Request for comments: ratpass (antiX forum, antiX-development / Development)
This topic has 24 replies, 4 voices, and was last updated Mar 23, 1:54 am by techore.
techore (Member), March 16, 2023 at 10:36 pm, #102312
techore (Member), March 16, 2023 at 10:39 pm, #102313
Alright, all my solutions miss the mark on a computer with two displays with different resolutions. I need to identify the display AND its resolution.
I’ll keep digging.
techore (Member), March 16, 2023 at 10:55 pm, #102316
@Robin, I responded to each of your questions, but on attempting to post.. lost it.
Here is a much abbreviated response.
1.) Concerning xdotool
I am looking at it now.
2.) To calculate the width I believe you’d better use the horizontal value
Good input and I agree.
3.) Why installing this hashrat tool
The intent was to expand options including algorithm selection in the GUI. It was simpler to use hashrat and use its available options. As the app stands, it doesn’t warrant using hashrat. I appreciate you providing additional options.
shasum -a512 <<<"test 12345" | cut -d' ' -f1
This results in a string length that many websites may not accept. Untested so I am assuming based on past experience. I guess that I should do a bunch of password changes and see how many have a tantrum.
you could use a hash algorithm which is a bit more hardened against brute force, eg. argon2
Not used argon2. I will take a closer look.
4.) Add a user-specific, randomly generated locally stored salt
I agree on the use of a salt as a GUI option would be awesome. It may result in long passwords, but if it's a toggle on/off the user decides.
Additional thoughts.
The goal wasn’t to create the strongest password but a password for low to moderate risk websites and improve upon what folks generally do.. password reuse. The question I keep asking myself is “will my wife use it?” You make excellent points and I don’t disagree. I will think on them.
Robin (Member), March 16, 2023 at 10:59 pm, #102317
I need to identify the display AND its resolution.
I’m pretty sure wmctrl does this job for you. It looks for the currently active device (marked by an asterisk in second column) when returning the resolution, as far as I know. Right now I can’t connect two monitors to a single PC in order to start twinview, due to incompatible connection standards (vga, hdmi, dp, dvi, s-video…) not matching, so no chance to check.
Windows is like a submarine. Open a window and serious problems will start.
Robin (Member), March 17, 2023 at 3:12 pm, #102388
This results in a string length that many websites may not accept.
change 512 to 384, 256, 224, 1 to get different pass string lengths as result. (this could be used for generating different pass-string lengths per GUI radiobutton setting)
It may result in long passwords
No, if you do it the way I had used the salt in my argon2 example (this time the pass phrase provided in a variable, for use in scripting):
$ echo "my_test_salt_$(shasum -a512 <<<"$RANDOM"|cut -d' ' -f1)" > ~/testsalt
$ cat ~/testsalt
my_test_salt_145f2fac791560c489497fc020e430376ae18506d70c1596a18f6c571b8bb192c209a67919fc8784f9f58ce48ce451aa079343043f6dc97673c1e627e5d5b0a6
$ testphrase="test passphrase 123"
$ argon2 $(cat ~/testsalt) -r -d <<<"$testphrase"
b453bc6a0ce741bff0c4d828f3de277bc975a84034392daec446ddbbbb992981
As you can see, the length of the salt doesn’t correlate to the length of the final pass string used for the web sites.
And since the salt is created from RANDOM for each user (GUI should allow only once, in order to make sure user has always the very same salt, and not a bunch of them), it is next to impossible two users get the same pass-string even when only using weak pass phrases for input in your script GUI. It would be even enough to use simply the website name as pass phrase, as long as the user keeps his salt file secret.
Windows is like a submarine. Open a window and serious problems will start.
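Robin's point above, a per-user salt generated once and kept secret, with the derived string's length fixed by the algorithm rather than by the salt, worked through as an added Python example. This is not ratpass code and not Robin's argon2 pipeline: it uses hashlib.scrypt from the standard library as a memory-hard stand-in for argon2 (argon2 itself needs the third-party argon2-cffi package), and the salt size, work factors, output length, file name and function names are all assumptions.

```python
"""Per-user salted, memory-hard password derivation (added example, not ratpass code).

scrypt stands in for argon2 here because it ships in the standard library.
"""
import base64
import hashlib
import os
import secrets
import tempfile

SALT_BYTES = 32                                # random per-user salt size (assumption)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # work factors, ~16 MiB of memory (assumption)
DERIVED_BYTES = 32                             # raw KDF output; fixed no matter how long the salt is
PASSWORD_CHARS = 27                            # same length hashrat's p64 gives for a SHA-1 digest


def load_or_create_salt(path: str) -> bytes:
    """Return the user's salt, creating it exactly once.

    Robin's requirement: the GUI must generate the salt a single time so the
    user always derives with the same value. The file's existence is the guard,
    and secrets.token_bytes replaces $RANDOM, which only has 15 bits.
    """
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return fh.read()
    salt = secrets.token_bytes(SALT_BYTES)
    # O_EXCL: fail rather than silently overwrite an existing salt; 0o600 keeps it private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(salt)
    return salt


def derive_password(passphrase: str, salt: bytes, length: int = PASSWORD_CHARS) -> str:
    """Derive a site password from a pass phrase such as "www.example.com 12345678" and a salt.

    scrypt is memory-hard like argon2, so offline guessing of a weak pass phrase
    is slow and must be repeated per salt. Output length comes from DERIVED_BYTES
    and `length`, never from the salt: the property Robin showed with argon2 -r.
    """
    raw = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DERIVED_BYTES)
    # URL-safe base64 avoids '+' and '/', which some sites reject; drop '=' padding.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


def demo() -> dict:
    """Run the whole flow in a temporary directory and return what a caller can check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ratpass.salt")
        salt_first = load_or_create_salt(path)
        salt_again = load_or_create_salt(path)        # second call must reuse, not regenerate
        other_user = secrets.token_bytes(SALT_BYTES)  # a different user's salt
        site = "www.example.com"                      # deliberately weak pass phrase (constructed)
        return {
            "salt_stable": salt_first == salt_again,
            "password": derive_password(site, salt_first),
            "repeat": derive_password(site, salt_first),
            "other_user": derive_password(site, other_user),
            "short_salt": derive_password(site, b"\x01" * 8),   # constructed 8-byte salt
            "long_salt": derive_password(site, b"\x01" * 64),   # constructed 64-byte salt
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the same salt file the same pass phrase always yields the same 27-character string, so the secrets are the salt file and the pass phrase; what the salt buys is that a guess at a weak pass phrase only pays off against one user's stored salt, which is what makes "just the website name" tolerable as input. An 8-byte and a 64-byte salt give outputs of identical length but different content.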
techore (Member), March 17, 2023 at 8:35 pm, #102404
As you can see, the length of the salt doesn’t correlate to the length of the final pass string used for the web sites.
My statement of using a salt resulting with a longer password was dead wrong. No idea why I typed it since I know better. You make an excellent point regarding password length. As long as the user can select different algorithms, they can pick the algorithm based on length.
@Robin, thank you! I have a busy day tomorrow but will update the post, soon.
techore (Member), March 21, 2023 at 9:17 pm, #102799
I have decided to stick with hashrat and not use shasum or sha[1|224|256|384|512]sum or argon2. I do like argon2 but not for this use case.
Let me show you why.
Using external base64 command to result with mixed case, shasum and sha1sum result with:
> echo "www.yahoo.com 123456" |shasum -a 1 |base64
NDgxOTgwZjE1YmQzMWI4ZjMwZGFhMTk0ZTQwYzkwZTdhM2ViNzVjNyAgLQo=
> echo "www.yahoo.com 123456" |sha1sum |base64
NDgxOTgwZjE1YmQzMWI4ZjMwZGFhMTk0ZTQwYzkwZTdhM2ViNzVjNyAgLQo=
Using argon2 with base64:
> echo "www.yahoo.com 123456" |argon2 "$tstsalt" -id -r |base64
NzU0NmJlODhhY2VjM2NkYjYwMGFkNmIwZDcwYzA1NDBhYzBiN2MzOGM0OTVlYWVmYTMzOTA3YjA1NjNmMTBhYQo=
Using hashrat:
> echo "www.yahoo.com 123456" |hashrat -sha1 -64
SBmA8VvTG48w2qGU5AyQ56Prdcc=
In addition, hashrat supports additional encode options that provide interesting results.
> echo "www.yahoo.com 123456" |hashrat -sha1 -z85
mdU@sGJJeWRi&o4cPV96
> echo "www.yahoo.com 123456" |hashrat -sha256 -a85
W4R)TL[o%_f+EP&3%C%Cd'&NI#RAS$M=
The second result is 32 characters long. If a longer password is needed, it is time to move to multi-factor authentication in my opinion.
@Robin, I will be adding a salt option. Need to decide if the additional options will be from a configuration file or GUI selection. Leaning towards file for I am more comfortable with bash than yad. Undecided.
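Why the shasum|base64 and hashrat -64 outputs in the post above differ so much in length even though both are SHA-1 of the same input, worked through as an added Python example; this is not code from the thread or from hashrat. The two base64 strings are copied from the post; everything else, including the assumption that hashrat's p64 encoding is URL-safe unpadded base64 and that Python's b85encode alphabet (RFC 1924) differs from hashrat's -z85 and -a85 only in the alphabet, not the length, is constructed here.

```python
"""Decode the thread's two SHA-1 outputs and compare digest encodings (added example)."""
import base64
import hashlib

# From techore's post: `echo "www.yahoo.com 123456" | shasum -a 1 | base64`
SHASUM_B64 = "NDgxOTgwZjE1YmQzMWI4ZjMwZGFhMTk0ZTQwYzkwZTdhM2ViNzVjNyAgLQo="
# From techore's post: `echo "www.yahoo.com 123456" | hashrat -sha1 -64`
HASHRAT_B64 = "SBmA8VvTG48w2qGU5AyQ56Prdcc="


def digest_from_shasum_pipeline(b64: str) -> bytes:
    """Recover the raw digest from `shasum | base64` output.

    shasum prints '<40 hex chars>  -\n'; piping that to base64 encodes the
    text, so the raw digest sits behind a hex layer plus a constant trailer.
    """
    text = base64.b64decode(b64).decode("ascii")
    hex_digest, _, trailer = text.partition("  ")
    if trailer != "-\n":
        raise ValueError("not shasum output: unexpected trailer %r" % trailer)
    return bytes.fromhex(hex_digest)


def digest_from_hashrat(b64: str) -> bytes:
    """hashrat -64 base64-encodes the raw digest bytes directly."""
    return base64.b64decode(b64)


def encode_digest(digest: bytes, scheme: str) -> str:
    """Encode raw digest bytes (bytes, not hex text) the way a password generator should."""
    if scheme == "b64":     # standard base64, padded: what hashrat -64 produced above
        return base64.b64encode(digest).decode("ascii")
    if scheme == "p64":     # URL-safe, unpadded; assumed to match hashrat's p64 ('-' and '_')
        return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    if scheme == "b85":     # RFC 1924 alphabet; same 5-chars-per-4-bytes length as z85/a85
        return base64.b85encode(digest).decode("ascii")
    raise ValueError("unknown encoding: %s" % scheme)


def password_lengths(algo: str) -> dict:
    """Password length per encoding for a hash algorithm; the input is constructed, only size matters."""
    digest = hashlib.new(algo, b"www.example.com 123456").digest()
    return {scheme: len(encode_digest(digest, scheme)) for scheme in ("b64", "p64", "b85")}


if __name__ == "__main__":
    same = digest_from_shasum_pipeline(SHASUM_B64) == digest_from_hashrat(HASHRAT_B64)
    print("same SHA-1 digest:", same, digest_from_hashrat(HASHRAT_B64).hex())
    for algo in ("sha1", "sha256", "sha512"):
        print(algo, password_lengths(algo))
```

Decoding shows shasum's string is base64 of the 40 hex characters plus two spaces, a dash and a newline: every password made that way ends in LQo=, and each character carries hex's 4 bits rather than base64's 6, which is why it is 60 characters instead of 28 for the very same digest. argon2 -r prints hex as well, so argon2 ... -r | base64 has the same property (88 characters for a 32-byte result). Once the raw digest is encoded, length is decided by hash size and encoding alone: for SHA-1 28/27/25 characters, SHA-256 44/43/40, SHA-512 88/86/80 (b64/p64/b85), which is the trade-off a hash and encode option exposes.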
techore (Member), March 22, 2023 at 8:16 pm, #102905
So, it is far from perfect but this has been an interesting project. I now see the appeal of yad. It’s not perfect, but darn nifty.
ratpass now supports a configuration file to specify supported hashes and encodes and added support for the use of a salt.
@Robin, thank you for the suggestions. Very helpful.
https://gitlab.com/techore/antix-dwm/-/blob/main/file/bin/ratpass
#!/usr/bin/env bash
# Project: antix-dwm
# Location: /usr/local/bin/ratpass
# Dependencies: yad, hashrat, and xsel packages
# Description:
# Tool to create passwords using hashrat by entering two or
# more factors for low to moderate risk websites and removing
# the need to memorize complex passwords or using a password safe.
#
# For example:
# "www.yahoo.com 12345678" results with "RtKWmc1NgtNuhx505o2ofMj_KGN"
#
# To specify an alternative hash or encode or path to a salt, create
# file $HOME/.config/ratpass/ratpass.conf and populate with key value
# pairs. See 'man hashrat' for supported hashes and encodes.
#
# Example ratpass.conf:
# https://gitlab.com/techore/antix-dwm/-/blob/main/asset/ratpass/ratpass.conf
#
# Contributions from the amazing people at antixforum.com.
# @Robin for suggesting the use of a salt and introducing me to argon2.
# @masinick for testing and feedback.

# Set configuration file path.
conffile="$HOME/.config/ratpass/ratpass.conf"

# Set default values.
hash=sha1
encode=p64
saltfile=""

# If $conffile exists, read it.
if test -f "$conffile" ; then
    # Read each line in configuration file (-r keeps backslashes literal).
    while read -r line; do
        if [[ "$line" =~ ^[^#].+=.+ ]]; then
            # Get variable name and value (everything after the first '=').
            confname=$(printf '%s' "$line" | tr -d '[:space:]' | cut -d= -f1)
            confvalue=$(printf '%s' "$line" | tr -d '[:space:]' | cut -d= -f2-)
            # Only the three known keys may be set; any other name in the
            # file is ignored instead of being declared as an arbitrary variable.
            case "$confname" in
                hash|encode|saltfile) declare "$confname=$confvalue" ;;
            esac
        fi
    done < "$conffile"
fi

# If $saltfile value is not empty, expand a leading ~ or $HOME without eval.
if test ! -z "$saltfile" ; then
    saltfile="${saltfile/#\~/$HOME}"
    saltfile="${saltfile//\$HOME/$HOME}"
    # If $saltfile exists, assign salt to $saltval.
    if test -f "$saltfile" ; then
        saltval="$(tr -d '[:space:]' < "$saltfile")"
    fi
fi

# Spawn gtk dialogue using yad and prompt for pass phrase to hash.
passphrase=$(yad --title="ratpass" --center --splash --undecorated --borders=10 --width=300 --skip-taskbar --text="Text to hash:" --entry --button="Copy":0)

# If the Copy button was pressed (yad exit status 0), hash then save to clipboard.
# printf '%s' keeps a '%' in the pass phrase from being read as a format directive.
if test $? -eq 0 ; then
    printf '%s' "$passphrase$saltval" | hashrat -"$hash" -"$encode" -rawlines | tr --delete "\n" | xsel --clipboard
fi

Next project will be creating deb packages. I’ve done rpm packages. It will be interesting to see how they differ.
This reply was modified 1 month, 2 weeks ago by techore.
Brian Masinick (Moderator), March 22, 2023 at 10:01 pm, #102908
@techore: Just wanted to let you know that I copied and built your tool, and I did notice that it needed the three prerequisites, because I was missing two of them, added them and the tool builds correctly. Nice work.
--
Brian Masinick
techore (Member), March 23, 2023 at 1:54 am, #102931