with three parts, for example: the master password, as before quaka42eqava; the salt, the name of your pet, "Kuzya"; and the algorithm, your phone number (the password is case-sensitive, the salt and the algorithm are case-insensitive). Enter the salt and the algorithm in the plugin settings; they stay there. Then go to the site you are interested in, where you want to register or log in, put the cursor in the password field and press the plugin's button on the browser toolbar; in the window that appears, enter the master password and press OK or Enter. The password is generated automatically and inserted into the field where the cursor was.
The plugin and the online version can be used not only for sites. If you need a password for a third-party program, tick "Forget about the domain" in the online version or in the plugin's guest mode.
In addition, 4 buttons are available (3 in the online version):
Buttons-icons ¡No PASSarán
- Copy password to clipboard
- Show generated password
- Advanced password generation settings
- Guest mode (not available in the online version, because the online version already works in guest mode)
Generation Algorithms
Algorithms are constructed as follows. Suppose we specified the phone number 88005555555 as the algorithm, the salt Kuzya and the master password quaka42eqava, for example.com. Generation from the algorithm then proceeds automatically in three stages:
- We get all the parts (I will not repeat the duplicates):
- 8 - The first half of the master password: quaka4
- 0 - The entire domain name: example
- 5 - The number of characters in the zone; the zone is com, so 3
- The parts are concatenated into a string, with the master password added at the beginning as an extra precaution: quaka42eqavaquaka4quaka4exampleexample3333333. A good length for a password, isn't it? Who can figure out how many years it would take to brute-force?
- The last step shortens it again (and so reduces the number of years needed to brute-force it): we run this string through MD5 => md5(quaka42eqavaquaka4quaka4exampleexample3333333) => f837bab2e4d20aa30e884a42e9473708a
Algorithms can be built in two ways - basic and advanced.
Basic method for constructing an algorithm
For the basic algorithm, all letters (Russian and English) and digits are available; they must be written as a single "word" without separators.
- 0 - Entire domain name (alias: a, k, u, a, nd, y, e)
- 1 - Entire domain zone (alias: b, l, v, b, k, f, y)
- 2 - First half of the domain (alias: c, m, w, b, l, x, i)
- 3 - The second half of the domain (alias: d, n, x, g, m, c)
- 4 - The number of characters in the domain (alias: e, o, y, d, n, h)
- 5 - The number of characters in the zone (alias: f, p, z, e, o, w)
- 6 - Whole salt (alias: g, q, , p, u)
- 7 - Master password entirely (alias: h, r, f, p, b)
- 8 - The first half of the master password (alias: i, s, s, s, s)
- 9 - The second half of the master password (alias: j, t, u, t, b)
Advanced method for constructing an algorithm
For the advanced method, the codes are numbers separated by any character other than a digit or a letter. Of course, they can and should be combined with the digit codes of the basic algorithm. More codes will be added.
- 10 - Inverted whole domain name
- 11 - Inverted entire domain zone
- 12 - Inverted first half of the domain
- 13 - Inverted second half of the domain
- 14 - no
- 15 - no
- 16 - Inverted whole salt
- 17 - Inverted master password entirely
- 18 - Inverted first half of the master password
- 19 - Inverted second half of the master password
- 160 - First half salt
- 161 - The second half of salt
- 162 - Inverted first half of salt
- 163 - Inverted second half salt
For example: 8-8-0-0-163-10-13

It is recommended to include an element that depends on the domain (0, 2, 3, etc.) in the algorithm.

Advanced settings
On some sites, such as Yandex, you need one password for all subdomains. To do this, enable the "Disable subdomains" setting; after that, generation ignores subdomains and uses only the domain. Attention! If you have already created a password on a subdomain, it will no longer work; you will need to untick the setting for that subdomain.
Some sites forbid passwords longer than a certain number of characters. On such sites you can enable the trimming setting. ¡No PASSarán uses the standard JavaScript function substr, so details of how the string is trimmed can be found in the documentation for that function (note that substr is a legacy function: its second argument is a length, not an end index as in slice). Usage example:
Suppose we generated the string "abvgdeezhzi"; then typing the following in the "Crop" field gives:
- -3, 2 => hz
- -3 => hzi
- 1 => bvgdeezhzi
- -20, 2 => ab
All these settings are stored in the browser. In future versions, it will be possible to save advanced settings to a file, for transfer between browsers and computers.
Advantages and disadvantages
Now you don't need to store hundreds of passwords on your computer, in your head or in a notebook. All passwords are unique and very hard to crack or steal. A password consists of two parts (three elements): the master password, and the algorithm with the salt, which are kept separate from each other. The algorithm and the salt are stored in the browser and can be stolen by someone who takes over your computer, but without the master password they still cannot get your passwords. If the master password is stolen, for example with a keylogger, then without the algorithm and the salt they cannot derive the passwords either. The caveat is that these stay two separate threats only as long as the elements stay separate: malware that both reads the browser storage and logs keystrokes gets all three at once, and since the generator is deterministic, it then gets every password.
Exception: the online version, which should be used only as a last resort and only when you are sure there are no keyloggers or other malware on the computer. On such a computer it is generally better not to enter any passwords at all, no matter how strong they are.
These passwords are hard to social-engineer.
Passwords can even be sent over an unprotected (http) connection: if the password for the current site is intercepted, the passwords for other sites remain secure, because each is a separate MD5 output. One caveat: an intercepted generated password is a known hash of a string built from the master password, salt and algorithm in a public format, and MD5 is very fast to compute, so the protection of the other sites rests on the master password and salt being hard to guess offline.
Of the disadvantages:
- You need to remember three key "words". The salt and the algorithm need not be memorized; they can be written on a piece of paper and hidden in a safe, to be restored if ever needed, but then you will not be able to use the online version if you forget them.
- You need a computer with the plugin at hand, or you have to go to the online version.
- There are no special characters yet, but they are planned.
A little more about ¡No PASSarán
The latest version adds the ability to generate a password in guest mode. Thanks to this you can have several accounts with different generated passwords on the same site. To do so, enter the current login in the "Salt" field, for example, and a unique password will be generated with this salt-login. Knowing only the login, you will not need to remember the password, because everything else (the algorithm and the master password) is used as before.
I have been using this plugin since April 2015 and have experienced all its beauty and convenience. I invite you to use it for free, without registration or SMS.
Links and installation
Online version (GitHub mirrors):
- Online ¡No PASSarán. Mirror 1
- Online ¡No PASSarán. Mirror 2
- Online ¡No PASSarán. Mirror 3
Repositories:
- GitHub
- Bitbucket
Browser extensions:
- For Chrome and similar browsers
- For Firefox
PS Please don't be too hard on the code.