Passwords are the oldest method of authentication in information technology, still widely used today. Alas, it is simply impossible to keep in memory passwords for all Internet resources, provided that they are all different and complex! Here password managers come to the rescue of a person, taking this task upon themselves: a person remembers only one master password, which gives access to all the rest.
I didnβt like the existing password managers: itβs inconvenient to synchronize the password database between different devices and operating systems; moreover, manager programs are often openly poorly protected . Once I was reading articles on cryptography, and the thought came to me: why not make a password manager that, instead of storing passwords, will calculate them?
The first way to implement this idea that comes to mind is cryptographic hash functions. At first glance, everything is cool: we select a persistent function (say, SHA-3 in the 224-bit version), give it the master password qwerty and the vk account type as input , at the output we instantly get 56 characters from the set 0123456789abcdef. I immediately found two similar projects: hacked and potentially hacked... This approach has a big problem: cryptographic hash functions are designed, among other things, to be as fast and undemanding to resources as possible, and therefore it is possible to arrange a dictionary or full brute-force attack of the master password using the intercepted password for one site on the CPU (relatively slow), GPU , FPGA (much faster), ASIC (very fast). To carry out such attacks on popular hashing algorithms without using salting, rainbow tables can also be used, which greatly accelerates the hacking process on the CPU.
Fortunately, there is another implementation option - functions for obtaining keys. In a nutshell, they perform hashing, but relatively slowly (say, one second on a normal processor) and relatively high resource consumption (say, 16 megabytes of RAM) to make brute-force and brute-force attacks as difficult as possible. Among the modern functions familiar to me PBKDF2 , bcrypt and scrypt, scrypt looked best: created based on the experience of the first two, successfully opposing computing on GPUs and microcircuits (both FPGA and ASIC) and designed for flexibility in customization for any task. I thought about the implementation of this project, but for some reason pushed it into the back burner. And in vain.
Cryptographer Nadim Kobeissimade just such a password manager npwd in JavaScript (works as a desktop application through Node.JS). I installed the utility on a Linux and Windows computer, as well as a Linux laptop, started using it in combat, and I really liked it. You enter the only master password and the type of account (for example, "twitter") into the application, and after a couple of seconds your clipboard already contains a calculated complex password specifically for this account, and hack your master password (read: all your passwords) by password for one account will be very, very difficult.
But there was also a problem. The Windows version really gave out a password after a couple of seconds, but under Linux (including on the same computer!) It took 15 seconds for calculations, which was annoying. At first I just reduced one constant, making the master password less secure, but then I thought - why not rewrite the application in C, because it will probably work much faster! I was especially encouraged by the thought that I had a plan for this project for a long time, but I was slow, and someone had implemented it before me.
After a few days of leisurely work, I made my own password manager cpwdfully compatible with the original. It was fun! After a little optimization, I managed to achieve the desired high speed. I haven't tried porting cpwd to Windows, but it should be easy. On the project's GitHub page, I collected a collection of links to similar projects in the academic world and beyond - it turned out that the idea is actually quite old.
Surely not a silver bullet, but it works for me. In the process of using, I came across a problem: some sites have interesting requirements for passwords such as "no more than 20 characters", "there must be a large letter, a small letter, a number and a special character", as a result, the password generated by npwd / cpwd sometimes requires manual work before entering ... Fortunately, there are not many such sites.
The original was published on my blog on 7.08.15. 5 years have passed, and I still use this utility.
How I made myself a password manager
All Articles