¡No PASSarán - manager and password generator

    A lot has been written about passwords on Habr and Geektimes. On the Internet you can find many password programs and plugins/add-ons. Browsers can save passwords. It would seem that everything already exists. But no, I built my own bicycle anyway, because all the old bicycles have their drawbacks. The main drawback of all these programs is their database, which can easily be destroyed. I have been through this myself. The most famous program, KeePass (more precisely, its fork KeePassX), twice destroyed my file on its own. I do not know how it is now, but two years ago it could not back up the database, and if disk space ran out, or something crashed, or something else happened, the database file easily ended up 0 bytes in size. The only program I liked was Password Commander: it made a backup copy itself, but, unfortunately, the project died and it only ran on Windows.

    People are divided into those who do not backup and those who already do.

    2-3 years ago the idea of my own bicycle, a password generator, was born and grew. Of course, the idea is not new; many people have had variations of it and it has been discussed many times. On Habr, in the article " Generating xkcd passwords in PHP ", I expressed my idea back in 2014 and after that slowly began to implement and use it. And in the middle of 2015 I had a browser plugin, ¡No PASSarán, which I would like to talk about in this article.


    Those too lazy to read the path to success of my young, dynamically developing project can go straight to the online version of ¡No PASSarán or to GitHub / Bitbucket.

    In addition to the disadvantage described above, the death of the database, all password managers have a number of further disadvantages (I will list them together with the excuses):
    • You cannot always and everywhere carry the database with you. Of course, in the age of the Internet and the clouds this is not a serious drawback, and in principle you can always keep a copy on your phone or in the cloud;
    • There are a lot of passwords and you need to look for the right one in the database, that is, access to the data is slow. Of course, many managers have already learned to integrate into browsers and applications and fill in the data automatically;
    • In browsers, for example, storage reliability is not very good. Of course, you can set a master password, but it can also be intercepted by a keylogger.
    • No manager can recover a password for you.

    If you do not use a manager, remembering hundreds of passwords is not an option, so people use at best a couple of passwords, or store them in a file that is at best password-protected.

    In my bicycle I tried to avoid all these shortcomings. Some of them are of course not yet fully solved, and some are still only planned. But more about that at the end of the article.

    Currently there are two popular approaches to "generating" and/or remembering passwords. Both of them are described in a popular image on the net:


    The second option seems to take longer to crack, judging by the article (see the link above) and the comments on it. But it seems to me that if it is the only password and is used everywhere, as many people do (they use the same password everywhere), then stealing it once lets an attacker break into and steal many accounts. And by my observation (I do not claim this is the truth), it is easier to crack, because one can collect a database of frequently used words (especially in languages without suffixes and endings) and try their combinations; since most people will use 2 to 4 words, it is roughly like brute-forcing a 2-4 character password, only over a somewhat larger alphabet, because with special characters the number of "words" is also fairly large. Add to that service restrictions: some services allow only a limited number of characters, which narrows the search further. The next difficulty for the user is remembering or inventing a new password, or using a shorter version everywhere. And that is without counting the services that require at least one digit or special character.

    In my bicycle I tried to combine and improve both, taking the best from each option. From the second option I took the need for 3 words (I named them salt, algorithm and master password), and from the first, that the final password is produced as an MD5 hash, since it is often in MD5 that the password is stored on the server anyway.

    Initially I came up with and used a simple algorithm for sites, something like this:

    • There was a master password, say quaka42eqava
    • Then take a site, for example example.com , and derive other parts from it, for example: example , 7 , com , moc , 3 ; I think it is clear what comes from what?
    • The third step was to get the new password moc3quaka42eqava7example

    This option is easy to remember, you do not need to carry a database with you, and it satisfies both of the requirements described in the picture. But it has weak points:

    • for example, I might go to an intruder's site and enter there the password created for that site: intruder's-site.rf => fr2quaka42eqava18intruder's-site . Looking at the password, he could work out its algorithm and steal some of my accounts
    • constantly splitting up a domain and counting characters is tiresome

    So I improved the algorithm. Since all passwords are stored on servers in an encrypted form, most often as MD5 (with salt), it was decided to go the same way and add hashing to this algorithm. But this caused yet another difficulty: constantly opening the console or an MD5 generator and typing the data in there. So I started writing the passwords into a file, which threw my idea back into the Stone Age and returned it to the old bottleneck: a password database that can be stolen, or a file that can be damaged and that you cannot take with you (unless you specifically do so). Of course, you can protect yourself against theft with another password that locks the database, but nobody is safe from the file being damaged, which can easily happen to an encrypted file. And so I decided, or rather ended up, postponing the project.

    So, imagine that you have abandoned your personal project (sorry, of course: postponed it, to return when there is time!)

    ( in the article and somewhere in the comments on Habrahabr)

    How to use

    Suppose you came up with three parts, for example: the master password, as before quaka42eqava, the salt is the name of the pet Kuzya, and the algorithm is its phone number (the password is case-sensitive, the salt and the algorithm are case-insensitive). We enter the salt and the algorithm into the plugin settings and they are saved there. Then we go to the site we are interested in, where we want to register / log in, place the cursor in the password field and click the plugin button on the browser toolbar; in the window that appears we type the master password and press the OK button or Enter. The password is generated automatically and inserted into the field where the cursor was.

    The plugin and the online version can be used not only for sites. If you need a password for a third-party program, check the "Forget about domain" checkbox in the online version or in the guest mode of the plugin.

