NO MORE PASSWORD REUSE

[code] Python (2.6), GPL

Im far from being a security expert, but I recognize the real danger in our poor password practices (particularly the reuse of passwords between sites). Elaborate routines for contructing passwords are well-intentioned, but ridiculous, so says both my mother and XKCD. Though what the comic suggests is an improvement, I think it’s still too much effort to remember different passphrases for different sites.

I think LastPass and the like have the right idea, have a vault of passwords and one master password to unlock it, but, kind of hiliariously, this has some meta-security problems of its own. Really, the problem with LastPass is that it stores data at all.

What I want is a piece of code that takes the url of a site where I want to have an account and then spits out a password. As long as I have access to the code, or can remember the algorithm behind it, I can generate my password for any site on demand when I need to log in. Nothing stored on the system, nothing to remember, a unique, ridiculous looking and ridiculously strong password for every site.

Such an algorithm would have some constraints. Namely:

• knowledge of the algorithm should not allow hackers to generate my passwords (so we’re probably going to have to use a memorized, non-random salt)
• the algorithm should work for all password forms (probably a maximum / minimum length, and some characters are likely unacceptable)
• I should be able to memorize the algorithm in case I lose my code (not perform it manually, but it should be easy to re-program if necessary)
• it should be accessible on all my systems (ie, offline and via a web form for iPhone or when using unfamiliar devices)
• it should, in fact, generate cryptographically difficult passwords

This short python script is what I came up with. It runs both as a commandline tool and as a cgi script on the web, and generates an alphanumeric + puncutation password. It requires a master salt to generate the passwords, but this can be a simple short dictionary word that I wont have to write down.

There are some drawbacks, naturally. Foremost is that the use of a web query is a weak link, because presumably Im submitting my master salt in plain text over the network. Not that anyone would know what I was doing, but security through obscurity is a not a great feature to have included. Secondly, there’s no provision for changing a password if it’s somehow compromised, ie, it generates one password per url. Also, this isnt hugely practical for people like my mother to use that arent going to be running a commandline tool or hitting weird urls. And finally, of course, I have to run this script anytime I want to log in anywhere. However, that’s probably going to be faster than consulting my passwords.txt file, which I would have to do if I actually kept unique passwords for every site.

Regardless, I think this is actually going to work, making my life more securish. But Im sure a similar approach has been developed before. What do you think? Is this code flawed or am I on to something? Publishing the code here is my own mini-security experiment (it does expose some additional info, like password length and the set of possible characters, but I think we’ll still be ok).