This project is no longer maintained (it still works, though); use Derivatex instead.
Make sure you use Python 3.7.x (32-bit) or Python 2.7.x, and pip.
Install the necessary packages:

```
# Python 3
pip3 install argon2_cffi qrcode pyperclip
# Python 2
pip install argon2_cffi pysha3 qrcode pyperclip
```
Launch the main script `main.py`. The options are:

- `python main.py` will open the user interface (see below)
- `python main.py #setup` will generate the master digest file deterministically from your master password and birth date
- `python main.py facebook` will generate a deterministic password for facebook with a length of 24 characters
- `python main.py facebook short` will generate a deterministic password for facebook with a length of 8 characters
Install the necessary packages:

```
# Python 3
pip3 install argon2_cffi kivy kivy.deps.sdl2 kivy.deps.glew
# Python 2
pip install argon2_cffi kivy kivy.deps.sdl2 kivy.deps.glew
```
Launch the user interface with:

```
python main.py
```
To run the tests and develop the code, install the following:

```
# Python 3
pip3 install argon2_cffi qrcode pyperclip argon2_cffi kivy kivy.deps.sdl2 kivy.deps.glew nose rednose coverage coveralls
# Python 2
pip install argon2_cffi pysha3 qrcode pyperclip argon2_cffi kivy kivy.deps.sdl2 kivy.deps.glew nose rednose coverage coveralls mock
```
- Not remembering passwords
- Resistant to loss
- Resistant to brute-force attacks
  - Botnets
  - Cloud computing and GPUs
  - ASIC miners
- Resistant to rainbow-table attacks
- Hacking attacks
  - Website hacked
  - HTTP sniffing
  - HTTPS and NSA backdoors at certificate authorities issuing your keys
- Your master password can't be found at all
- Your passwords are vulnerable if:
  - The attacker knows you are using this program
  - The attacker has:
    - Your birthdate AND your master password, or
    - Your master password digest file
- If you carry this program on a USB drive, be careful not to lose it!
- Replace '/' in path with sys.sep
- Build it as executable for
- Docstring with Sphinx
- Finish user interface with Kivy
  - Colors and better experience
  - Add settings, tools
  - Use Android fingerprint as PIN code replacement
- Make password robustness check better
  - Add other dictionaries
  - Check for birthdates in password
  - Check for common names of individuals (e.g. Trump)
  - Check for common names of places (e.g. Paris)
- Write some C code binding to Python to securely erase memory
- Write/Read of master password digest
- Recovery procedure if the master password digest file is lost
- Password generated matches all website requirements (hopefully)
- Unique password generated for each website
- Argon2ID
- Unit tests for robustness.py
- Robustness of password is calculated and transparent
- Basic UI
- Uses SHA3
- Unit tests with coveralls and Travis CI
- SSH keys generation from file
- See the list of websites you generated a password for
- AES encryption of files/directories
- Optional PIN code to have a few days of delay to change all passwords and against stupid people
- Shamir Secret sharing
- Show robustness of password: # of words, # of letters, # of digits etc.
- You input your password and birthdate once to generate the file `MasterPasswordDigest.txt`
- It is impossible to deduce your password or birthdate from this file
- This file should be kept safe
- Every time you log in or sign up on a website, use the program to generate another password by entering the website name
- This password is always the same for the same (password, birthdate, website) combination
- It is impossible to deduce the `MasterPasswordDigest.txt` file or the website name from this password
- This password matches all websites' password requirements, including at least:
  - 1 lowercase letter
  - 1 uppercase letter
  - 1 digit
  - 1 symbol
  - Equal to 30 characters in length
  - No common words or famous names
- The first part of the program stores the nth argon2id hash digest of your master password in a file (which should therefore be kept safe!)
  - n is derived from your birth date
  - This allows you to restore the file from your master password and birth date
  - For ease of use, this should only be run once, when you start using the program
- We use argon2id to avoid botnet / cloud computing / ASIC-based attacks
  - If we used SHA256, Bitcoin miners could break it
  - Even memory-hard hash algorithms such as scrypt now have ASICs or can be brute-forced with GPUs
- The second part of the program prompts you each time for the website/company name and generates a password deterministically.
  - This allows you to use this program to generate your password for signup AND for login
  - This also uses argon2id for better security
- The generation of the password works as follows:
  - The master password digest is read from your file and concatenated with the website name
  - This is then hashed with argon2id
  - An offset is set equal to the integer value of this digest
  - Only the first 30 characters of this digest are kept, to stay under the password length limit of certain websites
  - For each character of the previously derived hexadecimal digest:
    - The character is converted to an integer (its ASCII value)
    - The offset is added to the character's value
    - The result is taken MOD 127 so that it is less than 127 (to avoid non-allowed characters of the ASCII table)
    - The previous two steps are performed again if the result is less than 33 (again, to avoid non-allowed characters)
    - The character is replaced by the character corresponding to the value just calculated. Overall this gives a more complex password if the attacker does not know you used this program.
  - 4 unique indexes are chosen in the current 30-character password at which characters will be changed:
    - An empty list of indexes is created.
    - The initial index is set to 1
    - The following is executed 4 times:
      - The index is set to (index × offset) MOD 30
      - If the index is already in the list of indexes, the previous step is performed again
      - The index is added to the list of indexes
  - Finally, for each of these 4 indexes:
    - The character in the password at the first index is ensured to be a digit
    - The character in the password at the second index is ensured to be a lowercase letter
    - The character in the password at the third index is ensured to be an uppercase letter
    - The character in the password at the fourth index is ensured to be a symbol (never a digit)
  - The password is then shown to the user.
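The following is an added worked example of the derivation steps listed above and of the requirements check from the "How it works" list; it is not the project's own code. To run without the `argon2_cffi` dependency it substitutes SHA3-256 from the standard library for argon2id at both hashing steps (swap in `argon2.low_level.hash_secret_raw` for the real construction). Three points the page leaves open are filled with labelled assumptions: how `n` is derived from the birth date (here `n` is passed in directly), what happens when `(index × offset) MOD 30` collides with an index already chosen (repeating the multiplication would never terminate, so the example advances linearly), and how a character is forced into its class (the character's code selects a member of the class). All names (`derive_master_digest`, `generate_password`, `meets_requirements`, and so on) are hypothetical.

```python
import hashlib
import string

PASSWORD_LENGTH = 30          # page: only the first 30 hex characters are kept
MIN_PRINTABLE = 33            # page: values below 33 are rejected ('!' is 33)
ASCII_MODULUS = 127           # page: the result is taken MOD 127
SYMBOLS = string.punctuation  # assumption: page only says "a symbol, never a digit"


def hash_hex(data: bytes) -> str:
    """Stand-in for the argon2id digest, as hex. Swap in argon2id for real use."""
    return hashlib.sha3_256(data).hexdigest()


def derive_master_digest(master_password: str, n: int) -> str:
    """First part: hash the master password n times. The page derives n from
    the birth date but does not say how, so n is a parameter here (assumption)."""
    digest = master_password.encode()
    for _ in range(n):
        digest = hash_hex(digest).encode()
    return digest.decode()


def scramble_characters(hex_digest: str, offset: int) -> list:
    """Per-character step: value = (ASCII + offset) MOD 127, repeated while the
    value is below 33. Reducing the offset MOD 127 first gives the same result."""
    step = offset % ASCII_MODULUS or 1  # assumption: a zero step would never terminate
    out = []
    for ch in hex_digest[:PASSWORD_LENGTH]:
        value = (ord(ch) + step) % ASCII_MODULUS
        while value < MIN_PRINTABLE:
            value = (value + step) % ASCII_MODULUS
        out.append(chr(value))
    return out


def choose_indexes(offset: int, count: int = 4) -> list:
    """Index selection: start at 1, multiply by the offset MOD 30, four times."""
    indexes = []
    index = 1
    for _ in range(count):
        index = (index * offset) % PASSWORD_LENGTH
        # Assumption: on a collision the page says to redo the multiplication,
        # which would yield the same value forever; advance linearly instead.
        while index in indexes:
            index = (index + 1) % PASSWORD_LENGTH
        indexes.append(index)
    return indexes


def enforce_classes(chars: list, indexes: list) -> list:
    """Force a digit, a lowercase letter, an uppercase letter and a symbol at
    the four indexes. Assumption: the character's code picks the class member."""
    classes = (string.digits, string.ascii_lowercase, string.ascii_uppercase, SYMBOLS)
    for idx, alphabet in zip(indexes, classes):
        chars[idx] = alphabet[ord(chars[idx]) % len(alphabet)]
    return chars


def generate_password(master_digest: str, website: str) -> str:
    """Second part: digest + website name, hashed, then scrambled and fixed up."""
    site_hex = hash_hex((master_digest + website).encode())
    offset = int(site_hex, 16)
    chars = scramble_characters(site_hex, offset)
    chars = enforce_classes(chars, choose_indexes(offset))
    return "".join(chars)


def meets_requirements(password: str) -> bool:
    """The page's minimum requirements (the common-word check is omitted here)."""
    return (
        len(password) == PASSWORD_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
        and all(MIN_PRINTABLE <= ord(c) < ASCII_MODULUS for c in password)
    )


if __name__ == "__main__":
    # Constructed sample inputs; n is a placeholder for the birth-date-derived count.
    digest = derive_master_digest("correct horse battery staple", 1000)
    for site in ("facebook", "github"):
        pw = generate_password(digest, site)
        print(site, pw, meets_requirements(pw))
```

Because the per-character stage only ever emits values in 33..126 and the final stage pins one member of each class, `meets_requirements` holds for every output; the two properties worth checking are that the same (digest, website) pair always yields the same password and that different websites yield different ones.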
- Always match password requirements for websites
- If a website not using password hashing is hacked, the attacker will be limited to this website
- You can re-use this program for all websites, especially if the attacker does not know you use this program (most likely)
- As long as the attacker does not know you use this program:
- Your password is very strong and unbreakable if the attacker attacks a website
- Plaintext communication (over HTTP) of your password won't reveal any information about your master password or password generation
- NSA sniffing on HTTPS providers will also not learn any information regarding your master password or password generation
- If an attacker only knows you use this program AND has one (or more) of your generated password(s):
- You are safe depending on your master password. This information is given when running firstrun.py. For example, the master password abc12$ is safe for 1253600 years (with a single machine attacking)
- If an attacker knows you use this program AND has your MasterPasswordDigest:
- You are safe depending on your master password. This information is given when running firstrun.py. For example, the master password abc12$ is safe for 1044700 years (with a single machine attacking)