From e7505fafbe965718daaba35fc6a26cb1a1a843aa Mon Sep 17 00:00:00 2001 From: Tom Willemse Date: Sun, 14 Feb 2016 19:59:36 +0100 Subject: [PATCH] Add post "Using DisPass to manage your passwords" --- dispass_passwords.org | 254 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 254 insertions(+) create mode 100644 dispass_passwords.org diff --git a/dispass_passwords.org b/dispass_passwords.org new file mode 100644 index 0000000..5ca3eb3 --- /dev/null +++ b/dispass_passwords.org @@ -0,0 +1,254 @@ +#+TITLE: Using DisPass to manage your passwords + +*tl;dr*: If you don’t care about any of the back story and just want +to know how to use DisPass to manage passwords, skip to [[Managing +passwords]] for instant gratification. + +* Introduction + + DisPass is a project that was started, and is still maintained, by a + [[https://babab.nl][friend]] and former colleague of mine. I've been using it for quite + some time. It helps me feel safe online, knowing that all my + accounts have different and strong passwords. + + DisPass uses algorithms to make reproducible passphrases. Making it + a kind-of functional password manager, just like Haskell is a + functional programming language and Guix is a functional package + manager. Given the same input DisPass will always produce the same + output. This means that the generated passphrases are never stored + anywhere and cannot be discovered by crackers[fn:1] and the like. + + The input for DisPass consists of a label, algorithm, length, + possibly a sequence number (depending on the algorithm used) and + finally a password. All but the label and password have some default + value, but can also be specified through command-line switches. + +* The Labelfile + + Being a functional anything usually means that whatever you're using + doesn't maintain any state. This can be true for DisPass, but isn't + necessarily so. It can be a challenge to remember the size, + algorithm and sequence number for a large number of labels, so there + is the labelfile. + + The labelfile is normally located in either + ~$XDG_CONFIG_HOME/dispass/labels~ or ~$HOME/.dispass/labels~, but + can also be specified on the command-line. It contains the metadata + for the labels, and the labels themselves. This lets you run + something like: + + : dispass generate foobar + + And it'll know the size, algorithm and sequence number for the label + “foobar”, assuming you’ve saved it to the labelfile. The labelfile + is unencrypted, but this information is useless as long as nobody + knows the password(s) you use to generate the passphrases. + +* Setting up + + DisPass is easy to install if you have either Archlinux or pip + installed. Windows is a bit more problematic and I don’t even know + how to get started on a Mac personally, but there is no reason it + can’t work. It doesn’t have many dependencies, so you don’t need to + install anything else first. + + The latest release is quite old, but a new release should be coming + soon. There haven’t been too many developments since version + 0.3.0-dev because it basically does what it needs to do, and the + user base is currently very small, so bugs might not be encountered + too quickly. Don’t think that it’s an abandoned project, if you look + at it’s [[https://github.com/babab/DisPass][github]] page you’ll see that it’s seen a bit of development + again as of late. + + In the case of Archlinux I’ve provided packages in the AUR for both + [[https://aur.archlinux.org/packages/python2-dispass/][python2-dispass]] version 0.2.0 and [[https://aur.archlinux.org/packages/python2-dispass-git/][python2-dispass-git]]. Installing + either of these like any regular old aur package will get you set + up. Incidentally, if you’re using Archlinux on x86_64 and have the + testing package repository enabled, you could also use [[https://ryuslash.org/packages/][my package + repository]], though no guarantees that it’ll ever work are given + there. + + For a general pip installation it should be as easy as running: + + : sudo pip install dispass + +* UIs + + Seeing as how my friend would like it to be generally useful, and + he’s a VIM user, there is both a GUI and CLI interface. Since I’m an + Emacs user I’ve created an Emacs and a Conkeror interface for it as + well. + +** CLI + + The CLI is what gets the most attention and gets developed the + most. I will be working with this in the [[Managing passwords]] + section. + +** GUI + + There is a basic GUI included with dispass, it can be started with + either the ~gdispass~ or the ~dispass gui~ commands. It requires + tkinter to be installed. It doesn't do everything the CLI does, but + there are plans to improve it and use a different gui library (such + as Qt). In some situations it can copy the generated passphrases + directly to the clipboard, but this is only true on GNU/Linux, not + on Windows. + +** Emacs + + I wrote an Emacs interface when I started using DisPass. It tries + to copy the generated passwords directly to the clipboard, instead + of needing the user to copy it manually as the CLI does. It can + also insert generated passphrases into a buffer, such as the + minibuffer. + + It's available on [[https://github.com/ryuslash/dispass.el][github]]. + +** Conkeror + + I also wrote a Conkeror interface some time later, because I didn't + want to keep copying and pasting the passphrases through one of the + other interfaces (usually Emacs). It inserts the generated + passphrases into the focused input. + + It's also available on [[https://github.com/ryuslash/cdispass][github]]. + +** Wishlist + + As I mentioned, the idea is to expand the GUI and use a different + gui library for it, to make it look a little better. The + functionality should also be extended to do everything the CLI + does. + + A Firefox extension is also still on the list of desirable + interfaces. I'm not sure how plausible it is with the new + WebExtension plugin api, I haven't looked into it yet. I don't + think chrom(e|ium) allows developers to call external programs, + which is an obstacle, but I haven't looked at this either. + +* Managing passwords + + Now for the real fun. Generating passphrases is simple. Use the + ~generate~ command: + + : dispass generate foobar + + If no entry exists in the labelfile for ~foobar~, it uses the + defaults, which at the time of writing are a length of 30, and the + algorithm ~dispass1~. This algorithm doesn't use a sequence + number. It can generate more than one passphrase at a time. + + The generated passphrases are presented in an ncurses screen so they + aren't kept in your terminal emulator's scrollback history, at least + in some cases. You can use the ~-o~ switch to do away with the + ncurses screen and just output a line for each generated + passphrase. Together with something like awk this can be used to + directly send some command the passphrase it needs. For example, if + the program ~foo~ needs a password from stdin, you could use: + + : dispass generate -o foobar | awk '{ print $2 }' | foo + + You can specify a different length, algorithm and sequence number by + using command line switches. For example, I normally prefer the + ~dispass2~ algorithm since it adds a sequence number. For some crazy + reason the place I use the passphrase limits it to a length of 16 + characters and I've had to change my password twice, so I use a + sequence number of 3. I could use: + + : dispass generate -l 16 -a dispass2 -s 3 foobar + + It would be difficult to remember all this, so I personally would + add it to the labelfile. To do this I can use the ~add~ + command. Basically this is: + + : dispass add foobar + + This creates an entry in the label file with the same default values + as the generate command: a length of 30 and using the ~dispass1~ + algorithm. To use the values we used before we can instead do: + + : dispass add foobar:16:dispass2:3 + + This way we can add multiple entries with different values at once: + + : dispass add foo:16 bar::dispass2:2 + + This would add the ~foo~ label with a length of 16, using the + default algorithm and the label ~bar~ with the default length, using + the ~dispass2~ algorithm and the sequence number 2. As you can see + you can omit any trailing parameters and leave any parameters in + between empty to use their default values. + + If you added it before I showed you the extended add syntax you can + use ~update~ to change an existing entry in the labelfile: + + : dispass update foobar 13:dispass2:3 + + Unlike the ~add~ command, the ~update~ command only updates one + label at a time. + + Now, the place I use my password was cracked by crackers[fn:1], my + password was stolen. That's no biggie. I use the ~list~ command to + check what my sequence number is: + + : dispass list + + Then I can update my labelfile and use a new sequence number: + + : dispass update foobar ::4 + + I could also use the convenient ~increment~ command: + + : dispass increment foobar + + Everytime the sequence number is changed the input changes and so + does the passphrase. So a simple call to the ~increment~ command + will completely change your passphrase. This is nice, because + otherwise I'd have to change either the label or the password used + to generate the passphrase. + + Actually, I just quit the job where I used my ~foobar~ label. I + still use many other labels and don't want my list to get too big. I + also don't want to delete the label in case I ever need to get back + in there, so I just disable it: + + : dispass disable foobar + + This keeps it in the labelfile, but commands such as ~list~ don't + show it anymore. But then they really need me back, and since I'm + now a freelance worker I can accommodate them, so I enable my label + again: + + : dispass enable foobar + + But now the place where I use the ~foobar~ label has gone out of + business (I mean, come on, using a maximum password length of 16 and + getting cracked by crackers all the time, are you really surprised?) + and their site has been taken offline. Now I really have no reason + to keep this label around, so I remove it: + + : dispass remove foobar + +* Cons + + Yes, this is an excellent project and I'm not just saying that + because a friend of mine wrote it. There are some things that it + just isn't suited for. + + When sharing a single account with someone else (don't do this!), + you can't expect the other party to use the same label and password + to generate the passphrase, if they're even tech-savvy enough to use + DisPass just like you. It also increases the amount of information + you need to remember to use DisPass. There are better programs to + store pre-generated passwords. + + Due to the way the current algorithms are implemented there is a + limit to the length of the passphrases and that limit isn't entirely + consistent. This is only a problem when you need passphrases of more + than 100 characters, and I haven't had that problem yet. + +* Footnotes + +[fn:1] I refuse to use the term hackers, because to me that means + something completely different, and I hope to you as well.