Hello,

With each passing day, we see more and more data leaks piling up, which just
reiterates how awful the practice of password reuse is. "But how am I
supposed to remember dozens of different passwords?" Well, there is a simple
solution: password managers. A usual password manager will take a master
password to encrypt a vault (a local file in your system), where it will store
your new randomly generated strong passwords. However things can go wrong:

1. By forgetting your master password you will, essentially, lose the key to
   your digital life. There are two possible solutions here: you can use a
   strong yet memorable passphrase (à la xkcdpass) and use it every day, making
   it very hard to forget; or you can use a cloud based password manager and
   hope that they will not be compromised (*cough* *cough* LastPass).
2. By losing the vault file you will completely lose access to your digital
   life. The solutions are either using a password manager that is "vaultless"
   or, again, trusting the cloud.

A deterministic password generator solves the second problem by deriving all of
your passwords from a single master password, no vaults, only "states" required.
There are a plethora of solutions out there for this, but most of them are
insecure (using outdated algorithms), false advertisement (no such thing as a
"stateless password manager") and/or highly complex. So I wrote my own instead:
it uses very secure algorithms (argon2i and blake2b), it encourages keeping the
"state" secret and best of all it is written in 100 lines of Lua. Here's the
source code:

    https://codeberg.org/bloataware/bin/src/branch/main/dpg

Well... What do you think?

P.S. A "state" is basically everything that you need to remember in order to
generate the same password again beyond the master password, i.e. length,
alphabet and most importantly its salt (or "secret" as I call it in the script).

Sincerely,
luiz
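
The derivation described in the message above (master password plus a "state" of secret, length and alphabet), as an added Python example that is not the dpg script and not the author's code. Assumptions: scrypt stands in for argon2i because Python's standard library has no argon2, and the function name, parameters and sample values are made up for illustration.

```python
import hashlib


def derive_password(master: str, secret: str, length: int, alphabet: str) -> str:
    """Derive the same password every time from the master password and the
    "state" (secret, length, alphabet). Nothing is stored anywhere."""
    size = len(alphabet)
    if length < 1:
        raise ValueError("length must be positive")
    if not 2 <= size <= 256 or len(set(alphabet)) != size:
        raise ValueError("alphabet needs 2..256 distinct characters")

    # Slow, memory-hard stretch of the master password, salted with the secret.
    # ASSUMPTION: scrypt stands in for argon2i (not in Python's stdlib).
    key = hashlib.scrypt(master.encode(), salt=secret.encode(),
                         n=2**14, r=8, p=1, dklen=32)

    # Bytes >= limit are discarded so every character is equally likely
    # (plain `byte % size` would favour the start of the alphabet).
    limit = 256 - (256 % size)
    chars = []
    counter = 0
    while len(chars) < length:
        # Keyed blake2b over a counter gives an endless deterministic stream.
        block = hashlib.blake2b(counter.to_bytes(8, "little"),
                                key=key, digest_size=64).digest()
        counter += 1
        for byte in block:
            if byte < limit and len(chars) < length:
                chars.append(alphabet[byte % size])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample state; none of these values come from the post.
    state = {"secret": "example-secret", "length": 20,
             "alphabet": "abcdefghijklmnopqrstuvwxyz0123456789"}
    print(derive_password("correct horse battery staple", **state))
```

In this sketch the length is not mixed into the derivation, so a shorter length yields a prefix of the longer password for the same master password, secret and alphabet.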