hashpass's People

Contributors

adm244, dependabot[bot], nkanaev, stepchowfun

hashpass's Issues

Question: How does it work in case domain name changes?

Hi,
My question is how does it work if the service domain name changes from www.facebook.com to login.facebook.com?

In case it is using the domain name of the password box as-is, it may fail to produce the same password.

Save username and password generation date

Hello,

I really like the idea of a stateless password manager but how do I know my username then?
I could of course choose the same user for every page, but might not want to do that. On some sites it also might already be taken.

After reading this advice:

If a generated password is ever compromised, you don't need to memorize a whole new secret key and update all of your passwords. For that service only, just add an incrementing index to your secret key. Such a tiny change in your secret key results in a completely new password for that service. For example, if your key was bananas, just use bananas2. If you can't remember which iteration of your secret key you used for a particular service, simply try them all in order.

I think this is not very practical nor elegant. On some sites I only have a few tries and if I change my password on a regular basis (which is advised in some cases) the account might get frozen before you reach the correct iteration.

For both of these problems a simple solution would be to save the user and the creation date in some kind of database. This might contradict the principle of hashpass in a way, but keep in mind only non-critical information would be saved. A possible attacker that gets the database still wouldn't be able to do much with it without the master password.

Instead of:

Hashpass combines the current domain name and your secret key with a / as follows:
www.facebook.com/bananas. It then computes the SHA-256 hash of that string

It would include the creation date in the hashing input:

www.facebook.com/bananas/2017-05-14

I suppose you have already thought through these problems and might have come up with conclusions/solutions. Let me know what you think.
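
The two issues above, worked through as an added example (not hashpass's own code and not part of either post): it shows that a changed domain string changes the password, and how the proposed `domain/key/date` input plus a non-secret metadata record replaces guessing key suffixes. The round count, the 96-bit Base64 output, the record layout and the function names are assumptions of this sketch; the page itself only states that SHA-256 is computed over `domain/key`.

```python
import base64
import hashlib
import json

ROUNDS = 2 ** 16  # assumed stretching count; the page only says "SHA-256"


def derive(domain, key, created=None, rounds=ROUNDS):
    """Hash "domain/key", or "domain/key/date" as proposed in the issue."""
    parts = [domain, key] if created is None else [domain, key, created]
    digest = "/".join(parts).encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    # Assumed output encoding: first 96 bits as 16 Base64 characters.
    return base64.b64encode(digest[:12]).decode("ascii")


# Constructed sample record: only non-secret fields, as the issue proposes.
METADATA = json.loads(
    '{"www.facebook.com": {"username": "alice", "created": "2017-05-14"}}'
)


def password_for(domain, key, store=METADATA):
    """Look up the stored username and date, then regenerate the password."""
    entry = store.get(domain)
    if entry is None:
        # An unknown host such as login.facebook.com is reported, not guessed.
        raise KeyError(f"no metadata for {domain!r}; domain must match exactly")
    return entry["username"], derive(domain, key, entry["created"])


def rotate(domain, new_date, store):
    """Return a copy of the store with a new creation date for one domain."""
    updated = {d: dict(e) for d, e in store.items()}
    updated[domain]["created"] = new_date
    return updated


if __name__ == "__main__":
    print(derive("www.facebook.com", "bananas"))
    print(derive("login.facebook.com", "bananas"))  # different host, different password
    print(password_for("www.facebook.com", "bananas"))
```

The date is not secret, so it rotates the password without adding entropy to a weak key, and the metadata store still reveals which sites and usernames are in use.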

Can't modify domain

I think it would be nice if you could easily change the domain field. For example, if you want to use your password to access a subdomain of a website.

Link compatible client

Hi,

First of all, great project, I really like your idea!
So much in fact, that I implemented a compatible client for the command line over here: https://github.com/binaryplease/go-hashpass

I hope that is okay, I don't want to steal any of your work and ideas. You link a compatible Python script at the bottom of your repo; I wrote my app in Go because it allows me to run the binary on any system without having to install Python.

Just wanted to leave a comment in case you want to link to the project in the README.
Cheers!
