From e7505fafbe965718daaba35fc6a26cb1a1a843aa Mon Sep 17 00:00:00 2001
From: Tom Willemse
Date: Sun, 14 Feb 2016 19:59:36 +0100
Subject: Add post "Using DisPass to manage your passwords"

---
 dispass_passwords.org | 254 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 254 insertions(+)
 create mode 100644 dispass_passwords.org

diff --git a/dispass_passwords.org b/dispass_passwords.org
new file mode 100644
index 0000000..5ca3eb3
--- /dev/null
+++ b/dispass_passwords.org
@@ -0,0 +1,254 @@
+#+TITLE: Using DisPass to manage your passwords
+
+*tl;dr*: If you don’t care about any of the back story and just want
+to know how to use DisPass to manage passwords, skip to [[Managing
+passwords]] for instant gratification.
+
+* Introduction
+
+  DisPass is a project that was started, and is still maintained, by a
+  [[https://babab.nl][friend]] and former colleague of mine. I've been using it for quite
+  some time. It helps me feel safe online, knowing that all my
+  accounts have different and strong passwords.
+
+  DisPass uses algorithms to make reproducible passphrases. Making it
+  a kind-of functional password manager, just like Haskell is a
+  functional programming language and Guix is a functional package
+  manager. Given the same input DisPass will always produce the same
+  output. This means that the generated passphrases are never stored
+  anywhere and cannot be discovered by crackers[fn:1] and the like.
+
+  The input for DisPass consists of a label, algorithm, length,
+  possibly a sequence number (depending on the algorithm used) and
+  finally a password. All but the label and password have some default
+  value, but can also be specified through command-line switches.
+
+* The Labelfile
+
+  Being a functional anything usually means that whatever you're using
+  doesn't maintain any state. This can be true for DisPass, but isn't
+  necessarily so. It can be a challenge to remember the size,
+  algorithm and sequence number for a large number of labels, so there
+  is the labelfile.
+
+  The labelfile is normally located in either
+  ~$XDG_CONFIG_HOME/dispass/labels~ or ~$HOME/.dispass/labels~, but
+  can also be specified on the command-line. It contains the metadata
+  for the labels, and the labels themselves. This lets you run
+  something like:
+
+  : dispass generate foobar
+
+  And it'll know the size, algorithm and sequence number for the label
+  “foobar”, assuming you’ve saved it to the labelfile. The labelfile
+  is unencrypted, but this information is useless as long as nobody
+  knows the password(s) you use to generate the passphrases.
+
+* Setting up
+
+  DisPass is easy to install if you have either Archlinux or pip
+  installed. Windows is a bit more problematic and I don’t even know
+  how to get started on a Mac personally, but there is no reason it
+  can’t work. It doesn’t have many dependencies, so you don’t need to
+  install anything else first.
+
+  The latest release is quite old, but a new release should be coming
+  soon. There haven’t been too many developments since version
+  0.3.0-dev because it basically does what it needs to do, and the
+  user base is currently very small, so bugs might not be encountered
+  too quickly. Don’t think that it’s an abandoned project, if you look
+  at it’s [[https://github.com/babab/DisPass][github]] page you’ll see that it’s seen a bit of development
+  again as of late.
+
+  In the case of Archlinux I’ve provided packages in the AUR for both
+  [[https://aur.archlinux.org/packages/python2-dispass/][python2-dispass]] version 0.2.0 and [[https://aur.archlinux.org/packages/python2-dispass-git/][python2-dispass-git]]. Installing
+  either of these like any regular old aur package will get you set
+  up. Incidentally, if you’re using Archlinux on x86_64 and have the
+  testing package repository enabled, you could also use [[https://ryuslash.org/packages/][my package
+  repository]], though no guarantees that it’ll ever work are given
+  there.
+
+  For a general pip installation it should be as easy as running:
+
+  : sudo pip install dispass
+
+* UIs
+
+  Seeing as how my friend would like it to be generally useful, and
+  he’s a VIM user, there is both a GUI and CLI interface. Since I’m an
+  Emacs user I’ve created an Emacs and a Conkeror interface for it as
+  well.
+
+** CLI
+
+   The CLI is what gets the most attention and gets developed the
+   most. I will be working with this in the [[Managing passwords]]
+   section.
+
+** GUI
+
+   There is a basic GUI included with dispass, it can be started with
+   either the ~gdispass~ or the ~dispass gui~ commands. It requires
+   tkinter to be installed. It doesn't do everything the CLI does, but
+   there are plans to improve it and use a different gui library (such
+   as Qt). In some situations it can copy the generated passphrases
+   directly to the clipboard, but this is only true on GNU/Linux, not
+   on Windows.
+
+** Emacs
+
+   I wrote an Emacs interface when I started using DisPass. It tries
+   to copy the generated passwords directly to the clipboard, instead
+   of needing the user to copy it manually as the CLI does. It can
+   also insert generated passphrases into a buffer, such as the
+   minibuffer.
+
+   It's available on [[https://github.com/ryuslash/dispass.el][github]].
+
+** Conkeror
+
+   I also wrote a Conkeror interface some time later, because I didn't
+   want to keep copying and pasting the passphrases through one of the
+   other interfaces (usually Emacs). It inserts the generated
+   passphrases into the focused input.
