- Subject: A deterministic password generator written in Lua.
- From: luiz <bloataware@...>
- Date: Mon, 5 Sep 2022 00:51:36 +0200 (CEST)
With each passing day, we see more and more data leaks piling up, which just
reiterates how awful the practice of password reuse is. "But how am I
supposed to remember dozens of different passwords?" Well, there is a simple
solution: password managers. A usual password manager will take a master
password to encrypt a vault (a local file in your system), where it will store
your new randomly generated strong passwords. However, things can go wrong:

1. By forgetting your master password you will, essentially, lose the key to
your digital life. There are two possible solutions here: you can use a strong
yet memorable passphrase (à la xkcdpass) and use it every day, making it very
hard to forget; or you can use a cloud-based password manager and hope that they
will not be compromised (*cough* *cough* LastPass).

2. By losing the vault file you will completely lose access to your digital
life. The solutions are either using a password manager that is "vaultless" or,
again, trusting the cloud.

A deterministic password generator solves the second problem by deriving all of
your passwords from a single master password, no vaults, only "states" required.
There are a plethora of solutions out there for this, but most of them are
insecure (using outdated algorithms), false advertisement (no such thing as a
"stateless password manager") and/or highly complex. So I wrote my own instead:
it uses very secure algorithms (argon2i and blake2b), it encourages keeping the
"state" secret and best of all it is written in 100 lines of Lua. Here's the
Well... What do you think?
P.S. A "state" is basically everything that you need to remember in order to
generate the same password again beyond the master password, i.e. length,
alphabet and most importantly its salt (or "secret" as I call it in the script).
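
The scheme described in this post (master password plus a "state" of length, alphabet and secret salt), sketched in Python as an added example; it is not the author's Lua script. Assumptions: scrypt stands in for argon2i because Python's standard library has no Argon2, and the function name, parameters and cost settings are hypothetical.

```python
import hashlib


def derive_password(master: str, secret: str, length: int, alphabet: str) -> str:
    """Deterministically derive a site password from a master password and a state."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet) or not 2 <= len(alphabet) <= 256:
        raise ValueError("alphabet needs 2..256 distinct characters")

    # Stage 1: memory-hard stretching of the master password, salted with the
    # per-site secret. scrypt is a stand-in for argon2i here (assumption).
    key = hashlib.scrypt(master.encode(), salt=secret.encode(),
                         n=2**14, r=8, p=1, dklen=32)

    # Bind the rest of the state into the stream, so changing the length or
    # the alphabet yields an unrelated password instead of a prefix or a
    # re-encoding of the old one.
    context = f"{length}:{alphabet}".encode()

    # Stage 2: keyed BLAKE2b in counter mode as a byte stream. Bytes at or
    # above `limit` are rejected so every character is equally likely
    # (plain `byte % len(alphabet)` would favour the first characters).
    limit = 256 - 256 % len(alphabet)
    chars = []
    counter = 0
    while len(chars) < length:
        block = hashlib.blake2b(counter.to_bytes(8, "little") + context,
                                key=key, digest_size=64).digest()
        for byte in block:
            if byte < limit and len(chars) < length:
                chars.append(alphabet[byte % len(alphabet)])
        counter += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample state; none of these values come from the post.
    ALNUM = ("abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
    print(derive_password("correct horse battery staple",
                          "example.org#1", 20, ALNUM))
```

Losing any part of the state (length, alphabet or secret) makes the password unrecoverable, which is why the state has to be remembered or stored alongside the master password.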