author Tom Willemse 2016-02-14 21:38:02 +0100
committer Tom Willemse 2016-02-14 21:38:24 +0100
commit 00d982486fdb1316a65b31c9fc66b7fb97f662d2
tree ad891c138f2b7f740e18aa9ebfb078674c8c3b1f
parent e7505fafbe965718daaba35fc6a26cb1a1a843aa
Finish "Using DisPass to manage your passwords"
-rw-r--r-- dispass_passwords.org 4
-rw-r--r-- dispass_passwords.post 407
2 files changed, 410 insertions, 1 deletions
diff --git a/dispass_passwords.org b/dispass_passwords.org
index 5ca3eb3..1a5a5cf 100644
--- a/dispass_passwords.org
+++ b/dispass_passwords.org
@@ -1,4 +1,6 @@
#+TITLE: Using DisPass to manage your passwords
+#+DATE: 2016-02-14
+#+COLESLAW_TAGS: dispass
*tl;dr*: If you don’t care about any of the back story and just want
to know how to use DisPass to manage passwords, skip to [[Managing
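Review bot: The tl;dr link in the context lines at the end of this hunk, `[[Managing passwords]]`, has no description, and in the exported dispass_passwords.post it comes out as `<a href="#orgheadline1">5</a>`, so the opening sentence of the post reads "skip to 5 for instant gratification" (section 4.1 of the export has the same bare number). Since this commit finalises the header, give the link an explicit description, for example `[[Managing passwords][Managing passwords]]`, and re-export. The new `#+DATE` and `#+COLESLAW_TAGS` values are also repeated as `date:` and `tags:` in the .post header, so the two files have to be kept in step whenever either one changes.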
@@ -251,4 +253,4 @@ passwords]] for instant gratification.
* Footnotes
[fn:1] I refuse to use the term hackers, because to me that means
- something completely different, and I hope to you as well.
+ something completely [[http://www.catb.org/jargon/html/C/cracker.html][different]], and I hope to you as well.
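Review bot: The added footnote link uses plain `http://` for www.catb.org; if the host serves that page over HTTPS, link to the HTTPS URL so readers are not sent to an unauthenticated copy. The replacement line is also far longer than the wrapped lines around it; breaking it after the link would keep the footnote at the same fill width as the rest of the file.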
diff --git a/dispass_passwords.post b/dispass_passwords.post
new file mode 100644
index 0000000..fda7d45
--- /dev/null
+++ b/dispass_passwords.post
@@ -0,0 +1,407 @@
+;;;;;
+title: Using DisPass to manage your passwords
+date: 2016-02-14
+tags: dispass
+format: html
+;;;;;
+<p>
+<b>tl;dr</b>: If you don’t care about any of the back story and just want
+to know how to use DisPass to manage passwords, skip to <a href="#orgheadline1">5</a> for instant gratification.
+</p>
+
+<div id="outline-container-orgheadline2" class="outline-2">
+<h2 id="orgheadline2"><span class="section-number-2">1</span> Introduction</h2>
+<div class="outline-text-2" id="text-1">
+<p>
+DisPass is a project that was started, and is still maintained, by a
+<a href="https://babab.nl">friend</a> and former colleague of mine. I've been using it for quite
+some time. It helps me feel safe online, knowing that all my
+accounts have different and strong passwords.
+</p>
+
+<p>
+DisPass uses algorithms to make reproducible passphrases. Making it
+a kind-of functional password manager, just like Haskell is a
+functional programming language and Guix is a functional package
+manager. Given the same input DisPass will always produce the same
+output. This means that the generated passphrases are never stored
+anywhere and cannot be discovered by crackers<sup><a id="fnr.1" class="footref" href="#fn.1">1</a></sup> and the like.
+</p>
+
+<p>
+The input for DisPass consists of a label, algorithm, length,
+possibly a sequence number (depending on the algorithm used) and
+finally a password. All but the label and password have some default
+value, but can also be specified through command-line switches.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgheadline3" class="outline-2">
+<h2 id="orgheadline3"><span class="section-number-2">2</span> The Labelfile</h2>
+<div class="outline-text-2" id="text-2">
+<p>
+Being a functional anything usually means that whatever you're using
+doesn't maintain any state. This can be true for DisPass, but isn't
+necessarily so. It can be a challenge to remember the size,
+algorithm and sequence number for a large number of labels, so there
+is the labelfile.
+</p>
+
+<p>
+The labelfile is normally located in either
+<code>$XDG_CONFIG_HOME/dispass/labels</code> or <code>$HOME/.dispass/labels</code>, but
+can also be specified on the command-line. It contains the metadata
+for the labels, and the labels themselves. This lets you run
+something like:
+</p>
+
+<pre class="example">
+dispass generate foobar
+</pre>
+
+<p>
+And it'll know the size, algorithm and sequence number for the label
+“foobar”, assuming you’ve saved it to the labelfile. The labelfile
+is unencrypted, but this information is useless as long as nobody
+knows the password(s) you use to generate the passphrases.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgheadline4" class="outline-2">
+<h2 id="orgheadline4"><span class="section-number-2">3</span> Setting up</h2>
+<div class="outline-text-2" id="text-3">
+<p>
+DisPass is easy to install if you have either Archlinux or pip
+installed. Windows is a bit more problematic and I don’t even know
+how to get started on a Mac personally, but there is no reason it
+can’t work. It doesn’t have many dependencies, so you don’t need to
+install anything else first.
+</p>
+
+<p>
+The latest release is quite old, but a new release should be coming
+soon. There haven’t been too many developments since version
+0.3.0-dev because it basically does what it needs to do, and the
+user base is currently very small, so bugs might not be encountered
+too quickly. Don’t think that it’s an abandoned project, if you look
+at it’s <a href="https://github.com/babab/DisPass">github</a> page you’ll see that it’s seen a bit of development
+again as of late.
+</p>
+
+<p>
+In the case of Archlinux I’ve provided packages in the AUR for both
+<a href="https://aur.archlinux.org/packages/python2-dispass/">python2-dispass</a> version 0.2.0 and <a href="https://aur.archlinux.org/packages/python2-dispass-git/">python2-dispass-git</a>. Installing
+either of these like any regular old aur package will get you set
+up. Incidentally, if you’re using Archlinux on x86<sub>64</sub> and have the
+testing package repository enabled, you could also use <a href="https://ryuslash.org/packages/">my package
+repository</a>, though no guarantees that it’ll ever work are given
+there.
+</p>
+
+<p>
+For a general pip installation it should be as easy as running:
+</p>
+
+<pre class="example">
+sudo pip install dispass
+</pre>
+</div>
+</div>
+
+<div id="outline-container-orgheadline10" class="outline-2">
+<h2 id="orgheadline10"><span class="section-number-2">4</span> UIs</h2>
+<div class="outline-text-2" id="text-4">
+<p>
+Seeing as how my friend would like it to be generally useful, and
+he’s a VIM user, there is both a GUI and CLI interface. Since I’m an
+Emacs user I’ve created an Emacs and a Conkeror interface for it as
+well.
+</p>
+</div>
+
+<div id="outline-container-orgheadline5" class="outline-3">
+<h3 id="orgheadline5"><span class="section-number-3">4.1</span> CLI</h3>
+<div class="outline-text-3" id="text-4-1">
+<p>
+The CLI is what gets the most attention and gets developed the
+most. I will be working with this in the <a href="#orgheadline1">5</a>
+section.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgheadline6" class="outline-3">
+<h3 id="orgheadline6"><span class="section-number-3">4.2</span> GUI</h3>
+<div class="outline-text-3" id="text-4-2">
+<p>
+There is a basic GUI included with dispass, it can be started with
+either the <code>gdispass</code> or the <code>dispass gui</code> commands. It requires
+tkinter to be installed. It doesn't do everything the CLI does, but
+there are plans to improve it and use a different gui library (such
+as Qt). In some situations it can copy the generated passphrases
+directly to the clipboard, but this is only true on GNU/Linux, not
+on Windows.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgheadline7" class="outline-3">
+<h3 id="orgheadline7"><span class="section-number-3">4.3</span> Emacs</h3>
+<div class="outline-text-3" id="text-4-3">
+<p>
+I wrote an Emacs interface when I started using DisPass. It tries
+to copy the generated passwords directly to the clipboard, instead
+of needing the user to copy it manually as the CLI does. It can
+also insert generated passphrases into a buffer, such as the
+minibuffer.
+</p>
+
+<p>
+It's available on <a href="https://github.com/ryuslash/dispass.el">github</a>.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgheadline8" class="outline-3">
+<h3 id="orgheadline8"><span class="section-number-3">4.4</span> Conkeror</h3>
+<div class="outline-text-3" id="text-4-4">
+<p>
+I also wrote a Conkeror interface some time later, because I didn't
+want to keep copying and pasting the passphrases through one of the
+other interfaces (usually Emacs). It inserts the generated
+passphrases into the focused input.
+</p>
+
+<p>
+It's also available on <a href="https://github.com/ryuslash/cdispass">github</a>.
+</p>
+</div>
+</div>
+
+<div id="outline-container-orgheadline9" class="outline-3">
+<h3 id="orgheadline9"><span class="section-number-3">4.5</span> Wishlist</h3>
+<div class="outline-text-3" id="text-4-5">
+<p>
+As I mentioned, the idea is to expand the GUI and use a different
+gui library for it, to make it look a little better. The
+functionality should also be extended to do everything the CLI
+does.
+</p>
+
+<p>
+A Firefox extension is also still on the list of desirable
+interfaces. I'm not sure how plausible it is with the new
+WebExtension plugin api, I haven't looked into it yet. I don't
+think chrom(e|ium) allows developers to call external programs,
+which is an obstacle, but I haven't looked at this either.
+</p>
+</div>
+</div>
+</div>
+
+<div id="outline-container-orgheadline1" class="outline-2">
+<h2 id="orgheadline1"><span class="section-number-2">5</span> Managing passwords</h2>
+<div class="outline-text-2" id="text-5">
+<p>
+Now for the real fun. Generating passphrases is simple. Use the
+<code>generate</code> command:
+</p>
+
+<pre class="example">
+dispass generate foobar
+</pre>
+
+<p>
+If no entry exists in the labelfile for <code>foobar</code>, it uses the
+defaults, which at the time of writing are a length of 30, and the
+algorithm <code>dispass1</code>. This algorithm doesn't use a sequence
+number. It can generate more than one passphrase at a time.
+</p>
+
+<p>
+The generated passphrases are presented in an ncurses screen so they
+aren't kept in your terminal emulator's scrollback history, at least
+in some cases. You can use the <code>-o</code> switch to do away with the
+ncurses screen and just output a line for each generated
+passphrase. Together with something like awk this can be used to
+directly send some command the passphrase it needs. For example, if
+the program <code>foo</code> needs a password from stdin, you could use:
+</p>
+
+<pre class="example">
+dispass generate -o foobar | awk '{ print $2 }' | foo
+</pre>
+
+<p>
+You can specify a different length, algorithm and sequence number by
+using command line switches. For example, I normally prefer the
+<code>dispass2</code> algorithm since it adds a sequence number. For some crazy
+reason the place I use the passphrase limits it to a length of 16
+characters and I've had to change my password twice, so I use a
+sequence number of 3. I could use:
+</p>
+
+<pre class="example">
+dispass generate -l 16 -a dispass2 -s 3 foobar
+</pre>
+
+<p>
+It would be difficult to remember all this, so I personally would
+add it to the labelfile. To do this I can use the <code>add</code>
+command. Basically this is:
+</p>
+
+<pre class="example">
+dispass add foobar
+</pre>
+
+<p>
+This creates an entry in the label file with the same default values
+as the generate command: a length of 30 and using the <code>dispass1</code>
+algorithm. To use the values we used before we can instead do:
+</p>
+
+<pre class="example">
+dispass add foobar:16:dispass2:3
+</pre>
+
+<p>
+This way we can add multiple entries with different values at once:
+</p>
+
+<pre class="example">
+dispass add foo:16 bar::dispass2:2
+</pre>
+
+<p>
+This would add the <code>foo</code> label with a length of 16, using the
+default algorithm and the label <code>bar</code> with the default length, using
+the <code>dispass2</code> algorithm and the sequence number 2. As you can see
+you can omit any trailing parameters and leave any parameters in
+between empty to use their default values.
+</p>
+
+<p>
+If you added it before I showed you the extended add syntax you can
+use <code>update</code> to change an existing entry in the labelfile:
+</p>
+
+<pre class="example">
+dispass update foobar 13:dispass2:3
+</pre>
+
+<p>
+Unlike the <code>add</code> command, the <code>update</code> command only updates one
+label at a time.
+</p>
+
+<p>
+Now, the place I use my password was cracked by crackers<sup><a id="fnr.1.100" class="footref" href="#fn.1">1</a></sup>, my
+password was stolen. That's no biggie. I use the <code>list</code> command to
+check what my sequence number is:
+</p>
+
+<pre class="example">
+dispass list
+</pre>
+
+<p>
+Then I can update my labelfile and use a new sequence number:
+</p>
+
+<pre class="example">
+dispass update foobar ::4
+</pre>
+
+<p>
+I could also use the convenient <code>increment</code> command:
+</p>
+
+<pre class="example">
+dispass increment foobar
+</pre>
+
+<p>
+Everytime the sequence number is changed the input changes and so
+does the passphrase. So a simple call to the <code>increment</code> command
+will completely change your passphrase. This is nice, because
+otherwise I'd have to change either the label or the password used
+to generate the passphrase.
+</p>
+
+<p>
+Actually, I just quit the job where I used my <code>foobar</code> label. I
+still use many other labels and don't want my list to get too big. I
+also don't want to delete the label in case I ever need to get back
+in there, so I just disable it:
+</p>
+
+<pre class="example">
+dispass disable foobar
+</pre>
+
+<p>
+This keeps it in the labelfile, but commands such as <code>list</code> don't
+show it anymore. But then they really need me back, and since I'm
+now a freelance worker I can accommodate them, so I enable my label
+again:
+</p>
+
+<pre class="example">
+dispass enable foobar
+</pre>
+
+<p>
+But now the place where I use the <code>foobar</code> label has gone out of
+business (I mean, come on, using a maximum password length of 16 and
+getting cracked by crackers all the time, are you really surprised?)
+and their site has been taken offline. Now I really have no reason
+to keep this label around, so I remove it:
+</p>
+
+<pre class="example">
+dispass remove foobar
+</pre>
+</div>
+</div>
+
+<div id="outline-container-orgheadline11" class="outline-2">
+<h2 id="orgheadline11"><span class="section-number-2">6</span> Cons</h2>
+<div class="outline-text-2" id="text-6">
+<p>
+Yes, this is an excellent project and I'm not just saying that
+because a friend of mine wrote it. There are some things that it
+just isn't suited for.
+</p>
+
+<p>
+When sharing a single account with someone else (don't do this!),
+you can't expect the other party to use the same label and password
+to generate the passphrase, if they're even tech-savvy enough to use
+DisPass just like you. It also increases the amount of information
+you need to remember to use DisPass. There are better programs to
+store pre-generated passwords.
+</p>
+
+<p>
+Due to the way the current algorithms are implemented there is a
+limit to the length of the passphrases and that limit isn't entirely
+consistent. This is only a problem when you need passphrases of more
+than 100 characters, and I haven't had that problem yet.
+</p>
+</div>
+</div>
+<div id="footnotes">
+<h2 class="footnotes">Footnotes: </h2>
+<div id="text-footnotes">
+
+<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1">1</a></sup> <div class="footpara"><p class="footpara">
+I refuse to use the term hackers, because to me that means
+something completely <a href="http://www.catb.org/jargon/html/C/cracker.html">different</a>, and I hope to you as well.
+</p></div></div>
+
+
+</div>
+</div>
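Review bot: In section 3 (Setting up) the install command is `sudo pip install dispass`, which runs pip and any package install code as root and writes into the system Python; for a per-user password tool, `pip install --user dispass` or a virtualenv is sufficient and is the safer thing to tell readers. In section 2 the labelfile paragraph says the unencrypted file "is useless as long as nobody knows the password(s)": the file still lists every label with its length, algorithm and sequence number, so anyone who reads it learns which labels are in use and needs only the password to reproduce each passphrase. I would soften that sentence and suggest restrictive permissions on the file. Section 5 presents the ncurses screen as the protection against terminal scrollback, so it should also say that `-o` prints the passphrase to the terminal whenever the output is not piped. Two export and wording glitches: `x86<sub>64</sub>` in section 3 is `x86_64` rendered as a subscript, and "it's github page" should be "its".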