A strong, yet deterministic password generator forked from Jonathan Self's original proposition. Fulfills strong entropy requirements.

Muja c9b24c136d Overwrite clipboard after password is used 8 years ago
src c9b24c136d Overwrite clipboard after password is used 8 years ago
LICENSE a981bbae1c Init commit 9 years ago
README.md 9e1d9e1001 Created a graphical user interface. Added modularity to the code. Updated the readme 8 years ago
passgen 46696a0a1c Now with a less expensive looping mechanism 9 years ago
pypassgen 1a4fcd08c7 Modified the generation algorithm: passwords are now incompatible with older version. 8 years ago

README.md

Create strong passwords from easy-to-remember strings

strong-passgen lets you easily create a strong password from relatively simple strings.

Pick a password seed and a service-specific name, and run the script like this:

$ ./passgen
Enter your salt: # for example, "banana"
Confirm: # repeat it.
Enter your string: example.com # creating a password for https://example.com
o]o~\sfqFiws]_^iy^=|[nwnwsyyn{mV
Copy and press enter to finish

Or, alternatively, put the service name explicitly as an argument for the script:

$ ./passgen example.com
Enter your salt: # for example, "banana"
Confirm: # repeat it.
o]o~\sfqFiws]_^iy^=|[nwnwsyyn{mV
Copy and press enter to finish

Remember to clear the clipboard after copying your password!

Graphical Interface

strong-passgen now comes with a graphical interface that makes it much easier to use in text-poor environments such as Microsoft Windows and Mac, which don't play very well with copying text from the command line. It requires Python's PyGTK module, which is available from most package managers and is also bundled in portable versions of Python for Windows.

To use it graphically, double-click the main.py file, enter a password seed and an identifier and click Generate. You can now copy the password and paste it easily into other programs and websites.

Motivation and improvements

This is a fork of the password generator described in JXSelf's post:

https://jxself.org/password-generator.shtml

In his original proposal, Jonathan suggests taking a hash of a relatively weak password composed of a password seed (called there a "salt") combined with a service-specific identifier (called a "string") and encoding it with base64 to produce a 32-character strong-looking password.

However, it occurred to me that perhaps these passwords may be easy to reverse in case it becomes known that you indeed generate your passwords using this method. All the attacker has to do is realize that the password looks like a base64-encoded string (easy to infer from the pattern of the string).

My modifications over the original algorithm initially included the insertion of additional methods for making the reversibility harder, and the usage of more non-alphanumeric characters through the usage of tr. However, seeing that not all base64 shell implementations work in the same way (especially for decoding), strong-passgen now implements a different algorithm, involving multiple hashing and sampling based on the input of the program.
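The following is an added illustration, not strong-passgen's code and not Jonathan Self's script: it shows the seed-plus-identifier derivation described above next to a variant that passes the seed through a deliberately slow key-derivation function, so that a leaked site password is expensive to work back to the seed. SHA-256, the concatenation order, PBKDF2 with its iteration count, the `example-passgen:` prefix and all function names are assumptions.

```python
import base64
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LIMIT = 256 - 256 % len(ALPHABET)  # 188: bytes at or above this are rejected


def single_hash_password(seed: str, service: str) -> str:
    """Scheme as the README describes it: one hash, base64, 32 characters.

    Assumptions: SHA-256 and seed+service concatenation order.
    """
    digest = hashlib.sha256((seed + service).encode()).digest()
    return base64.b64encode(digest).decode()[:32]


def slow_kdf_password(seed: str, service: str, length: int = 32,
                      iterations: int = 600_000) -> str:
    """Hypothetical variant: every seed guess costs `iterations` HMAC-SHA256 runs."""
    # The service name acts as the per-site salt, so every site gets an
    # unrelated key even though the seed is the same.
    key = hashlib.pbkdf2_hmac("sha256", seed.encode(),
                              b"example-passgen:" + service.encode(), iterations)
    # Expand the key with SHAKE-256 and keep only bytes below LIMIT, so each
    # of the 94 symbols is equally likely (no modulo bias).
    n = 4 * length
    while True:
        stream = hashlib.shake_256(key).digest(n)
        chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < LIMIT]
        if len(chars) >= length:
            return "".join(chars[:length])
        n *= 2  # SHAKE output is prefix-stable, so the result stays deterministic


if __name__ == "__main__":
    # Constructed inputs, matching the README's own example values.
    print(single_hash_password("banana", "example.com"))
    print(slow_kdf_password("banana", "example.com"))
```

Both functions are deterministic, so nothing needs to be stored; the difference is only in how much work each guess at the seed costs.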

Limitations and security considerations

strong-passgen is a password generator, not a password manager. Functions such as secure storage and retrieval or autocomplete macros are completely out of scope. Please note that this also includes clearing the clipboard after the password has been used. You should immediately copy something else after use to avoid having your password pasted somewhere unintentionally.

This software has NOT been audited from a security standpoint (I welcome somebody to do it anytime, though), and therefore should NOT be considered fail-proof. Use strong-passgen at your own risk!