Safe passwords

When I started using the Internet regularly, back in 2007 or so, I used the same password everywhere. I changed it periodically (though not very often). After some time (probably a year) I started using password managers. The first one was KeePass. I had two pendrives: one with the database and a second one with the secret key stored in a file. It was a secure solution, but useless whenever I forgot at least one of the pendrives. When I switched to Linux I kept using KeePass, but it had to be run under Wine because there was no Linux version.

Some time later I found KeePassX, which is a reimplementation of KeePass written in Qt for all operating systems, and a few months ago its fork, KeePassXC. I liked them a lot, but with the increasing number of devices I use it became a bit problematic to keep the database synchronized across all of them. What's more, when I didn't have my database file with me, I couldn't access my secrets. I started thinking about some other solution. I had heard about a kind of software called password generators. They use the service name, a username and a master password to generate unique and sufficiently complex secrets. I think most of them use a keyed-Hash Message Authentication Code (HMAC) to generate secure passwords. HMAC provides data integrity and authentication of a message; you can find more about it in RFC 2104. Good solutions also provide a configurable set of characters to be used in generated passwords, as well as the password length and a counter (incrementing the counter gives a new password while preserving the other settings).

When I started my research, I had in mind that a solution suitable for me should have at least a desktop application and web browser integration (Firefox in my case). Of course I only took open source solutions into consideration.

I very quickly found one with all these features. It is called LessPass and is written in JavaScript. This 'package' contains many applications, from a standalone web browser extension to desktop, mobile and CLI clients. While the mobile app and the Firefox extension are nearly perfect, installing Node.js just to be able to run the CLI or desktop application was too much. I wanted to be able to run LessPass on all my low-end devices. I decided to find a version written in Python or rewrite it on my own. Fortunately I found that Maurits van der Schee had already done that a few months ago. To be precise, he wrote a library implementing all the functions necessary to generate passwords.

What I had to do was a simple CLI application that takes the site and login (and optionally a profile) from the command line and the master password from standard input, and returns the generated password. So I did it, and it is now merged into the master branch of the lesspass.py project. LessPass also offers a server written in Python which can store all profiles, but I didn't consider this solution suitable for me. So my CLI client uses JSON files with password settings, stored in the ~/.lesspass directory. I keep these settings in a git repository, so I can access old configuration at any time.
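As an added illustration of the two ideas above (an HMAC-keyed generator driven by site, login, counter, character set and length, and per-site settings kept as JSON files in a directory like ~/.lesspass), here is a small Python example. It is not LessPass's own algorithm and not code from lesspass.py: LessPass derives its passwords differently, so this will not reproduce LessPass output for the same inputs. The HMAC construction, the charset names, the `demo()` helper and the profile file layout are assumptions made for this example only.

```python
"""Illustrative deterministic password generator (added example).

Not the LessPass algorithm and not lesspass.py. The master password is the
HMAC key (RFC 2104, SHA-256); site, login and counter form the message.
Profile files hold only settings, never the master password.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Character classes a profile can enable (assumed names, not LessPass's).
CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!#$%&*+-=?@^_~",
}
DEFAULT_CHARSETS = ("lowercase", "uppercase", "digits", "symbols")


def derive_password(master_password, site, login, length=16,
                    charsets=DEFAULT_CHARSETS, counter=1):
    """Return a deterministic password for (site, login, counter).

    Incrementing `counter` yields a fresh password for the same site without
    touching the other settings, which is the behaviour the post describes.
    """
    alphabet = "".join(CHARSETS[name] for name in charsets)
    n = len(alphabet)
    key = master_password.encode("utf-8")
    message = "{}\n{}\n{}".format(site, login, counter).encode("utf-8")
    # Largest multiple of n that fits in a byte: bytes at or above it are
    # rejected so every alphabet character is equally likely (plain modulo
    # would bias towards the first 256 % n characters).
    limit = 256 - (256 % n)
    password = []
    block = 0
    while len(password) < length:
        # One HMAC per block index gives as many bytes as the length needs.
        digest = hmac.new(key, message + b"\n" + str(block).encode("ascii"),
                          hashlib.sha256).digest()
        block += 1
        for b in digest:
            if b < limit:
                password.append(alphabet[b % n])
                if len(password) == length:
                    break
    return "".join(password)


def save_profile(profile_dir, name, profile):
    """Write a profile (settings only, no secrets) as <dir>/<name>.json."""
    os.makedirs(profile_dir, exist_ok=True)
    path = os.path.join(profile_dir, name + ".json")
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2, sort_keys=True)
    return path


def load_profile(profile_dir, name):
    """Read a profile back from <dir>/<name>.json."""
    with open(os.path.join(profile_dir, name + ".json")) as fh:
        return json.load(fh)


def password_from_profile(master_password, profile):
    """Generate the password described by a loaded profile dictionary."""
    return derive_password(
        master_password,
        profile["site"],
        profile["login"],
        length=profile.get("length", 16),
        charsets=tuple(profile.get("charsets", DEFAULT_CHARSETS)),
        counter=profile.get("counter", 1),
    )


def demo(master_password="correct horse battery staple"):
    """Round-trip a constructed profile through a temporary ~/.lesspass-like
    directory and return (profile, password)."""
    profile = {"site": "example.com", "login": "alice", "length": 20,
               "charsets": ["lowercase", "uppercase", "digits"], "counter": 2}
    with tempfile.TemporaryDirectory() as tmp:
        save_profile(tmp, "example.com", profile)
        loaded = load_profile(tmp, "example.com")
    return loaded, password_from_profile(master_password, loaded)


if __name__ == "__main__":
    print(demo()[1])
```

Only the master password is secret here; the profile files contain nothing sensitive, which is what makes it reasonable to keep them in a git repository as described above. The rejection step when mapping bytes onto the alphabet is deliberate: with an alphabet whose size does not divide 256, a plain modulo would make some characters slightly more likely than others.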

I encourage you to test this solution and give me feedback :-)