[Nottingham] The pipe dream of Password Managers

Martin martin at ml1.co.uk
Fri Jul 24 19:12:43 UTC 2015 

Folks,

A slightly curious article but with a very good comment...

The Register:

Choc Factory research shows users just don't get security
http://www.theregister.co.uk/2015/07/24/noone_can_hack_my_mind_google_experts_paper/



>From the comments, try this for taste for all those multiple pesky
websites that demand that you must give them your login:


Re: Password managers
http://forums.theregister.co.uk/forum/containing/2581282

#####
"Password managers don't have to be run 'in the cloud' - they can be
standalone applications running on your computer, and which should
therefore continue running long after the developers have gone." -- VinceH

Here's mine:

echo -n 'mymainpassword myusernameforthewebsite thewebsitename' |
sha256sum - | xxd -r -p | base64 | tr 'a-m' '!--' | cut -c -20 | xclip

When my browser can't remember a password, I just run that script in a
terminal, then middle key click the password input field to paste a
twenty character password, with 6 bits of entropy per character. If you
used the literal values in the case above it would be: 3"'MnsKA-&t74GD&,GxE

For stupid accounts that insist on alphanumeric only, replace the 'tr'
command (with something like sed "s/[+/=]//g"). The script works with
very little modification on windows too. I also have a version that does
a non-echoing prompt for the main password, but I tend not to bother
with that now unless I'm aware I may be overlooked (but it's also good
if you don't want it to end up in your shell history):

read -s -p "Password:" PASSWORD && echo -n "$PASSWORD
myusernameforthewebsite thewebsitename" | sha256sum - | xxd -r -p |
base64 | cut -c -20 | xclip
#####


Note the clever use of a password salt for the generated site specific
password...



There must be an easier way to all these pesky logins!

Cheers,
Martin


(OK, so bad pun on *nix process pipes :-P )



-- 
- ╔═══════════════════╦══════════════════════════════════════════╗
- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
- ╚═══════════════════╩══════════════════════════════════════════╝

More information about the Nottingham mailing list