256 lines
10 KiB
Org Mode
256 lines
10 KiB
Org Mode
#+TITLE: Using DisPass to manage your passwords
|
||
#+DATE: 2016-02-14
|
||
#+COLESLAW_TAGS: dispass
|
||
|
||
*tl;dr*: If you don’t care about any of the back story and just want
|
||
to know how to use DisPass to manage passwords, skip to [[Managing
|
||
passwords]] for instant gratification.
|
||
|
||
* Introduction
|
||
|
||
DisPass is a project that was started, and is still maintained, by a
|
||
[[https://babab.nl][friend]] and former colleague of mine. I've been using it for quite
|
||
some time. It helps me feel safe online, knowing that all my
|
||
accounts have different and strong passwords.
|
||
|
||
DisPass uses algorithms to make reproducible passphrases. Making it
|
||
a kind-of functional password manager, just like Haskell is a
|
||
functional programming language and Guix is a functional package
|
||
manager. Given the same input DisPass will always produce the same
|
||
output. This means that the generated passphrases are never stored
|
||
anywhere and cannot be discovered by crackers[fn:1] and the like.
|
||
|
||
The input for DisPass consists of a label, algorithm, length,
|
||
possibly a sequence number (depending on the algorithm used) and
|
||
finally a password. All but the label and password have some default
|
||
value, but can also be specified through command-line switches.
|
||
|
||
* The Labelfile
|
||
|
||
Being a functional anything usually means that whatever you're using
|
||
doesn't maintain any state. This can be true for DisPass, but isn't
|
||
necessarily so. It can be a challenge to remember the size,
|
||
algorithm and sequence number for a large number of labels, so there
|
||
is the labelfile.
|
||
|
||
The labelfile is normally located in either
|
||
~$XDG_CONFIG_HOME/dispass/labels~ or ~$HOME/.dispass/labels~, but
|
||
can also be specified on the command-line. It contains the metadata
|
||
for the labels, and the labels themselves. This lets you run
|
||
something like:
|
||
|
||
: dispass generate foobar
|
||
|
||
And it'll know the size, algorithm and sequence number for the label
|
||
“foobar”, assuming you’ve saved it to the labelfile. The labelfile
|
||
is unencrypted, but this information is useless as long as nobody
|
||
knows the password(s) you use to generate the passphrases.
|
||
|
||
* Setting up
|
||
|
||
DisPass is easy to install if you have either Archlinux or pip
|
||
installed. Windows is a bit more problematic and I don’t even know
|
||
how to get started on a Mac personally, but there is no reason it
|
||
can’t work. It doesn’t have many dependencies, so you don’t need to
|
||
install anything else first.
|
||
|
||
The latest release is quite old, but a new release should be coming
|
||
soon. There haven’t been too many developments since version
|
||
0.3.0-dev because it basically does what it needs to do, and the
|
||
user base is currently very small, so bugs might not be encountered
|
||
too quickly. Don’t think that it’s an abandoned project, if you look
|
||
at it’s [[https://github.com/babab/DisPass][github]] page you’ll see that it’s seen a bit of development
|
||
again as of late.
|
||
|
||
In the case of Archlinux I’ve provided packages in the AUR for both
|
||
[[https://aur.archlinux.org/packages/python2-dispass/][python2-dispass]] version 0.2.0 and [[https://aur.archlinux.org/packages/python2-dispass-git/][python2-dispass-git]]. Installing
|
||
either of these like any regular old aur package will get you set
|
||
up. Incidentally, if you’re using Archlinux on x86_64 and have the
|
||
testing package repository enabled, you could also use [[https://ryuslash.org/packages/][my package
|
||
repository]], though no guarantees that it’ll ever work are given
|
||
there.
|
||
|
||
For a general pip installation it should be as easy as running:
|
||
|
||
: sudo pip install dispass
|
||
|
||
* UIs
|
||
|
||
Seeing as how my friend would like it to be generally useful, and
|
||
he’s a VIM user, there is both a GUI and CLI interface. Since I’m an
|
||
Emacs user I’ve created an Emacs and a Conkeror interface for it as
|
||
well.
|
||
|
||
** CLI
|
||
|
||
The CLI is what gets the most attention and gets developed the
|
||
most. I will be working with this in the [[Managing passwords]]
|
||
section.
|
||
|
||
** GUI
|
||
|
||
There is a basic GUI included with dispass, it can be started with
|
||
either the ~gdispass~ or the ~dispass gui~ commands. It requires
|
||
tkinter to be installed. It doesn't do everything the CLI does, but
|
||
there are plans to improve it and use a different gui library (such
|
||
as Qt). In some situations it can copy the generated passphrases
|
||
directly to the clipboard, but this is only true on GNU/Linux, not
|
||
on Windows.
|
||
|
||
** Emacs
|
||
|
||
I wrote an Emacs interface when I started using DisPass. It tries
|
||
to copy the generated passwords directly to the clipboard, instead
|
||
of needing the user to copy it manually as the CLI does. It can
|
||
also insert generated passphrases into a buffer, such as the
|
||
minibuffer.
|
||
|
||
It's available on [[https://github.com/ryuslash/dispass.el][github]].
|
||
|
||
** Conkeror
|
||
|
||
I also wrote a Conkeror interface some time later, because I didn't
|
||
want to keep copying and pasting the passphrases through one of the
|
||
other interfaces (usually Emacs). It inserts the generated
|
||
passphrases into the focused input.
|
||
|
||
It's also available on [[https://github.com/ryuslash/cdispass][github]].
|
||
|
||
** Wishlist
|
||
|
||
As I mentioned, the idea is to expand the GUI and use a different
|
||
gui library for it, to make it look a little better. The
|
||
functionality should also be extended to do everything the CLI
|
||
does.
