*tl;dr*: If you don’t care about any of the back story and just want
to know how to use DisPass to manage passwords, skip to [[Managing
passwords]] for instant gratification.
* Introduction
DisPass is a project that was started, and is still maintained, by a
[[https://babab.nl][friend]] and former colleague of mine. I've been using it for quite
some time. It helps me feel safe online, knowing that all my
accounts have different and strong passwords.
DisPass uses algorithms to make reproducible passphrases, making it
a kind of functional password manager, just like Haskell is a
functional programming language and Guix is a functional package
manager. Given the same input DisPass will always produce the same
output. This means that the generated passphrases are never stored
anywhere and cannot be discovered by crackers[fn:1] and the like.
The input for DisPass consists of a label, algorithm, length,
possibly a sequence number (depending on the algorithm used) and
finally a password. All but the label and password have some default
value, but can also be specified through command-line switches.
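The idea of deriving a passphrase from these inputs, as an added example that is not DisPass's code and does not reproduce its ~dispass1~ algorithm. It is a sketch built on PBKDF2 from Python's standard library; the function name, the ~example-pbkdf2~ algorithm tag, the iteration count and the character set are all assumptions.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed charset)
ITERATIONS = 200_000                             # assumed PBKDF2 work factor


def _field(value: str) -> bytes:
    """Length-prefix a field so adjacent fields cannot run into each other."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def derive_passphrase(label, password, length=30, seqno=1,
                      algorithm="example-pbkdf2"):
    """Derive a passphrase from the inputs alone; nothing is stored.

    Hypothetical scheme for illustration, not DisPass's dispass1.
    """
    if not 1 <= length <= 64:
        raise ValueError("length must be between 1 and 64")
    if seqno < 1:
        raise ValueError("seqno must be a positive integer")
    # Everything except the password goes into the salt, so changing any
    # piece of label metadata yields an unrelated passphrase.
    salt = (_field(algorithm) + _field(label)
            + seqno.to_bytes(4, "big") + length.to_bytes(4, "big"))
    stream = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=2 * length)
    # Two bytes per character: 65536 % 62 == 2, so modulo bias is negligible.
    chars = []
    for i in range(length):
        n = int.from_bytes(stream[2 * i:2 * i + 2], "big")
        chars.append(ALPHABET[n % len(ALPHABET)])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(derive_passphrase("foobar", "correct horse battery staple"))
    print(derive_passphrase("foobar", "correct horse battery staple", seqno=2))
```

In this sketch the label metadata only acts as a salt, so every derived passphrase is exactly as strong as the password; the iteration count is there to make each guess at that password expensive.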
* The Labelfile
Being a functional anything usually means that whatever you're using
doesn't maintain any state. This can be true for DisPass, but isn't
necessarily so. It can be a challenge to remember the size,
algorithm and sequence number for a large number of labels, so there
is the labelfile.
The labelfile is normally located in either
~$XDG_CONFIG_HOME/dispass/labels~ or ~$HOME/.dispass/labels~, but
can also be specified on the command-line. It contains the metadata
for the labels, and the labels themselves. This lets you run
something like:
: dispass generate foobar
And it'll know the size, algorithm and sequence number for the label
“foobar”, assuming you’ve saved it to the labelfile. The labelfile
is unencrypted, but this information is useless as long as nobody
knows the password(s) you use to generate the passphrases.
* Setting up
DisPass is easy to install if you have either Arch Linux or pip
installed. Windows is a bit more problematic and I don’t even know
how to get started on a Mac personally, but there is no reason it
can’t work. It doesn’t have many dependencies, so you don’t need to
install anything else first.
The latest release is quite old, but a new release should be coming
soon. There haven’t been too many developments since version
0.3.0-dev because it basically does what it needs to do, and the
user base is currently very small, so bugs might not be encountered
too quickly. Don’t think that it’s an abandoned project: if you look
at its [[https://github.com/babab/DisPass][GitHub]] page you’ll see that it’s seen a bit of development
again as of late.
In the case of Arch Linux I’ve provided packages in the AUR for both
[[https://aur.archlinux.org/packages/python2-dispass/][python2-dispass]] version 0.2.0 and [[https://aur.archlinux.org/packages/python2-dispass-git/][python2-dispass-git]]. Installing
either of these like any regular old AUR package will get you set
up. Incidentally, if you’re using Arch Linux on x86_64 and have the
testing package repository enabled, you could also use [[https://ryuslash.org/packages/][my package
repository]], though no guarantees that it’ll ever work are given
there.
For a general pip installation it should be as easy as running:
: sudo pip install dispass
* UIs
Seeing as how my friend would like it to be generally useful, and
he’s a VIM user, there is both a GUI and CLI interface. Since I’m an
Emacs user I’ve created an Emacs and a Conkeror interface for it as
well.
** CLI
The CLI is what gets the most attention and gets developed the
most. I will be working with this in the [[Managing passwords]]
section.
** GUI
There is a basic GUI included with DisPass. It can be started with
either the ~gdispass~ or the ~dispass gui~ commands. It requires
tkinter to be installed. It doesn't do everything the CLI does, but
there are plans to improve it and use a different GUI library (such
as Qt). In some situations it can copy the generated passphrases
directly to the clipboard, but this is only true on GNU/Linux, not
on Windows.
** Emacs
I wrote an Emacs interface when I started using DisPass. It tries
to copy the generated passwords directly to the clipboard, instead
of needing the user to copy it manually as the CLI does. It can
also insert generated passphrases into a buffer, such as the
minibuffer.
It's available on [[https://github.com/ryuslash/dispass.el][GitHub]].
** Conkeror
I also wrote a Conkeror interface some time later, because I didn't
want to keep copying and pasting the passphrases through one of the
other interfaces (usually Emacs). It inserts the generated
passphrases into the focused input.
It's also available on [[https://github.com/ryuslash/cdispass][GitHub]].
** Wishlist
As I mentioned, the idea is to expand the GUI and use a different
GUI library for it, to make it look a little better. The
functionality should also be extended to do everything the CLI
does.
A Firefox extension is also still on the list of desirable
interfaces. I'm not sure how plausible it is with the new
WebExtension plugin API; I haven't looked into it yet. I don't
think chrom(e|ium) allows developers to call external programs,
which is an obstacle, but I haven't looked at this either.
* Managing passwords
Now for the real fun. Generating passphrases is simple. Use the
~generate~ command:
: dispass generate foobar
If no entry exists in the labelfile for ~foobar~, it uses the
defaults, which at the time of writing are a length of 30, and the
algorithm ~dispass1~. This algorithm doesn't use a sequence
number. It can generate more than one passphrase at a time.
The generated passphrases are presented in an ncurses screen so they
aren't kept in your terminal emulator's scrollback history, at least
in some cases. You can use the ~-o~ switch to do away with the
ncurses screen and just output a line for each generated
passphrase. Together with something like awk this can be used to
directly send some command the passphrase it needs. For example, if
the program ~foo~ needs a password from stdin, you could use: