2010/08/05

More on Passwords

In the comments of a previous post on creating passwords, xenoterracide mentioned his method of creating more secure passwords.

I say "more secure" rather than "secure" because, as an exchange in xeno's comments section (one that got so heated xeno locked the comments) pointed out, the entropy could be better, and if the desire for the password-protected information gets big enough, they'll just use legal or extralegal methods rather than crack your password. Basically, we're trying to make it easier to have passwords that are better than average.

The Xeno method is as follows.

echo -n SOME_STRING_YOU_WILL_REMEMBER | sum | base64 

or

echo -n SOME_STRING_YOU_WILL_REMEMBER | sha1sum | base64 

I wrote code to automate it somewhat. I display the hexdigest and base64 digest of the string.

#!/usr/bin/perl

# turns the input into a string and puts out SHA1 digests in both hex and base64

use 5.010 ;   # enables say()
use strict ;
use warnings ;
use Digest::SHA1 ;   # CPAN module; the core Digest::SHA offers the same methods

my $sha = Digest::SHA1->new;
# join the command-line words with single spaces and lower-case them,
# so the same phrase always yields the same digest
$sha->add( lc join ' ' , @ARGV ) ;
say $sha->hexdigest;   # 40 hex characters
say $sha->b64digest;   # 27 base64 characters, no padding

But I have realized a problem with this. Let me give you the use case.

Suppose your account has been compromised by some other route: you do this on a machine where someone else has root, or you run an ancient version of sendmail, or you use .authorized_keys and someone came in unchallenged from another machine. They don't need to be root; they just need to be you.

grep password .bash_history
grep sha1sum .bash_history

So the tool should read the string from STDIN while it runs, not from the command line, so that the string never ends up in the shell history. That's how it should be written.

I haven't written it up like that yet, but it should be easy. I mean, the above example is only 4 lines of real code, right?
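Here is one way to write that version, as an added example rather than the post's own code: it produces the same two digests as the script above, but reads the phrase from the terminal with echo switched off, so it appears neither on the command line nor in .bash_history. It assumes a POSIX system with stty available and uses the core Digest::SHA module in place of Digest::SHA1.

```perl
#!/usr/bin/perl
# Added example (not the post's code): same digests as the argv version,
# but the passphrase is typed interactively, so it never reaches the shell
# history. Assumes a POSIX system where `stty` is on the PATH.
use 5.010;
use strict;
use warnings;
use Digest::SHA qw(sha1_hex sha1_base64);   # core since Perl 5.10

# Prompt on STDERR so the prompt text is not mixed into the digests on STDOUT.
print STDERR "Passphrase: ";

# Turn terminal echo off only when STDIN really is a terminal; when the
# phrase is piped in there is nothing to hide on screen.
my $is_tty = -t STDIN;
system('stty', '-echo') if $is_tty;
my $line = <STDIN>;
system('stty', 'echo') if $is_tty;    # always restore echo before doing anything else
print STDERR "\n";

die "no passphrase given\n" unless defined $line;
chomp $line;

# Normalise exactly as the argv version did: the shell split the phrase on
# whitespace and the script joined the words with single spaces and
# lower-cased them. Doing the same here gives identical digests.
my $normalised = lc join ' ', split ' ', $line;

say sha1_hex($normalised);       # 40 hex characters
say sha1_base64($normalised);    # 27 base64 characters, unpadded
```

Because the phrase is read from STDIN, `grep sha1sum .bash_history` turns up only the script's name, never the phrase.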