path: root/dispass_passwords.post

;;;;;
title: Using DisPass to manage your passwords
date: 2016-02-14
tags: dispass
format: html
;;;;;
<p>
<b>tl;dr</b>: If you don’t care about any of the back story and just want
to know how to use DisPass to manage passwords, skip to <a href="#orgheadline1">Managing passwords</a> for instant gratification.
</p>

<div id="outline-container-orgheadline2" class="outline-2">
<h2 id="orgheadline2">Introduction</h2>
<div class="outline-text-2" id="text-orgheadline2">
<p>
DisPass is a project that was started, and is still maintained, by a
<a href="https://babab.nl">friend</a> and former colleague of mine. I've been using it for quite
some time. It helps me feel safe online, knowing that all my
accounts have different and strong passwords.
</p>

<p>
DisPass uses algorithms to make reproducible passphrases. Making it
a kind-of functional password manager, just like Haskell is a
functional programming language and Guix is a functional package
manager. Given the same input DisPass will always produce the same
output. This means that the generated passphrases are never stored
anywhere and cannot be discovered by crackers<sup><a id="fnr.1" class="footref" href="#fn.1">1</a></sup> and the like.
</p>

<p>
The input for DisPass consists of a label, algorithm, length,
possibly a sequence number (depending on the algorithm used) and
finally a password. All but the label and password have some default
value, but can also be specified through command-line switches.
</p>
</div>
</div>

<div id="outline-container-orgheadline3" class="outline-2">
<h2 id="orgheadline3">The Labelfile</h2>
<div class="outline-text-2" id="text-orgheadline3">
<p>
Being a functional anything usually means that whatever you're using
doesn't maintain any state. This can be true for DisPass, but isn't
necessarily so. It can be a challenge to remember the size,
algorithm and sequence number for a large number of labels, so there
is the labelfile.
</p>

<p>
The labelfile is normally located in either
<code>$XDG_CONFIG_HOME/dispass/labels</code> or <code>$HOME/.dispass/labels</code>, but
can also be specified on the command-line. It contains the metadata
for the labels, and the labels themselves. This lets you run
something like:
</p>

<pre class="example">
dispass generate foobar
</pre>

<p>
And it'll know the size, algorithm and sequence number for the label
“foobar”, assuming you’ve saved it to the labelfile. The labelfile
is unencrypted, but this information is useless as long as nobody
knows the password(s) you use to generate the passphrases.
</p>
</div>
</div>

<div id="outline-container-orgheadline4" class="outline-2">
<h2 id="orgheadline4">Setting up</h2>
<div class="outline-text-2" id="text-orgheadline4">
<p>
DisPass is easy to install if you have either Archlinux or pip
installed. Windows is a bit more problematic and I don’t even know
how to get started on a Mac personally, but there is no reason it
can’t work. It doesn’t have many dependencies, so you don’t need to
install anything else first.
</p>

<p>
The latest release is quite old, but a new release should be coming
soon. There haven’t been too many developments since version
0.3.0-dev because it basically does what it needs to do, and the
user base is currently very small, so bugs might not be encountered
too quickly. Don’t think that it’s an abandoned project, if you look
at it’s <a href="https://github.com/babab/DisPass">github</a> page you’ll see that it’s seen a bit of development
again as of late.
</p>

<p>
In the case of Archlinux I’ve provided packages in the AUR for both
<a href="https://aur.archlinux.org/packages/python2-dispass/">python2-dispass</a> version 0.2.0 and <a href="https://aur.archlinux.org/packages/python2-dispass-git/">python2-dispass-git</a>. Installing
either of these like any regular old aur package will get you set
up. Incidentally, if you’re using Archlinux on x86<sub>64</sub> and have the
testing package repository enabled, you could also use <a href="https://ryuslash.org/packages/">my package
repository</a>, though no guarantees that it’ll ever work are given
there.
</p>

<p>
For a general pip installation it should be as easy as running:
</p>

<pre class="example">
sudo pip install dispass
</pre>
</div>
</div>

<div id="outline-container-orgheadline5" class="outline-2">
<h2 id="orgheadline5">UIs</h2>
<div class="outline-text-2" id="text-orgheadline5">
<p>
Seeing as how my friend would like it to be generally useful, and
he’s a VIM user, there is both a GUI and CLI interface. Since I’m an
Emacs user I’ve created an Emacs and a Conkeror interface for it as
well.
</p>
</div>

