MD5 is compromised, has been for a while (like SHA-1). Not only you can bruteforce it using GPUs (a single Titan X can do 10billion hashes a second), but you can check for collisions using again GPUs. It's quite easy to do using tools like hashcat (https://hashcat.net/hashcat/).
If you run a string consisting of the name of the service your are using plus the users "password manager password" ie "ProtonMailUSERPASSWORD123@#" through an MD5 hash to bring the string to a constant 32 character length string and then Base64 hash that string which gives you your result my thought would be that using that method would more or less make your password generation secure.
The idea is that you would then use the hash itself as your password on the website.
Does my logic hold up in this scenario?
I'm genuinely curious to know where the weak links are in this methodology.
Had a friend build a CLI password generator using Scrypt in Python (https://github.com/libeclipse/visionary).
I've been working on a password manager for a while (https://github.com/spaceshuttl/coffer) but am still trying to find time to finish it.
1 Like
The weak link would be MD5. If let's say I know you use this program to manage your password and let's assume I know you have a facebook account. What I can do is try to find the master password that appended to the string Facebook or the service name, gives me access to the account. That's not quite easy to do, it takes a lot of time, but it can be done.
Or let's say your password leaks somewhere. I can Base64Decode it, now I have a MD5 hash. Since your password has been leaked, I know for what it was used, and I can try to find the correct master password that matches the hash I have.
It's still a long process, but with powerful hardware and depending on the difficulty of the master password it can be done.
1 Like
I added SHA512, and I'm using my RSA 4096 private key as the seed string which I pass through the SHA512 hash, then the Base64 hash, and finally the MD5 hash (just to shorten the insanely long hash string). Also I'm storing the RSA private key on a veracrypt encrypted flash drive.
Hopefully this is enough to make the process of generating passwords fairly secure.
So the user puts in the name of the service which is attached to the end of the RSA4096 string and passed through all of those hash functions. Obviously since you are modifying the original string slightly each time the resulting hash is unique while also being reproducable.
So right now I plug my USB in, mount it using Veracrypt, call the program which reads the decrypted RSA private key, then punch in the name of the service I want to log in to and then the program gives me the password.
I think at the very least this is kind of a neat project.
I'd love to see what you think of the updated source.
Correction: The order I am hashing the private key is SHA512 > MD5 > Base64
I'll take a look.
1 Like
Why MD5 hash it? Sure it will make it shorter but it will also reduce the keyspace a lot. Also, base64 isn't an hash algorithm it just refers to the number base 64.
Personally, I think everything they're doing is overly complex and unneeded. All you need is to base64 or base85 or whatever you choose, a urandom of however many bytes.
If I understood it correctly, the point of @MyNewLamborghini's project is not to generate passwords but to "store" them hashed instead of encrypted by using a master key and hash it together with the name of each service.
Edit: That was a shit explanation (my excuse is that it's the middle of the night), obviously you don't actually store anything apart from maybe your master key and the service names but technically you could keep booth of those in your head. You generate the passwords when you need them using the master key and the service names.
1 Like
So, salted passwords? There are libraries that can handle passwords and salts without all this complexity. Have a look at this file to see the way I've implemented the python cryptography library. When instantiating the kdf, I pass a salt from a configuration var. I initialize the salt with urandom or pulling data from the password DB file.
For doing what I described you could just do it in one line of bash:cat <(echo master key & echo service name) | sha512sum
Oh bash. How I love you.
1 Like
So, new issue today, minor hindrance to my progress, my main desktop is unable to initialize the crypto module. Works fine on my laptop, both running Solus 1.2, up to date. Hope I don't have to go back to arch.
File "/home/kbrennan/projects/keymaster/keymaster/crypto.py", line 35, in __init__
backend=default_backend())
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/backends/__init__.py", line 40, in default_backend
_default_backend = MultiBackend(_available_backends())
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/backends/__init__.py", line 27, in _available_backends
"cryptography.backends"
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/backends/__init__.py", line 26, in <listcomp>
for ep in pkg_resources.iter_entry_points(
File "/usr/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2361, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
from cryptography.hazmat.backends.openssl.backend import backend
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 45, in <module>
from cryptography.hazmat.bindings.openssl import binding
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 205, in <module>
Binding.init_static_locks()
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 161, in init_static_locks
cls._ensure_ffi_initialized()
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 156, in _ensure_ffi_initialized
cls._register_osrandom_engine()
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 121, in _register_osrandom_engine
_openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0)
File "/usr/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _openssl_assert
errors
cryptography.exceptions.InternalError: Unknown OpenSSL error. Please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLError(code=621174887, lib=37, func=102, reason=103), _OpenSSLError(code=621215847, lib=37, func=112, reason=103)])Some people have said reinstalling the python-cryptography library fixes the issues, but I've had no such luck. I'll keep trying things, but time is my major problem here. Three days to finish the project, no time to debug OS issues.
"Unknown OpenSSL error" Make sure you have OpenSSL installed on your machine
Should have elaborated a bit more. Openssl is installed. The entire system is identical in packages installed to the laptop. I'm just going to nuke and pave this evening when I get back from work.
@Tobbbles I managed to fix the problem by installing the system.devel package group on the system. It includes about 70 packages, so on Monday, I'll go through them and figure out exactly what it was, but for now, I've managed to fix it so I can comfortably code.
I'll be updating with pics of my latest progress soon, I'm just finishing up a few things on the account details pane.
PICSPAM INCOMING!
When you start the program, you start up looking like this.
the open-file dialog
Enter your password
If a password has expired (based on user preferences), the user is warned.
Once the database is loaded, you see something like this.
When the password is shown.
When you click the configure button next to the text "Expires: %s" you see a calendar and a couple button options. This will either set or erase the account expiration date. If the date is set to a time in the past, the expiration is disabled.
If you need to generate a password, you are greeted with this dialog box. It's not the prettiest thing yet, but I'm still finalizing it.
To create a new database, you use this window, accessed by clicking the "New" button on the header bar of the main window.
No program is complete without the ability to to edit preferences.
I'll be adding a few more images in the next 24 hours, but for now, I'm going to get back to finalizing the program.
1 Like
I'm definitely getting in this ! I've been looking towards doing a Password generator & Store written in Python or Cython, I'll help any way I can