    Additionally 4 buttons are available (3 in the online version):
    (image: ¡No PASSarán toolbar icons)

    • Copy password to clipboard
    • Show generated password
    • Advanced password generation settings
    • Guest mode (not available in the online version, because the online version initially reproduces the guest mode)

    Generation Algorithms

    Algorithms are constructed as follows. Suppose we specified the phone number 88005555555 as the algorithm, the salt Kuzya and the master password quaka42eqava, for example.com. Generation then proceeds in three automatic stages according to the algorithm:

    • We get all the parts (repeated digits are not listed again):
      • 8 - the first half of the master password, quaka4
      • 0 - the entire domain name, example
      • 5 - the number of characters in the zone; the zone is com , hence 3
    • The results are concatenated into a string, but the master password is always prepended at the beginning as an additional precaution: quaka42eqavaquaka4quaka4exampleexample3333333 . A good password length, right? Who can work out how many years it would take to brute-force?
    • As the last step we reduce that number of years, namely by running the string through MD5 => md5 (quaka42eqavaquaka4quaka4exampleexample3333333) => f837bab2e4d20a53e884a42e9473708a

    Algorithms can be built in two ways - basic and advanced.

    The basic method of constructing the algorithm

    For the basic algorithm all letters (Russian and English) and digits are available; they must be written as a single "word".

    • 0 - Entire domain name (alias: a, k, u, a, th, y, e)
    • 1 - The entire domain zone (alias: b, l, v, b, k, f, u)
    • 2 - The first half of the domain (alias: c, m, w, b, l, x, i)
    • 3 - The second half of the domain (alias: d, n, x, g, m, c)
    • 4 - The number of characters in the domain (alias: e, o, y, d, n, h)
    • 5 - The number of characters in the zone (alias: f, p, z, e, o, w)
    • 6 - Whole salt (alias: g, q, ё, п, щ)
    • 7 - Master password in its entirety (alias: h, r, f, p, b)
    • 8 - First half of the master password (alias: i, s, s, s, s, s)
    • 9 - The second half of the master password (alias: j, t, and, t, b)

    Advanced way to build an algorithm

    Of course, these can and should be combined with the numbers of the basic algorithm.
    In the advanced method the numbers must be separated by any character other than a digit or a letter. More of these algorithms will be added.

    • 10 - Entire inverted domain name
    • 11 - Inverted domain zone entirely
    • 12 - Inverted first half of the domain
    • 13 - Inverted second half of the domain
    • 14 - (none)
    • 15 - (none)
    • 16 - Whole inverted salt
    • 17 - Inverted master password entirely
    • 18 - Inverted first half of the master password
    • 19 - Inverted second half of the master password
    • 160 - The first half of salt
    • 161 - The second half of salt
    • 162 - Inverted first half of salt
    • 163 - Inverted second half of salt

    For example: 8-8-0-0-1-163-10-13

    It is recommended that the algorithm include an element based on the domain: 0, 2, 3, etc.

    Advanced settings

    On some sites, such as Yandex, you need one password for all subdomains. To do this, activate the "Disable subdomains" setting; after that, subdomains are ignored during generation and only the domain is used. Attention! If you have already created a password on a subdomain, it will no longer work; you will need to uncheck the setting.

    There are sites that do not allow more than a certain number of characters in a password. On such sites you can enable the trim setting. ¡No PASSarán uses the standard JavaScript substr function, so for details on how a string is trimmed see the documentation for that function. Usage example:
    Suppose the string "абвгдеёжзи" has been generated; then entering the following numbers in the "Trim" field gives

    -3, 2  => жз
    -3     => жзи
     1     => бвгдеёжзи
    -20, 2 => аб

    All these settings are stored in the browser. In future versions, it will be possible to save advanced settings to a file for transfer between browsers and computers.

    Advantages and disadvantages

    Now you do not need to store hundreds of passwords on a computer, in your head or in a notebook. All passwords are unique and it is almost impossible to crack or steal them. The password consists of two parts (three elements): the master password, and the salt plus the algorithm, which are kept separate from each other. The algorithm and the salt are stored in the browser and could be stolen by taking over your computer, but attackers still cannot obtain your passwords. If the master password is stolen, for example with a keylogger, then without knowing the algorithm and the salt they will not be able to access the passwords.

    Exception: the online version, which is recommended only as a last resort and when you are sure there are no keyloggers or other vermin on the computer. In that case it is better not to use passwords at all, no matter how reliable they are.

    These passwords are hard to obtain through social engineering.

    Passwords can be transmitted over an insecure (http) connection. Even if the password is intercepted for the current site, passwords from other sites will remain safe.

    Of the disadvantages:

    • There are three key "words" to remember. Although the salt and the algorithm need not be memorized: they can be written on a piece of paper and hidden in a safe to be recovered some day if needed, but then the online version will be unavailable if you forget them.
    • You must have a computer with the plugin at hand, or use the online version.
    • There are currently no special characters, but they are planned

    A little more about ¡No PASSarán

    The latest version adds the ability to generate a password in guest mode. Thanks to this you can have several accounts with different generated passwords on one site. To do this, for example, write the current login in the Salt field, and a unique password will be generated from this salt-login. Knowing the next login, you will not need to remember its password, because everything else (the algorithm and the master password) is used as before.

    I have been using this plugin since April 2015 and have experienced all its beauty and convenience myself. I invite you to use this plugin for free, without registration and SMS.

    Links and Installation

    Online version (GitHub mirrors):

    Online ¡No PASSarán. Mirror 1
    Online ¡No PASSarán. Mirror 2
    Online ¡No PASSarán. Mirror 3


    Github and bitbucket

    Extensions for browsers:

    For Chrome and similar browsers

    For firefox

    PS Don't swear too heavily at the code.


    Rate the idea (poll results)

    • 10.5% (15 votes) Good idea and I will use the plugin
    • 33.8% (48 votes) Good idea and I will not use the plugin
    • 26.7% (38 votes) Bad idea
    • 28.8% (41 votes) Undecided
