mwgg / passera

[UNSUPPORTED] A small tool to turn any entered passphrase into a strong secure password, allowing you to easily use different strong passwords for different websites without storing them

License: Other

Java 2.41% JavaScript 12.04% CSS 0.22% Go 85.10% HTML 0.24%

Contributors: mwgg, sweetlion

passera's Issues

Passera i386 (32 bit) Windows generates 12-character default

Just upgraded an old notebook which runs 32-bit Win7 Pro, and installed Passera.

The default is supposed to generate a code word of 16 characters w/ special characters.

As installed, my 32-bit Passera generates 12-character only.

Unlike the Firefox app (which no longer works in FFox Quantum), there seems to be no easy way for a user to change the settings through the CMD window.

Results not matching

Result of the Windows command line tool (x64 & x86) differs from the Android app & Linux command line tool (x64); passphrase used: 1234567890
BUT: the problem does not exist if the passphrase is shorter, here: 12345

Feature request & enhancement proposals. Documentation.

Hi!

Thanks for this great app! I'm now using pwdhash and I consider your app a promising future drop-in for the latter.

I have some suggestions to make, but I prefer to open a separate issue for each one. At this moment I'd like to ask you for good documentation about the hash & encoding procedures. This is important if sometime in the future your app disappears and people want to recover their passwords.

Enhancement proposal: fingerprint

A small fingerprint can be shown on screen after pw entry. It should depend on all parameters: special chars yes/no, length of digested pw, etc.

I propose something like sha512(orig pw | digested pw in ascii form) and take the lowest bits encoded, for example, as base32 (see Crockford's alphabet as reference). 6 characters (= 30 bits) may be a good compromise between collision resistance and quick visibility (for example, when checking it in a list).

This can be a safe method to quickly check if the pw was correctly typed. The user may maintain a list with all sites/services where he/she applies passera with each fingerprint beside each entry.
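
The fingerprint proposed in this issue, sketched in Go as an added example (not code from Passera or from the issue's author). It assumes "|" means concatenation, reads "lowest bits" as the last 30 bits of the digest, and uses the passphrase/output pair from the README example quoted elsewhere on this page as sample input; the function name is hypothetical.

```go
package main

import (
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// Crockford's base32 alphabet: no I, L, O or U, so symbols are hard to misread.
const crockfordAlphabet = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"

// Fingerprint returns a 6-character (30-bit) check value over the typed
// passphrase and the generated password, following the proposal in the issue.
// Assumption: each part is length-prefixed before hashing so that
// ("ab", "c") and ("a", "bc") do not feed the same bytes to SHA-512.
func Fingerprint(passphrase, generated string) string {
	h := sha512.New()
	for _, part := range []string{passphrase, generated} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write([]byte(part))
	}
	sum := h.Sum(nil)
	// Lowest 30 bits of the digest, read as a big-endian integer.
	low := binary.BigEndian.Uint32(sum[len(sum)-4:]) & (1<<30 - 1)
	out := make([]byte, 6)
	for i := 5; i >= 0; i-- { // 6 symbols x 5 bits, most significant first
		out[i] = crockfordAlphabet[low&31]
		low >>= 5
	}
	return string(out)
}

func main() {
	// Passphrase and generated password taken from the README example.
	fmt.Println(Fingerprint("githubPasswd123", "dpu7{Lrby(vQLd8m"))
	// A one-character typo in the passphrase gives an unrelated fingerprint.
	fmt.Println(Fingerprint("githubPasswd124", "dpu7{Lrby(vQLd8m"))
}
```

Because the generated password already depends on the length and special-character settings, hashing it covers those parameters. A stored fingerprint also lets anyone holding the list test passphrase guesses offline, so the list needs the same protection as the passphrase.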

Reversed engineering

Hello, I'm not sure how this works, but it is probably vulnerable to a reverse engineering attack. Someone could just figure out how this works and possibly get our passwords if we type a website name or similar..
I was thinking it would help if we could have our own unique system by modifying the algorithm. There are a million possibilities out there, so we could affect how the script creates passwords so that reverse engineering is out of business. Just consider my idea please, and if I am wrong please explain why that is. I don't really understand your script, but I do use it and I like it, but once someone finds out I am using this, the attacker is free to study the code....

Installation Instructions For Linux

I'd like to get this on my headless server running ubuntu 14.04. How do I install this software? I've gotten it working on windows, and in Firefox (both of which work well.) But my core system is a headless server, and I'd like to get it running on that.

I've tried going to my git directory, and doing git clone https://github.com/mwgg/passera which installed the folder structure and I can get to /src but how do I run passera.go?

I also did the standard ./configure route. Nothing.

I downloaded go and tried to run go build passera.go it fails.
So I tried go run passera.go & got:
passera.go:5:2: cannot find package "github.com/atotto/clipboard" in any of:
/usr/src/pkg/github.com/atotto/clipboard (from $GOROOT)
($GOPATH not set)
passera.go:4:2: cannot find package "github.com/howeyc/gopass" in any of:
/usr/src/pkg/github.com/howeyc/gopass (from $GOROOT)
($GOPATH not set)

Now I can certainly run that error chain to the end and see where I get but I assume your code is fairly easy to use because it was so simple in Firefox and Windows. Which makes me think I'm going about this all wrong.

Thank you in advance.

Compatibility with Palemoon

Hello dear sir or madam,
thank you for reading in advance.

Although Palemoon is a browser which is on par with FF or Waterfox, I think, I sadly can not use your wonderful addon on it. Due to the thing, that it isn't available for "FF 24.9".
Sadly Palemoon has this Version number and sends it somehow; I am not sure whether Palemoon should fix this for better compatibility or you could add sum' exception to your addon to let it work with Palemoon and maybe other forks of FF, which work with diff. version numbers but same functionality... if it is in your interest and/or are in the mood for it.
Thanks again.

Regards,
uz~

Passwords are Deterministic and Therefore NOT SECURE

From the Readme:

A simple tool that allows users to have strong unique passwords for each website, without the need to store them either locally or with an online service.

Because a deterministic SHA-512-based approach is utilized by Passera, two users who use the same password, when using Passera, will also generate the same exact password.

PoC:

  1. Enter githubPasswd123
  2. Enable special characters
  3. Get the same output as on the readme (dpu7{Lrby(vQLd8m).

While it is debatable that the outputs are secure against a naive attacker, with the knowledge that two users with the same input will receive the same output, they are certainly not unique.

When an attacker who is aware of the existence of this tool enters this threat model, the security of the entire app comes into question.

Recommendations:

  • Implement a nonce/salt for each user; e.g. an SHA-256 hash of their email address (or other appropriate identity selector) -- this won't stop targeted brute forcing, but it will prevent mapping plaintext inputs to deterministic outputs. This also does not require local or remote storage to work properly.

Further reading: http://www.cryptofails.com/
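
The salt recommendation above, shown in Go as an added example that is not Passera's code or the reporter's: derive is a hypothetical stand-in for a deterministic SHA-512 generator, and the e-mail addresses are constructed. It assumes the address is trimmed and lower-cased before hashing so the same user always gets the same salt.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"strings"
)

// identitySalt is the per-user salt suggested in the issue: SHA-256 of the
// e-mail address. Normalising first (an added assumption) keeps
// " Alice@Example.org" and "alice@example.org" on the same salt, so a change
// in casing does not silently produce a different password.
func identitySalt(email string) [32]byte {
	return sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
}

// derive is a stand-in for a deterministic SHA-512 generator; it is NOT
// Passera's algorithm. An empty identity reproduces the unsalted behaviour
// the issue describes.
func derive(passphrase, identity string, length int) string {
	h := sha512.New()
	if identity != "" {
		salt := identitySalt(identity)
		h.Write(salt[:]) // fixed 32 bytes, so no ambiguity with the passphrase
	}
	h.Write([]byte(passphrase))
	enc := base64.RawURLEncoding.EncodeToString(h.Sum(nil)) // 86 characters
	if length < 0 || length > len(enc) {
		length = len(enc)
	}
	return enc[:length]
}

func main() {
	p := "githubPasswd123" // passphrase from the issue's PoC
	// Unsalted: every user who picks this passphrase gets the same output.
	fmt.Println(derive(p, "", 16) == derive(p, "", 16))
	// Salted: same passphrase, different identities, different outputs,
	// with nothing stored locally or remotely.
	fmt.Println(derive(p, "alice@example.org", 16), derive(p, "bob@example.org", 16))
}
```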

Google Play?

Any chance that you can please upload this app to Google Play?

Gradle issues and versionCode

  1. Please update your versionCode when bumping versionName. The versionCode is used to actually check for updates.

  2. Does the gradle build (not executed from an IDE) work for you?

Missing Firefox Add-on

Are you planning to conform to the new firefox rules in order to get passera back to the browser?

Unable to build for android

./gradlew task-name resulted in

FAILURE: Build failed with an exception.

* Where:
Build file '/home/suhaib/Desktop/passera-master/android/app/build.gradle' line: 17

* What went wrong:
A problem occurred evaluating project ':app'.
> Ambiguous method overloading for method java.io.File#<init>.
  Cannot resolve which method to invoke for [null, class java.lang.String] due to overlapping prototypes between:
  	[class java.lang.String, class java.lang.String]
  	[class java.io.File, class java.lang.String]

Password stays in Firefox dialog

Hello. I've found a small quirk that I think should be fixed. Whenever generating a password in Firefox, the dialog never hides the generated password--it's something you have to manually hide. This sounds somewhat insecure.

I'm really enjoying Passera on all my devices. Thanks!