<div id="outline-container-orgheadline6" class="outline-3">
<h3 id="orgheadline6">CLI</h3>
<div class="outline-text-3" id="text-orgheadline6">
<p>
The CLI is what gets the most attention and gets developed the
most. I will be working with this in the <a href="#orgheadline1">Managing passwords</a>
section.
</p>
</div>
</div>

<div id="outline-container-orgheadline7" class="outline-3">
<h3 id="orgheadline7">GUI</h3>
<div class="outline-text-3" id="text-orgheadline7">
<p>
There is a basic GUI included with dispass, it can be started with
either the <code>gdispass</code> or the <code>dispass gui</code> commands. It requires
tkinter to be installed. It doesn't do everything the CLI does, but
there are plans to improve it and use a different gui library (such
as Qt). In some situations it can copy the generated passphrases
directly to the clipboard, but this is only true on GNU/Linux, not
on Windows.
</p>
</div>
</div>

<div id="outline-container-orgheadline8" class="outline-3">
<h3 id="orgheadline8">Emacs</h3>
<div class="outline-text-3" id="text-orgheadline8">
<p>
I wrote an Emacs interface when I started using DisPass. It tries
to copy the generated passwords directly to the clipboard, instead
of needing the user to copy it manually as the CLI does. It can
also insert generated passphrases into a buffer, such as the
minibuffer.
</p>

<p>
It's available on <a href="https://github.com/ryuslash/dispass.el">github</a>.
</p>
</div>
</div>

<div id="outline-container-orgheadline9" class="outline-3">
<h3 id="orgheadline9">Conkeror</h3>
<div class="outline-text-3" id="text-orgheadline9">
<p>
I also wrote a Conkeror interface some time later, because I didn't
want to keep copying and pasting the passphrases through one of the
other interfaces (usually Emacs). It inserts the generated
passphrases into the focused input.
</p>

<p>
It's also available on <a href="https://github.com/ryuslash/cdispass">github</a>.
</p>
</div>
</div>

<div id="outline-container-orgheadline10" class="outline-3">
<h3 id="orgheadline10">Wishlist</h3>
<div class="outline-text-3" id="text-orgheadline10">
<p>
As I mentioned, the idea is to expand the GUI and use a different
gui library for it, to make it look a little better. The
functionality should also be extended to do everything the CLI
does.
</p>

<p>
A Firefox extension is also still on the list of desirable
interfaces. I'm not sure how plausible it is with the new
WebExtension plugin api, I haven't looked into it yet. I don't
think chrom(e|ium) allows developers to call external programs,
which is an obstacle, but I haven't looked at this either.
</p>
</div>
</div>
</div>

<div id="outline-container-orgheadline1" class="outline-2">
<h2 id="orgheadline1">Managing passwords</h2>
<div class="outline-text-2" id="text-orgheadline1">
<p>
Now for the real fun. Generating passphrases is simple. Use the
<code>generate</code> command:
</p>

<pre class="example">
dispass generate foobar
</pre>

<p>
If no entry exists in the labelfile for <code>foobar</code>, it uses the
defaults, which at the time of writing are a length of 30, and the
algorithm <code>dispass1</code>. This algorithm doesn't use a sequence
number. It can generate more than one passphrase at a time.
</p>

<p>
The generated passphrases are presented in an ncurses screen so they
aren't kept in your terminal emulator's scrollback history, at least
in some cases. You can use the <code>-o</code> switch to do away with the
ncurses screen and just output a line for each generated
passphrase. Together with something like awk this can be used to
directly send some command the passphrase it needs. For example, if
the program <code>foo</code> needs a password from stdin, you could use:
</p>

<pre class="example">
dispass generate -o foobar | awk '{ print $2 }' | foo
</pre>

<p>
You can specify a different length, algorithm and sequence number by
using command line switches. For example, I normally prefer the
<code>dispass2</code> algorithm since it adds a sequence number. For some crazy
reason the place I use the passphrase limits it to a length of 16
characters and I've had to change my password twice, so I use a
sequence number of 3. I could use:
</p>

<pre class="example">
dispass generate -l 16 -a dispass2 -s 3 foobar
</pre>

<p>
It would be difficult to remember all this, so I personally would
add it to the labelfile. To do this I can use the <code>add</code>
command. Basically this is:
</p>

<pre class="example">
dispass add foobar
</pre>

<p>
This creates an entry in the label file with the same default values
as the generate command: a length of 30 and using the <code>dispass1</code>
algorithm. To use the values we used before we can instead do:
</p>

<pre class="example">
dispass add foobar:16:dispass2:3
</pre>

<p>
This way we can add multiple entries with different values at once:
</p>

<pre class="example">
dispass add foo:16 bar::dispass2:2
</pre>

<p>
This would add the <code>foo</code> label with a length of 16, using the
default algorithm and the label <code>bar</code> with the default length, using
the <code>dispass2</code> algorithm and the sequence number 2. As you can see
you can omit any trailing parameters and leave any parameters in
between empty to use their default values.
</p>

<p>
If you added it before I showed you the extended add syntax you can
use <code>update</code> to change an existing entry in the labelfile:
</p>

<pre class="example">
dispass update foobar 13:dispass2:3
</pre>

<p>
Unlike the <code>add</code> command, the <code>update</code> command only updates one
label at a time.
</p>

<p>
Now, the place I use my password was cracked by crackers<sup><a id="fnr.1.100" class="footref" href="#fn.1">1</a></sup>, my
password was stolen. That's no biggie. I use the <code>list</code> command to
check what my sequence number is:
</p>

<pre class="example">
dispass list
</pre>

<p>
Then I can update my labelfile and use a new sequence number:
</p>

<pre class="example">
dispass update foobar ::4
</pre>

<p>
I could also use the convenient <code>increment</code> command:
</p>

<pre class="example">
dispass increment foobar
</pre>

<p>
Everytime the sequence number is changed the input changes and so
does the passphrase. So a simple call to the <code>increment</code> command
will completely change your passphrase. This is nice, because
otherwise I'd have to change either the label or the password used
to generate the passphrase.
</p>

<p>
Actually, I just quit the job where I used my <code>foobar</code> label. I
still use many other labels and don't want my list to get too big. I
also don't want to delete the label in case I ever need to get back
in there, so I just disable it:
</p>

<pre class="example">
dispass disable foobar
</pre>

<p>
This keeps it in the labelfile, but commands such as <code>list</code> don't
show it anymore. But then they really need me back, and since I'm
now a freelance worker I can accommodate them, so I enable my label
again:
</p>

<pre class="example">
dispass enable foobar
</pre>

<p>
But now the place where I use the <code>foobar</code> label has gone out of
business (I mean, come on, using a maximum password length of 16 and
getting cracked by crackers all the time, are you really surprised?)
and their site has been taken offline. Now I really have no reason
to keep this label around, so I remove it:
</p>

<pre class="example">
dispass remove foobar
</pre>
</div>
</div>

<div id="outline-container-orgheadline11" class="outline-2">
<h2 id="orgheadline11">Cons</h2>
<div class="outline-text-2" id="text-orgheadline11">
<p>
Yes, this is an excellent project and I'm not just saying that
because a friend of mine wrote it. There are some things that it
just isn't suited for.
</p>

<p>
When sharing a single account with someone else (don't do this!),
you can't expect the other party to use the same label and password
to generate the passphrase, if they're even tech-savvy enough to use
DisPass just like you. It also increases the amount of information
you need to remember to use DisPass. There are better programs to
store pre-generated passwords.
</p>

<p>
Due to the way the current algorithms are implemented there is a
limit to the length of the passphrases and that limit isn't entirely
consistent. This is only a problem when you need passphrases of more
than 100 characters, and I haven't had that problem yet.
</p>
</div>
</div>
<div id="footnotes">
<h2 class="footnotes">Footnotes: </h2>
<div id="text-footnotes">

<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1">1</a></sup> <div class="footpara"><p class="footpara">
I refuse to use the term hackers, because to me that means
something completely <a href="http://www.catb.org/jargon/html/C/cracker.html">different</a>, and I hope to you as well.
</p></div></div>


</div>
</div>