+
+   It's also available on [[https://github.com/ryuslash/cdispass][github]].
+
+** Wishlist
+
+   As I mentioned, the idea is to expand the GUI and use a different
+   gui library for it, to make it look a little better. The
+   functionality should also be extended to do everything the CLI
+   does.
+
+   A Firefox extension is also still on the list of desirable
+   interfaces. I'm not sure how plausible it is with the new
+   WebExtension plugin api, I haven't looked into it yet. I don't
+   think chrom(e|ium) allows developers to call external programs,
+   which is an obstacle, but I haven't looked at this either.
+
+* Managing passwords
+
+  Now for the real fun. Generating passphrases is simple. Use the
+  ~generate~ command:
+
+  : dispass generate foobar
+
+  If no entry exists in the labelfile for ~foobar~, it uses the
+  defaults, which at the time of writing are a length of 30, and the
+  algorithm ~dispass1~. This algorithm doesn't use a sequence
+  number. It can generate more than one passphrase at a time.
+
+  The generated passphrases are presented in an ncurses screen so they
+  aren't kept in your terminal emulator's scrollback history, at least
+  in some cases. You can use the ~-o~ switch to do away with the
+  ncurses screen and just output a line for each generated
+  passphrase. Together with something like awk this can be used to
+  directly send some command the passphrase it needs. For example, if
+  the program ~foo~ needs a password from stdin, you could use:
+
+  : dispass generate -o foobar | awk '{ print $2 }' | foo
+
+  You can specify a different length, algorithm and sequence number by
+  using command line switches. For example, I normally prefer the
+  ~dispass2~ algorithm since it adds a sequence number. For some crazy
+  reason the place I use the passphrase limits it to a length of 16
+  characters and I've had to change my password twice, so I use a
+  sequence number of 3. I could use:
+
+  : dispass generate -l 16 -a dispass2 -s 3 foobar
+
+  It would be difficult to remember all this, so I personally would
+  add it to the labelfile. To do this I can use the ~add~
+  command. Basically this is:
+
+  : dispass add foobar
+
+  This creates an entry in the label file with the same default values
+  as the generate command: a length of 30 and using the ~dispass1~
+  algorithm. To use the values we used before we can instead do:
+
+  : dispass add foobar:16:dispass2:3
+
+  This way we can add multiple entries with different values at once:
+
+  : dispass add foo:16 bar::dispass2:2
+
+  This would add the ~foo~ label with a length of 16, using the
+  default algorithm and the label ~bar~ with the default length, using
+  the ~dispass2~ algorithm and the sequence number 2. As you can see
+  you can omit any trailing parameters and leave any parameters in
+  between empty to use their default values.
+
+  If you added it before I showed you the extended add syntax you can
+  use ~update~ to change an existing entry in the labelfile:
+
+  : dispass update foobar 13:dispass2:3
+
+  Unlike the ~add~ command, the ~update~ command only updates one
+  label at a time.
+
+  Now, the place I use my password was cracked by crackers[fn:1], my
+  password was stolen. That's no biggie. I use the ~list~ command to
+  check what my sequence number is:
+
+  : dispass list
+
+  Then I can update my labelfile and use a new sequence number:
+
+  : dispass update foobar ::4
+
+  I could also use the convenient ~increment~ command:
+
+  : dispass increment foobar
+
+  Everytime the sequence number is changed the input changes and so
+  does the passphrase. So a simple call to the ~increment~ command
+  will completely change your passphrase. This is nice, because
+  otherwise I'd have to change either the label or the password used
+  to generate the passphrase.
+
+  Actually, I just quit the job where I used my ~foobar~ label. I
+  still use many other labels and don't want my list to get too big. I
+  also don't want to delete the label in case I ever need to get back
+  in there, so I just disable it:
+
+  : dispass disable foobar
+
+  This keeps it in the labelfile, but commands such as ~list~ don't
+  show it anymore. But then they really need me back, and since I'm
+  now a freelance worker I can accommodate them, so I enable my label
+  again:
+
+  : dispass enable foobar
+
+  But now the place where I use the ~foobar~ label has gone out of
+  business (I mean, come on, using a maximum password length of 16 and
+  getting cracked by crackers all the time, are you really surprised?)
+  and their site has been taken offline. Now I really have no reason
+  to keep this label around, so I remove it:
+
+  : dispass remove foobar
+
+* Cons
+
+  Yes, this is an excellent project and I'm not just saying that
+  because a friend of mine wrote it. There are some things that it
+  just isn't suited for.
+
+  When sharing a single account with someone else (don't do this!),
+  you can't expect the other party to use the same label and password
+  to generate the passphrase, if they're even tech-savvy enough to use
+  DisPass just like you. It also increases the amount of information
+  you need to remember to use DisPass. There are better programs to
+  store pre-generated passwords.
+
+  Due to the way the current algorithms are implemented there is a
+  limit to the length of the passphrases and that limit isn't entirely
+  consistent. This is only a problem when you need passphrases of more
+  than 100 characters, and I haven't had that problem yet.
+
+* Footnotes
+
+[fn:1] I refuse to use the term hackers, because to me that means
+  something completely different, and I hope to you as well.
-- 
cgit v1.2.3-54-g00ecf