[cryptography] pypass, a HMAC-based passphrase generator

travis+ml-rbcryptography at subspacefield.org
Wed Sep 29 19:31:57 EDT 2010


Basic idea:

master_secret = hash(master_pass)
passphrase = HMAC(master_secret, hint)

Details in the source.

Not as secure as a password safe, but doesn't require any replication
or backups - just remember your master pass and be able to get this
script.

Generation count is there for sites that make you change it.

Output is in base64, currently.

$ ./pypass.py -h
Usage: ./pypass.py [-g generation] [-c chars] [master_pass] domain_name
-g generation is numeric, defaults to zero
-c chars is how many chars to output, zero is all
only specify master pass on command line if single user machine

$ ./pypass.py foo foo
SCo4YqL0WoD+rmmo5zWBpE3H/qEMdjvzc5op5LOcQimH8Vea5ZemgdJoeXl3MSk6gg+ltBp4NkwMci/SwAiwzQ==

$ ./pypass.py my_master_pass foo
/dM6HO2sBcVc4pNIJvfZBozW24vFuxXxWDrD07bl/V+Dre0CcFzBiWVgXXe3icZmZkf1PFMqYoJyapHC3Epy5w==

$ ./pypass.py -c 5 my_master_pass foo
/dM6H

$ ./pypass.py 
Master Passphrase: 
Domain name or hint:
/dM6HO2sBcVc4pNIJvfZBozW24vFuxXxWDrD07bl/V+Dre0CcFzBiWVgXXe3icZmZkf1PFMqYoJyapHC3Epy5w==

Script attached.

Comments?

Should I use PBKDF2 instead of hashing master pass?

Sample module here:

http://www.dlitz.net/software/python-pbkdf2/

Mildly annoying to require an additional python module though.
-- 
I find your ideas intriguing and would like to subscribe to your newsletter.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.
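
The scheme from the message above, with the plain-hash master secret next to a PBKDF2-stretched one, as an added example that is not the attached pypass.py and will not reproduce its outputs. It uses only the standard library (hashlib.pbkdf2_hmac), so no extra module is needed. Assumptions: SHA-512 (the sample outputs are 88 base64 characters, i.e. 64 bytes), the way the generation count is mixed into the HMAC input, the fixed salt, and the iteration count.

```python
import base64
import hashlib
import hmac


def master_secret_hash(master_pass: str) -> bytes:
    # master_secret = hash(master_pass); SHA-512 is an assumption.
    return hashlib.sha512(master_pass.encode("utf-8")).digest()


def master_secret_pbkdf2(master_pass: str,
                         salt: bytes = b"pypass-example-salt",  # assumed constant
                         iterations: int = 200_000) -> bytes:    # assumed cost
    # Stretched alternative: every guess at the master pass costs `iterations`
    # HMAC calls. The salt is fixed because the design stores no state.
    return hashlib.pbkdf2_hmac("sha512", master_pass.encode("utf-8"),
                               salt, iterations)


def site_passphrase(master_secret: bytes, hint: str,
                    generation: int = 0, chars: int = 0) -> str:
    # passphrase = HMAC(master_secret, hint). The generation is prepended as a
    # fixed-width counter (assumed encoding) so that hint "foo" at generation 1
    # can never collide with some other hint at generation 0.
    msg = generation.to_bytes(8, "big") + hint.encode("utf-8")
    tag = hmac.new(master_secret, msg, hashlib.sha512).digest()
    out = base64.b64encode(tag).decode("ascii")
    # -c semantics from the usage text: zero means output everything.
    return out[:chars] if chars > 0 else out


if __name__ == "__main__":
    for derive in (master_secret_hash, master_secret_pbkdf2):
        secret = derive("my_master_pass")
        print(derive.__name__)
        print("  gen 0:", site_passphrase(secret, "foo"))
        print("  gen 1:", site_passphrase(secret, "foo", generation=1))
        print("  -c 5 :", site_passphrase(secret, "foo", chars=5))
```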