End of Passwords

They're watching. All the time. Everywhere.

Post by Tormeron » 24 Jun 2015, 17:13

Greetings friends,

I am proud and honored to share with you my own program by design and coding:
http://www.jwhostings.net/passgen

It's your way of saying goodbye to thinking about passwords or using database-stored password generators. This program requires no database and no internet connection, and it will generate the same passwords each time for the same credentials entered!

Enjoy!
Lilandris wrote:Liandrix' words not mine, but Tormeron is a god apparently. Probably a bit like Loki.

serendipity wrote:Reason: Potato.


Post by Erethas » 25 Jun 2015, 15:31

I appreciate the idea behind this, but it seems difficult to scale. Different websites have different requirements (i.e. at least one symbol, a low maximum number of characters, etc.) that the hashing algorithm you are using does not account for.

Also, for this kind of thing it would be good to provide the source code as well. I trust you, of course, but for someone who really cares about the things you solve (i.e. no database), being able to compile it yourself is almost a requirement.
You are now breathing manually.

Post by Tormeron » 25 Jun 2015, 16:17

The source code is not supplied for the exact same reasons.

I have no problem with someone checking the truth behind my words by checking connections to the internet through Fiddler 4 or any other packet-listening software. You can scan your computer for changes in files by creating a sandbox and check if it saves your passwords somewhere, which I assure you it doesn't.

While there are some sites that need special chars for them, I don't know of many yet that do.
There will be an additional version of this program released soonish with more complex passwords.

If I had supplied the code behind this, people would use that code to build an easy-to-use hacking tool. While decryption of an EXE is possible, by what I know, decryption of this EXE isn't easy (while still possible).

I'd rather people wonder what algorithm I used so it won't be easy to hack into people's passwords.

I do understand your standpoint and I shall rethink mine but, for now, the base code shall remain hidden.

Post by Erethas » 25 Jun 2015, 17:15

Protection by closed source code, even if you use obfuscation, is futile. The best security is using either non-reversible hashing, or strong enough encryption that will take a lot of time to crack.

I use KeePassX for this exact reason: I have faith in running security-related software that is audited by many people not related to each other and that I can build myself. To use anything less for storing my passwords would feel very weird to me.
You are now breathing manually.

Post by Gergel » 25 Jun 2015, 19:24

The idea is nice, but I think I will stick with my KeePassX. Erethas has pretty much stated both issues I also have with this program.

It generates only four passwords for me. I just checked my KeePassX container, it has about one hundred entries in it, give or take a few, each of them different. Plus there are quite a few different passwords/passphrases I keep only in my memory. Having your program provide only four pre-labeled passwords (one of them for a Facebook account which I do not even have) is somewhat... insufficient.

Your program generates four passwords based on two other passwords that I would need to remember. I might as well just remember four separate passwords. What's the point of those two separate passwords anyway? I can't imagine how it makes the encryption or hashing process any more secure compared to only one password (which you could split in half to get two parts, if you really need them).

My KeePassX container sits in my DropBox, where I can open it under any operating system I use (Windows, Linux, Android, Windows RT) and could potentially open in just about any other operating system I can conceive of (OSX, IOS, WinPhone, BSD, ad infinitum). Yours is, it would seem, Windows-only.

And of course I, like Erethas, think that its closed-source, security-through-obscurity nature doesn't really help very much. If a bad guy were to take any serious interest in it, he would most likely have it cracked faster than you can say "Blorgh". (Assuming you draw the word out really long, "Bllllllllooooooooooorrrrrrrrrrggggggggghhhhhhhhhhhhhhh".)

Edit: I must admit that saying "Blorgh" lasted quite a few minutes in my case. Well, at least you're using AES256 and are not inventing your own crypto algorithm... Although the password generator routine could probably be defined more easily as a separate function instead of doing the same thing four times. If you ever decide to add more generated passwords, you may run into a problem with the minimum length of the _stringtohex(_crypt_encryptdata()) return value, assuming both $num and $pass1 are only one character long.
What kind of sick individual burns a book full of perfectly good dark arts?!
- Darkscryer Raastok

Post by Tormeron » 25 Jun 2015, 21:43

Once again, I didn't say I will not consider making it open source, just give me time to think about it a bit.

Also, the passgen is different from KeePassX by not possessing a storage.

The 2-key password generator is so that there is no predefined key by which to rotate the passwords; they are rotated by your own key.

The idea of the words on the side is that they are just suggestions as to what you can use that password for.

Let's give the following example:

My password is: password (since I'm dumb)
and my key is: gmail (since I want to use it for Gmail)

It will give me 4 different keys to use for Gmail.

Now say I want a password for Facebook that is unique. I shall use my same password "password"
but change the word to "facebook". This way, I won't have to recall 2 passwords, but just the service it is for and the password I can remember.

Using KeePassX uses a storage system which in the end is its weakness: having a database (whether encrypted or not) can be hacked; having none removes the chance of your database being hacked.

It's like saying I'll buy a safe to hold my precious keys for all kinds of doors, now I'll place all the keys in the same safe hoping that the security of that safe is strong enough.

With my program I don't rely on a safe to hold it; I've hidden each key behind a different safe, meaning someone will have to guess where your safe is and then also guess the combination you used (of course there are no actual database files saved, but it's just for the demonstration).

-- 25 Jun 2015 22:43 --

Also, Gergel, I'd love it if you would explain what you meant by the short passwords thing. I could perhaps solve the issue you are referring to, but I can't quite understand what you meant; the program is not supposed to create more than 4 passwords.

If you'd like I could create you a container for your keys in a 4096 encrypted database. Though it theoretically takes forever to crack, all you need is to know the one password that person uses. I really don't think building stronger walls for the safe is the way to go with protection of my passwords.

Post by Gergel » 26 Jun 2015, 09:45

Tormeron on 25 Jun 2015 23:43 wrote: once again, I didn't say I will not consider making it open source

It already is open-source. Unpacking the .exe (which is just an interpreter wrapper around the plain script) was trivially easy once I realized the language the program was written in.

Tormeron wrote: The 2-key password generator is so that there is no predefined key by which to rotate the passwords; they are rotated by your own key.

The idea of the words on the side is that they are just suggestions as to what you can use that password for.

OK, I think I now understand what you are trying to provide. It's just that the program's labels make it counterintuitive. When I look at it, here's how I think: "It asks two passwords from me. Why two passwords? Why not just one? And then it generates only four application/website passwords. I need far more than that, I need hundreds of passwords. And I don't even use FaceBook, although I guess I could use the FaceBook password for, Idunno, RnP forum. But then I'd have to remember that 'FaceBook' == 'RnP' and that's annoying." I didn't even think of running the program several times for each website I use.

The predefined labels are confusing if the whole idea is to have a separate "Word / Number" for each target website.

Tormeron wrote: It will give me 4 different keys to use for Gmail.

Why would I want 4 keys for GMail? I can only use one. What's the point of the other 3? And why are they labeled "FaceBook", "Microsoft account" and so on? I was generating a key for GMail. Or Steam. Or RnP forum.

Tormeron wrote: Now say I want a password for Facebook that is unique. I shall use my same password "password"
but change the word to "facebook". This way, I won't have to recall 2 passwords, but just the service it is for and the password I can remember.

Your program needs some sort of "go back" logic to return to the previous page to enter a new password or application name. It'll be horribly annoying to have to close and re-open it for every site.

Tormeron wrote: Using KeePassX uses a storage system which in the end is its weakness: having a database (whether encrypted or not) can be hacked; having none removes the chance of your database being hacked.

Your program can be made to regenerate all the relevant keys just by knowing the user's password, and figuring out the application naming schema they use.

Tormeron wrote: It's like saying I'll buy a safe to hold my precious keys for all kinds of doors, now I'll place all the keys in the same safe hoping that the security of that safe is strong enough.

With my program I don't rely on a safe to hold it; I've hidden each key behind a different safe, meaning someone will have to guess where your safe is and then also guess the combination you used (of course there are no actual database files saved, but it's just for the demonstration).

On the other hand you have a device that creates a new key from a blank template, but only requires one master key to operate. If I have the master key, I can operate the machine and recreate the keys for all your safes.

Tormeron wrote: Also, Gergel, I'd love it if you would explain what you meant by the short passwords thing. I could perhaps solve the issue you are referring to, but I can't quite understand what you meant; the program is not supposed to create more than 4 passwords.

I was under the impression that you were planning to make the program generate more than 4 passwords.

Code:
#include <Crypt.au3>    ; AutoIt UDF providing _Crypt_EncryptData() and $CALG_AES_256
#include <String.au3>   ; AutoIt UDF providing _StringToHex()
; Encrypt the "Word / Number" field ($num) with AES-256, keyed from the first password ($pass1)
Local $p1 = _crypt_encryptdata($num, $pass1, $calg_aes_256)
; Hex-encode the result; the generated passwords are sliced out of this string
$p1 = _stringtohex($p1)

Assuming both $num and $pass1 are only one character long (which is a really bad idea, but this is proof-of-concept), the length of the string returned by _stringtohex() is 68 characters. That's sufficient for six 10-character generated passwords, but if you decide to add more generated-password fields, you would run out of string. Longer passwords, of course, generate longer strings. Of course, now I know that you're not in fact planning to do so, so the point is moot.

Tormeron wrote: If you'd like I could create you a container for your keys in a 4096 encrypted database. Though it theoretically takes forever to crack, all you need is to know the one password that person uses. I really don't think building stronger walls for the safe is the way to go with protection of my passwords.

Thanks, but I'm very happy with my 256-bit AES container. Bottom line: I think I'll stick with it.
What kind of sick individual burns a book full of perfectly good dark arts?!
- Darkscryer Raastok
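The scheme Tormeron describes (one master password plus a service word, the hex output sliced into fixed-length passwords) and Gergel's length arithmetic, as an added example that is not the passgen program's code. It assumes PBKDF2-HMAC-SHA256 in place of the program's AES-256 step, and takes the 68-character string length from Gergel's measurement:

```python
import hashlib

# Constructed example for this thread, not the passgen program itself: a stateless,
# deterministic generator turning (master password, service word) into N passwords.
# Assumption: PBKDF2-HMAC-SHA256 stands in for the program's AES-256 encryption step.

HEX_LEN = 68   # hex string length Gergel measured for one-character inputs
PW_LEN = 10    # characters taken per generated password


def derive_hex(master, service, hex_len=HEX_LEN):
    """Derive hex_len hex characters from the master password and service word.
    Same inputs always give the same output: that is the whole design, and also
    why anyone holding the master password and the naming scheme can regenerate
    every password without any stored database."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              service.encode("utf-8"), 100_000,
                              dklen=(hex_len + 1) // 2)
    # Output alphabet is only 0-9 and a-f: no symbols, no upper case.
    return raw.hex()[:hex_len]


def split_passwords(hexstr, count, pw_len=PW_LEN):
    """Slice the derived string into `count` passwords of `pw_len` characters.
    Raises ValueError when the string is too short, which is the 'run out of
    string' problem from the thread (68 chars hold at most six 10-char passwords)."""
    needed = count * pw_len
    if needed > len(hexstr):
        raise ValueError("need %d characters, only %d derived" % (needed, len(hexstr)))
    return [hexstr[i * pw_len:(i + 1) * pw_len] for i in range(count)]


def generate(master, service, count=4):
    """User-facing operation: master password + service word -> `count` passwords."""
    return split_passwords(derive_hex(master, service), count)


def max_passwords(hex_len=HEX_LEN, pw_len=PW_LEN):
    """How many pw_len-character passwords a hex_len-character string can supply."""
    return hex_len // pw_len


if __name__ == "__main__":
    for pw in generate("password", "gmail"):
        print(pw)
```

Because the output alphabet is lowercase hex only, a site that demands a symbol or an upper-case letter will reject every generated password, which is the scaling objection Erethas raises.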

Post by Tormeron » 26 Jun 2015, 11:09

I'm not trying to argue what you should use, I'm just trying to provide a safe alternative for all those people who want an alternative.

Gergel wrote: Your program can be made to regenerate all the relevant keys just by knowing the user's password, and figuring out the application naming schema they use.

Sure, but in the case of your program anyone knowing your master password would have access to your entire password list.

In addition, I've thought of another issue some people might have with a password generator and storage. Unless you pass on your container of keys to another computer, you won't have your keys on other computers; basically, if you are abroad and wish to access your Facebook and it's one of those generated passwords saved on your computer, you won't be able to access it.

There is no foolproof way to make a password generator 100% secure, no matter how complicated you make your program. This way, even hacking into your computer won't provide you with the keys of your programs / websites.

You did provide some good advice, one piece of which Shev already gave me but I forgot to change it.

1. remove the labels of the passwords and change it to "password 1" "password 2" and so on.
2. add a go back button

Just for you to know, I'm not trying to argue with you; if you like your way, stick with it. I do thank you for advice and ideas for my program. It might not be perfect, but it's way better than using the same password everywhere (for some people who do it).

Most people don't use a password manager and, in a good case, just use 2-3 passwords divided amongst websites. Those that do use a password manager are stuck without access to their passwords once they lose their HDD someday. My program does provide an alternative that doesn't depend on whether a password manager is used or not; anyone can have access to their keys whenever they want.

if you know someone's base password then they are stupid to have shared it, truly. I can't help stupidity. :Q

Post by Juste » 11 Jul 2015, 12:44

I put all my passwords on a txt file. Impossible really to remember everything for me.
Stand your ground, child, keep your senses. The pain is fleeting, but victory is forever.

Post by Tormeron » 11 Jul 2015, 15:56

My program doesn't require you to remember much, except one password and what service you used.
And a text file ain't exactly a safe storage for passwords :Q


Passgen Ver. 2.00 in development for a single harder to hack password
