From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 3FE98138334 for ; Wed, 6 Feb 2019 02:42:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AEB42E0C9A; Wed, 6 Feb 2019 02:42:14 +0000 (UTC) Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 402C7E0C86 for ; Wed, 6 Feb 2019 02:42:14 +0000 (UTC) Received: by mail-qt1-x82f.google.com with SMTP id b8so6413396qtj.1 for ; Tue, 05 Feb 2019 18:42:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=fDipjJ2VHdgEwqc7JiKuTitUX9+YGOepraiDrdtPZew=; b=DlOxYVEW2sm5dgNIm7vbcAEPNkxJbvqhdsDpCCIxPW0I/IHOhJMANt+7OoZc2bMvGD WGSkhvjI1lLdpOaCiXicu+Tpc4Hbxzvz94kDONh4sb26nKg98K8szVP8dp5/bTuSmj/V mfRQCpt8DteKiQ8sGkgwg6JO/WSUlkfn7zbMnP+A5L3LScov6T8aZ34QEbt8sJQgpwG0 RaKopzZfUaLXKEWd/pDJjlBstE25E+M6C0HI0O0n1wDi1ZgSEJmRZLRBU0iINnBYuyEL q0HGi+u6Urru4qAhVIYzoFJLMR7jnrGdpv8XqLfufI0mClP0CMoldfTdiKTjPeiUZYds 5LRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=fDipjJ2VHdgEwqc7JiKuTitUX9+YGOepraiDrdtPZew=; b=dGRqrH4Z7+z4/j4dUqMYqih6TdXbAGIpD6QIowRmsmPv1SkmgLI82Ois2HMKmmrQw5 0pXmmBhXPb+/nSZ99MhiTiZRL/6qGxBRvv6dRQbqaApZ40d2bDtHAi2bmod1XDeN+9K1 vag/0fDEz9f8YsNO/DaDbHluKXNZIeZAvyEbaiZRzcVza6EgyOH9xVhEkMFDae/vPLga NiOEeA8kuZhXS2oQzhQWzpNrcQoqaQzydtRnIDfI6FGe67e9/5inW4VsnEj6OZJQJKJq HUBCTw3nJtcmrVqXky96HGva8wcI6Bzaw0GXIfeHXmaK+NGMGswKEtkeVXExcKm9z7cx W3Ew== X-Gm-Message-State: AHQUAuaiKgP/JZkjWC8f9PU62Z6++gCM/QAYjsoCY/agVVcCz+Nhz4r3 TPWHLoHLsM7SAb2xVWW6J1I8igtJsK1d67xrDcNDtRng X-Google-Smtp-Source: AHgI3IbvelMqmzQERx+byzJ34GgHU5IOagS5e2Gke+mwUzVMbdzcmnCw+FjvY19TsGuooRG4x30/4OmrtcJ9hOdcWH8= X-Received: by 2002:a0c:9d41:: with SMTP id n1mr6211614qvf.212.1549420932800; Tue, 05 Feb 2019 18:42:12 -0800 (PST) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 References: <8d027455-f210-c399-f5a7-bfb05692cc5f@gmail.com> <4T37M4RU.7P6POHFW.VWXHN7BS@VBETV3G5.Q4J4WRJ3.XBFRTPM4> <20190205211653.57d0b0dc@digimed.co.uk> In-Reply-To: <20190205211653.57d0b0dc@digimed.co.uk> From: Mark David Dumlao Date: Wed, 6 Feb 2019 10:41:35 +0800 Message-ID: Subject: Re: [gentoo-user] Re: Coming up with a password that is very strong. To: gentoo-user@lists.gentoo.org Content-Type: text/plain; charset="UTF-8" X-Archives-Salt: f41e68c4-e74c-42bc-a213-4f84e42ab231 X-Archives-Hash: 1940f2c48a1888e454b5457ee0593a3c On Wed, Feb 6, 2019 at 5:18 AM Neil Bothwick wrote: > > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote: > > > My own solution is actually very simple. I have a "secret algorithm" > > that incorporates several secrets with a predictable way to generate a > > site-specific secret. The end result is a 100% predictable way to > > generate unique passwords for every site that are cryptographically > > secure from each other (you cannot derive > > one from the other) which can be generated by any device using the > > appropriate tools. > > The was a tool in portage this did this. I tried it but it did not work > in the real world because you couldn't set a rule for generated passwords > that matched the requirements of all sites, for example some require a > non-alphanumeric character while other sites only allow alphanumerics. > > I can remember what the tools was called, although I'm pretty sure it > was written in Python. I'd be interested to know how you get around the > conflicting restrictions as this seems a good way to do things. > Well the original idea is to reduce dependency on specific tools, such that the algorithm is the secret, and the passwords are just byproducts of the secret. You will still need tools to do any hashing, but those are generic tools you can acquire anywhere. So for example, the "password123" equivalent secret algorithm might be: 1) global pepper: "password" 3) site-specific pepper: pepper plus number = vowels in domain name 2) site-specific ID: pepper dot domain name dot username 4) hashing algorithm: md5sum + base64, take first 8 Example application: madumlao@gmail.com 1) site-specific pepper: pepper3 (3 vowels in domain name: google) 2) site-specific ID: pepper3.google.madumlao 3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> NGI3MTQz 4) combined with global pepper: password.NGI3MTQz 5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> MWJjZjg2 password: MWJjZjg2 Example application: madumlao@yahoo.com 1) site-specific pepper: pepper3 (3 vowels in domain name: yahoo) 2) site-specific ID: pepper3.yahoo.madumlao 3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> ZDQzZGM5 4) combined with global pepper: password.ZDQzZGM5 5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> ZjUwMTI2 password: ZjUwMTI2 The procedure takes up a little more headspace than 1 password, but definitely less headspace than a dozen cryptographically secure passwords. You can change the hashing algorithm, peppering rule, ID rule, number of characters, etc to your tastes. You can add iteration rules for the nth password change anywhere in the procedure, and add constraint rules for sites that have certain password limitations (the caveat is that you have to remember which sites have password changes and constraints). For me really all that matters is that the building blocks are widely available and the end result incorporates data loss that makes it impossible to recover the original secrets. "Obviously" do not use this algorithm as-is. The algorithm, not the password, is the secret, so using this algorithm as is is the equivalent of using any example of a crypto secure password (correct horse battery stapler) as a password. -- This email is: [ ] actionable [x] fyi [ ] social Response needed: [ ] yes [x] up to you [ ] no Time-sensitive: [ ] immediate [ ] soon [x] none