From: Mark David Dumlao <madumlao@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Coming up with a password that is very strong.
Date: Wed, 6 Feb 2019 10:41:35 +0800 [thread overview]
Message-ID: <CAG2nJkNPGj6T9EUm7-=PNu0TdwLxzJ1A3ZLn8x57jzEkDenfGg@mail.gmail.com> (raw)
In-Reply-To: <20190205211653.57d0b0dc@digimed.co.uk>
On Wed, Feb 6, 2019 at 5:18 AM Neil Bothwick <neil@digimed.co.uk> wrote:
>
> On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
>
> > My own solution is actually very simple. I have a "secret algorithm"
> > that incorporates several secrets with a predictable way to generate a
> > site-specific secret. The end result is a 100% predictable way to
> > generate unique passwords for every site that are cryptographically
> > secure from each other (you cannot derive
> > one from the other) which can be generated by any device using the
> > appropriate tools.
>
> There was a tool in portage that did this. I tried it but it did not work
> in the real world because you couldn't set a rule for generated passwords
> that matched the requirements of all sites, for example some require a
> non-alphanumeric character while other sites only allow alphanumerics.
>
> I can remember what the tool was called, although I'm pretty sure it
> was written in Python. I'd be interested to know how you get around the
> conflicting restrictions as this seems a good way to do things.
>
Well, the original idea is to reduce dependency on specific tools, such
that the algorithm is the secret, and the passwords are just
byproducts of the secret. You will still need tools to do any hashing,
but those are generic tools you can acquire anywhere.

So for example, the "password123" equivalent secret algorithm might be:

1) global pepper: "password"
2) site-specific pepper: pepper plus number = vowels in domain name
3) site-specific ID: pepper dot domain name dot username
4) hashing algorithm: md5sum + base64, take first 8

Example application: madumlao@gmail.com

1) site-specific pepper: pepper3 (3 vowels in domain name: google)
2) site-specific ID: pepper3.google.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> NGI3MTQz
4) combined with global pepper: password.NGI3MTQz
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> MWJjZjg2
password: MWJjZjg2

Example application: madumlao@yahoo.com

1) site-specific pepper: pepper3 (3 vowels in domain name: yahoo)
2) site-specific ID: pepper3.yahoo.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> ZDQzZGM5
4) combined with global pepper: password.ZDQzZGM5
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> ZjUwMTI2
password: ZjUwMTI2

The procedure takes up a little more headspace than 1 password, but
definitely less headspace than a dozen cryptographically secure
passwords. You can change the hashing algorithm, peppering rule, ID
rule, number of characters, etc. to your tastes. You can add iteration
rules for the nth password change anywhere in the procedure, and add
constraint rules for sites that have certain password limitations (the
caveat is that you have to remember which sites have password changes
and constraints). For me really all that matters is that the building
blocks are widely available and the end result incorporates data loss
that makes it impossible to recover the original secrets.

"Obviously" do not use this algorithm as-is. The algorithm, not the
password, is the secret, so using this algorithm as-is is the
equivalent of using any example of a crypto secure password (correct
horse battery stapler) as a password.

--
This email is: [ ] actionable [x] fyi [ ] social
Response needed: [ ] yes [x] up to you [ ] no
Time-sensitive: [ ] immediate [ ] soon [x] none
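The derivation procedure described in the message above, written out as an added example (not code from the original post or from any tool in portage). It mirrors the `md5sum -> base64 -> first 8` pipeline with Python's standard library; the function names (`count_vowels`, `hash8`, `derive_password`) and the optional `symbol_suffix` constraint rule are this example's own. One assumption is stated in the code: the MD5 is taken over the bare string (no trailing newline from `echo`, and no `  -` filename suffix that `md5sum` prints) and base64 is applied to the 32-character hex digest. The post's intermediate value `NGI3MTQz` is consistent with that reading (it decodes to the hex characters `4b7143`), but because the exact bytes that were hashed are not shown, the example's outputs are not guaranteed to match the post's values character for character.

```python
import base64
import hashlib

VOWELS = set("aeiou")


def count_vowels(domain: str) -> int:
    """Site-specific pepper rule from the post: number of vowels in the domain name."""
    return sum(1 for c in domain.lower() if c in VOWELS)


def hash8(data: str) -> str:
    """md5sum -> base64 -> first 8 characters.

    Assumption: MD5 is computed over the bare string (no newline, no md5sum
    "  -" suffix) and base64 is applied to the hex digest text, which is what
    piping md5sum's output into base64 does.
    """
    hex_digest = hashlib.md5(data.encode("utf-8")).hexdigest()
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")[:8]


def derive_password(domain: str, username: str,
                    global_pepper: str = "password",
                    pepper_word: str = "pepper",
                    symbol_suffix: str = "") -> dict:
    """Walk the five numbered steps from the post and return every intermediate.

    symbol_suffix is a hypothetical constraint rule of the kind the post
    mentions: for a site that demands a non-alphanumeric character, append
    a fixed symbol; leave it empty for sites that only allow alphanumerics.
    """
    site_pepper = f"{pepper_word}{count_vowels(domain)}"        # step 1
    site_id = f"{site_pepper}.{domain}.{username}"               # step 2
    site_hash = hash8(site_id)                                   # step 3
    combined = f"{global_pepper}.{site_hash}"                    # step 4
    password = hash8(combined) + symbol_suffix                   # step 5
    return {
        "site_pepper": site_pepper,
        "site_id": site_id,
        "site_hash": site_hash,
        "combined": combined,
        "password": password,
    }


if __name__ == "__main__":
    # The two worked examples from the post (gmail.com -> "google", yahoo.com -> "yahoo").
    for domain in ("google", "yahoo"):
        steps = derive_password(domain, "madumlao")
        print(f"--- {domain} ---")
        for name, value in steps.items():
            print(f"{name:12s} {value}")
```

Two properties worth noting about the output of `hash8`, both of which follow from base64-encoding a hex string rather than raw digest bytes: the first 8 characters encode only the first 6 hex digits (24 bits) of the MD5, so the effective password space is far smaller than 8 base64 characters suggests, and the result can never contain `+`, `/` or `=`, so it is always alphanumeric. The second point is what makes the alphanumerics-only sites from the quoted reply work unchanged, while a rule such as `symbol_suffix="!"` covers sites that insist on a symbol. Since MD5 is fast, the scheme's strength rests entirely on the algorithm and peppers staying secret, as the post says; a slow key derivation function in place of MD5 would cost nothing in memorability and raise the price of guessing if they ever leak.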