16 comments

[ 3.2 ms ] story [ 21.9 ms ] thread
I couldn't figure out what I was supposed to type in the result field. May not be the standard ux though - I'm on a tablet.
Ah, thanks for point that out! The only things you need to input are the service and passphrase--the result box is just for the output of the generator.

Now that you've pointed this out, I'm doubting my sanity in making the, um, output box an input... It should focus on the "service" input on page load, but on a tablet that might not be obvious.

Anyway, I should replace that to avoid confusion. Thanks for checking it out!

Seems like this would result in many users using the same password for particular services.
Maybe I'm missing something. I don't see why the use of this service would produce an increase in that phenomenon beyond what it is now. I tend to think this would merely swap encrypted versions of commonly-used passwords for the originals.
Great idea, confusing UI.
If I may offer a simple UI suggestion: Make the result box read only. Combined with the minimalist UI this makes it very confusing for first time experimenters.

Also, I would suggest a submit button for clarity (and tablets).

Yeah, sounds like the UI is a problem for many, and I can see why. I was going for something as minimalist as possible, but clearly I went too far. Thanks for your suggestions!
Have you considered using BCrypt instead of SHA?
Definitely, but the CryptoJS library just seemed more mature than the Javascript BCrypt library I found, so I decided to just repeatedly hash the data to approximate BCrypt's work factor. Thanks!
One very large appeal of bcrypt is its memory usage characteristics. SHA1 is easily done on GPUs, and can be massively parallel with very little work. Simply rehashing doesn't adequately replicate the barriers that bcrypt puts in place to brute-forcing.

See: http://crypto.stackexchange.com/questions/400/why-cant-one-i...

Thank you for that fascinating link. I've never understood why, if bcrypt is good because it's slow, a similarly slow implementation of SHA wouldn't be just as effective. Now I do. Really appreciate it!
How do I run this locally?
There are several local apps that have done this for a long time. I wrote and use SHA1_Pass. It has local clients for Mac, Linux and Windows and a JavaScript version that can run locally on mobile devices. http://16s.us/sha1_pass/
I was wondering about the password change scenario and the FAQ at your link gives some clue. So basically, if you are using this scheme/tool for your passwords than you are basically remembering the changing words (bills1, bills2 etc). This isn't really any different than remembering your passwords (if you are into making password strings of your own).

I guess a local password manager is good enough repository for passwords as it also lets you generate passwords.

Do you have Go installed? If so, just clone the repo into your $GOPATH/src directory and 'go install pgen/mawud'. Then, you can generate a password using 'mawud gmail'--you'll be prompted for your password. You can use flags to set parameters:

-l 10 : sets length to 10 characters

-a ans : sets allowed characters to alphabetic, numeric, and symbolic

-f : shows your master password as you type it in

-p : shows the generated password as well as copying it to your clipboard

The length and allowed-char parameters are saved in the file ~/.pwlist in the gob format, and will be used each time you generate a password for a specific service. For example, you could generate a numeric, 6-character password for "bankpin" with 'mawud bankpin -a n -l 6' and, in the future, just type 'mawud bankpin' to generate the same password.

The local version is something I built for my own use, so it's pretty rough at the moment. For example, the copy-to-clipboard function only works on OS X. Plus, having to install Go is a hassle for most people. I'm planning on writing a Python script using the same generation algorithm and fixing some of the rough edges this weekend.

how and why this is secure blows my mind. Should I stop using keepass?