|
||
|
||
A Firefox extension is also still on the list of desirable
|
||
interfaces. I'm not sure how plausible it is with the new
|
||
WebExtension plugin api, I haven't looked into it yet. I don't
|
||
think chrom(e|ium) allows developers to call external programs,
|
||
which is an obstacle, but I haven't looked at this either.
|
||
|
||
* Managing passwords
|
||
|
||
Now for the real fun. Generating passphrases is simple. Use the
|
||
~generate~ command:
|
||
|
||
: dispass generate foobar
|
||
|
||
If no entry exists in the labelfile for ~foobar~, it uses the
|
||
defaults, which at the time of writing are a length of 30, and the
|
||
algorithm ~dispass1~. This algorithm doesn't use a sequence
|
||
number. It can generate more than one passphrase at a time.
|
||
|
||
The generated passphrases are presented in an ncurses screen so they
|
||
aren't kept in your terminal emulator's scrollback history, at least
|
||
in some cases. You can use the ~-o~ switch to do away with the
|
||
ncurses screen and just output a line for each generated
|
||
passphrase. Together with something like awk this can be used to
|
||
directly send some command the passphrase it needs. For example, if
|
||
the program ~foo~ needs a password from stdin, you could use:
|
||
|
||
: dispass generate -o foobar | awk '{ print $2 }' | foo
|
||
|
||
You can specify a different length, algorithm and sequence number by
|
||
using command line switches. For example, I normally prefer the
|
||
~dispass2~ algorithm since it adds a sequence number. For some crazy
|
||
reason the place I use the passphrase limits it to a length of 16
|
||
characters and I've had to change my password twice, so I use a
|
||
sequence number of 3. I could use:
|
||
|
||
: dispass generate -l 16 -a dispass2 -s 3 foobar
|
||
|
||
It would be difficult to remember all this, so I personally would
|
||
add it to the labelfile. To do this I can use the ~add~
|
||
command. Basically this is:
|
||
|
||
: dispass add foobar
|
||
|
||
This creates an entry in the label file with the same default values
|
||
as the generate command: a length of 30 and using the ~dispass1~
|
||
algorithm. To use the values we used before we can instead do:
|
||
|
||
: dispass add foobar:16:dispass2:3
|
||
|
||
This way we can add multiple entries with different values at once:
|
||
|
||
: dispass add foo:16 bar::dispass2:2
|
||
|
||
This would add the ~foo~ label with a length of 16, using the
|
||
default algorithm and the label ~bar~ with the default length, using
|
||
the ~dispass2~ algorithm and the sequence number 2. As you can see
|
||
you can omit any trailing parameters and leave any parameters in
|
||
between empty to use their default values.
|
||
|
||
If you added it before I showed you the extended add syntax you can
|
||
use ~update~ to change an existing entry in the labelfile:
|
||
|
||
: dispass update foobar 13:dispass2:3
|
||
|
||
Unlike the ~add~ command, the ~update~ command only updates one
|
||
label at a time.
|
||
|
||
Now, the place I use my password was cracked by crackers[fn:1], my
|
||
password was stolen. That's no biggie. I use the ~list~ command to
|
||
check what my sequence number is:
|
||
|
||
: dispass list
|
||
|
||
Then I can update my labelfile and use a new sequence number:
|
||
|
||
: dispass update foobar ::4
|
||
|
||
I could also use the convenient ~increment~ command:
|
||
|
||
: dispass increment foobar
|
||
|
||
Everytime the sequence number is changed the input changes and so
|
||
does the passphrase. So a simple call to the ~increment~ command
|
||
will completely change your passphrase. This is nice, because
|
||
otherwise I'd have to change either the label or the password used
|
||
to generate the passphrase.
|
||
|
||
Actually, I just quit the job where I used my ~foobar~ label. I
|
||
still use many other labels and don't want my list to get too big. I
|
||
also don't want to delete the label in case I ever need to get back
|
||
in there, so I just disable it:
|
||
|
||
: dispass disable foobar
|
||
|
||
This keeps it in the labelfile, but commands such as ~list~ don't
|
||
show it anymore. But then they really need me back, and since I'm
|
||
now a freelance worker I can accommodate them, so I enable my label
|
||
again:
|
||
|
||
: dispass enable foobar
|
||
|
||
But now the place where I use the ~foobar~ label has gone out of
|
||
business (I mean, come on, using a maximum password length of 16 and
|
||
getting cracked by crackers all the time, are you really surprised?)
|
||
and their site has been taken offline. Now I really have no reason
|
||
to keep this label around, so I remove it:
|
||
|
||
: dispass remove foobar
|
||
|
||
* Cons
|
||
|
||
Yes, this is an excellent project and I'm not just saying that
|
||
because a friend of mine wrote it. There are some things that it
|
||
just isn't suited for.
|
||
|
||
When sharing a single account with someone else (don't do this!),
|
||
you can't expect the other party to use the same label and password
|
||
to generate the passphrase, if they're even tech-savvy enough to use
|
||
DisPass just like you. It also increases the amount of information
|
||
you need to remember to use DisPass. There are better programs to
|
||
store pre-generated passwords.
|
||
|
||
Due to the way the current algorithms are implemented there is a
|
||
limit to the length of the passphrases and that limit isn't entirely
|
||
consistent. This is only a problem when you need passphrases of more
|
||
than 100 characters, and I haven't had that problem yet.
|
||
|
||
* Footnotes
|
||
|
||
[fn:1] I refuse to use the term hackers, because to me that means
|
||
something completely [[http://www.catb.org/jargon/html/C/cracker.html][different]], and I hope to you as well.
|