
stepchowfun / hashpass

115.0 7.0 19.0 1.51 MB

A simple password manager with a twist.

Home Page: https://stepchowfun.github.io/hashpass/

License: Other

JavaScript 21.43% HTML 0.97% TypeScript 77.59%
password-manager security-tools password security

hashpass's Introduction

Hashpass: a simple password manager with a twist


Hashpass is a password manager which doesn't store any passwords. Instead, it generates passwords on the fly using a cryptographic hash function of the domain of the website you're visiting and a single universal password that you memorize. This gives you:

  • the security of having a unique password for each website,
  • the convenience of only having to memorize one password,
  • the comfort of knowing that neither you nor any third party can lose or leak your passwords.

Screenshot

How it works

First, you decide on a universal password. That's the only password you need to memorize, so make it a good one.

Suppose your universal password is correcthorsebatterystaple, and you want to sign up for or log into example.com. Hashpass combines your universal password with the website domain as follows: example.com/correcthorsebatterystaple. It then computes the SHA-256 hash of that string. It hashes it again and again, 2^16 times in total. Finally, it outputs the first 96 bits of the result, encoded as 16 characters in Base64. For this example, the final output is CqYHklMMg9/GTL0g. That's your password for example.com.

For people who know how to read computer code, the following Python script implements the Hashpass algorithm:

import base64
import getpass
import hashlib

# The domain is normalized (surrounding whitespace stripped, lowercased) so
# that "Example.com" and "example.com" yield the same password.
domain = input('Domain: ').strip().lower()
# getpass reads the universal password without echoing it to the terminal.
universal_password = getpass.getpass('Universal password: ')

# Input to the hash chain is the string "<domain>/<universal password>".
bits = (domain + '/' + universal_password).encode()
# 2^16 rounds of SHA-256; each round hashes the previous 32-byte digest.
for i in range(2 ** 16):
    bits = hashlib.sha256(bits).digest()
# The first 16 Base64 characters of the 32-byte digest encode its first 96 bits.
generated_password = base64.b64encode(bits).decode()[:16]

print('Domain-specific password: ' + generated_password)
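Because the derivation is fully specified, it is worth seeing what that determinism buys an attacker as well as the user. The following is an added example, not code from the Hashpass project: it reimplements the derivation as a function and then plays the role of someone holding one leaked site password. Since a site password is a pure function of the domain and the universal password, that person can test universal-password guesses offline at a cost of 2^16 SHA-256 evaluations per guess, and a correct guess yields every other site's password too. The universal password hunter2, the wordlist and the domains are constructed for the demonstration. The example also shows that the exact domain string is part of the input, so the www. and login. hosts of one site get different passwords.

```python
import base64
import hashlib
from typing import Iterable, Optional

ITERATIONS = 2 ** 16   # rounds of SHA-256, as specified in the README
OUTPUT_CHARS = 16      # 16 Base64 characters carry the first 96 bits


def hashpass(domain: str, universal_password: str) -> str:
    """Derive a site password as the README describes: SHA-256 applied
    2^16 times to "<domain>/<universal password>", then the first 96 bits
    of the final digest, Base64-encoded."""
    digest = (domain.strip().lower() + "/" + universal_password).encode()
    for _ in range(ITERATIONS):
        digest = hashlib.sha256(digest).digest()
    return base64.b64encode(digest).decode()[:OUTPUT_CHARS]


def recover_universal_password(domain: str, leaked_site_password: str,
                               candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing attack available to anyone holding one leaked site
    password: re-derive the site password for each candidate universal
    password and stop at the first match. Each guess costs exactly 2^16
    SHA-256 calls and needs no interaction with the website."""
    for guess in candidates:
        if hashpass(domain, guess) == leaked_site_password:
            return guess
    return None


# Constructed scenario (not data from the project): the user's universal
# password is a common word, and their example.com password has leaked.
UNIVERSAL_PASSWORD = "hunter2"          # hypothetical weak universal password
LEAKED_DOMAIN = "example.com"
LEAKED_SITE_PASSWORD = hashpass(LEAKED_DOMAIN, UNIVERSAL_PASSWORD)

# Hypothetical short wordlist an attacker would try first.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon"]


def demo() -> dict:
    """Run the checks a reviewer of the scheme would want to see."""
    recovered = recover_universal_password(LEAKED_DOMAIN, LEAKED_SITE_PASSWORD, WORDLIST)
    return {
        # Same inputs, same output; normalization makes case and whitespace irrelevant.
        "deterministic": hashpass("example.com", "pw") == hashpass("Example.COM ", "pw"),
        "length": len(LEAKED_SITE_PASSWORD),
        # The exact domain string is hashed, so a login host on another
        # subdomain gets a different password.
        "subdomain_differs": hashpass("www.example.com", "pw") != hashpass("login.example.com", "pw"),
        # One leaked site password is an offline test oracle for the universal password.
        "recovered_universal_password": recovered,
        # Once the universal password is known, every other site's password follows.
        "other_site_password_known": recovered is not None
            and hashpass("other.example", recovered) == hashpass("other.example", UNIVERSAL_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway is the README's own advice made concrete: the universal password has to withstand offline guessing, because any single leaked site password lets an attacker test candidates at 2^16 SHA-256 per guess with no rate limiting in the way. The subdomain check is the practical side of the same determinism: whatever string the client feeds in as the domain must be exactly reproducible, or the same account gets a different password.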

Installation instructions

You can install Hashpass from the Chrome Web Store here. Then you can find the Hashpass button next to your address bar or in the extensions dropdown. By default, you can also open Hashpass with Ctrl+Shift+P (Cmd+Shift+P on macOS).

Website

Hashpass is also available on the web at stepchowfun.github.io/hashpass, although the Chrome extension is generally more ergonomic to use since it can interact with the page you're logging into.

hashpass's People

Contributors

adm244, dependabot[bot], nkanaev, stepchowfun


hashpass's Issues

Save username and password generation date

Hello,

I really like the idea of a stateless password manager, but how do I know my username then?
I could of course choose the same user for every page, but might not want to do that. On some sites it also might already be taken.

After reading this advice:

If a generated password is ever compromised, you don't need to memorize a whole new secret key and update all of your passwords. For that service only, just add an incrementing index to your secret key. Such a tiny change in your secret key results in a completely new password for that service. For example, if your key was bananas, just use bananas2. If you can't remember which iteration of your secret key you used for a particular service, simply try them all in order.

I think this is neither very practical nor elegant. On some sites I only have a few tries, and if I change my password on a regular basis (which is advised in some cases) the account might get frozen before you reach the correct iteration.

For both of these problems a simple solution would be to save the user and the creation date in some kind of database. This might contradict the principle of hashpass in a way, but keep in mind only non-critical information would be saved. A possible attacker that gets the database still wouldn't be able to do much with it without the master password.

Instead of:

Hashpass combines the current domain name and your secret key with a / as follows:
www.facebook.com/bananas. It then computes the SHA-256 hash of that string

It would include the creation date in the hashing input:

www.facebook.com/bananas/2017-05-14

I suppose you have already thought through these problems and might have come up with conclusions/solutions. Let me know what you think.

Question: How does it work in case domain name changes?

Hi,
My question is how does it work if the service domain name changes from www.facebook.com to login.facebook.com ?

In case it is using the domain name of the password box as-is, it may fail to produce the same password.

Can't modify domain

I think it would be nice if you could easily change the domain field. For example, if you want to use your password to access a subdomain of a website.

Link compatible client

Hi,

first of all, great project, I really like your idea!
So much in fact, that I implemented a compatible client for the command line over here: https://github.com/binaryplease/go-hashpass

I hope that is okay, I don't want to steal any of your work and ideas. You link a compatible Python script at the bottom of your repo; I wrote my app in Go because it allows me to run the binary on any system without having to install Python.

Just wanted to leave a comment in case you want to link to the project in the README.
Cheers!
