blog/dispass_passwords.org

10 KiB
Raw Blame History

Using DisPass to manage your passwords

tl;dr: If you dont care about any of the back story and just want to know how to use DisPass to manage passwords, skip to [[Managing passwords]] for instant gratification.

Introduction

DisPass is a project that was started, and is still maintained, by a friend and former colleague of mine. I've been using it for quite some time. It helps me feel safe online, knowing that all my accounts have different and strong passwords.

DisPass uses algorithms to make reproducible passphrases. Making it a kind-of functional password manager, just like Haskell is a functional programming language and Guix is a functional package manager. Given the same input DisPass will always produce the same output. This means that the generated passphrases are never stored anywhere and cannot be discovered by crackers1 and the like.

The input for DisPass consists of a label, algorithm, length, possibly a sequence number (depending on the algorithm used) and finally a password. All but the label and password have some default value, but can also be specified through command-line switches.

The Labelfile

Being a functional anything usually means that whatever you're using doesn't maintain any state. This can be true for DisPass, but isn't necessarily so. It can be a challenge to remember the size, algorithm and sequence number for a large number of labels, so there is the labelfile.

The labelfile is normally located in either $XDG_CONFIG_HOME/dispass/labels or $HOME/.dispass/labels, but can also be specified on the command-line. It contains the metadata for the labels, and the labels themselves. This lets you run something like:

dispass generate foobar

And it'll know the size, algorithm and sequence number for the label “foobar”, assuming youve saved it to the labelfile. The labelfile is unencrypted, but this information is useless as long as nobody knows the password(s) you use to generate the passphrases.

Setting up

DisPass is easy to install if you have either Archlinux or pip installed. Windows is a bit more problematic and I dont even know how to get started on a Mac personally, but there is no reason it cant work. It doesnt have many dependencies, so you dont need to install anything else first.

The latest release is quite old, but a new release should be coming soon. There havent been too many developments since version 0.3.0-dev because it basically does what it needs to do, and the user base is currently very small, so bugs might not be encountered too quickly. Dont think that its an abandoned project, if you look at its github page youll see that its seen a bit of development again as of late.

In the case of Archlinux Ive provided packages in the AUR for both python2-dispass version 0.2.0 and python2-dispass-git. Installing either of these like any regular old aur package will get you set up. Incidentally, if youre using Archlinux on x86_64 and have the testing package repository enabled, you could also use my package repository, though no guarantees that itll ever work are given there.

For a general pip installation it should be as easy as running:

sudo pip install dispass

UIs

Seeing as how my friend would like it to be generally useful, and hes a VIM user, there is both a GUI and CLI interface. Since Im an Emacs user Ive created an Emacs and a Conkeror interface for it as well.

CLI

The CLI is what gets the most attention and gets developed the most. I will be working with this in the /ryuslash/blog/src/commit/72e6b81dde8f08a249838be8d260b9d87f3466eb/Managing%20passwords section.

GUI

There is a basic GUI included with dispass, it can be started with either the gdispass or the dispass gui commands. It requires tkinter to be installed. It doesn't do everything the CLI does, but there are plans to improve it and use a different gui library (such as Qt). In some situations it can copy the generated passphrases directly to the clipboard, but this is only true on GNU/Linux, not on Windows.

Emacs

I wrote an Emacs interface when I started using DisPass. It tries to copy the generated passwords directly to the clipboard, instead of needing the user to copy it manually as the CLI does. It can also insert generated passphrases into a buffer, such as the minibuffer.

It's available on github.

Conkeror

I also wrote a Conkeror interface some time later, because I didn't want to keep copying and pasting the passphrases through one of the other interfaces (usually Emacs). It inserts the generated passphrases into the focused input.

It's also available on github.

Wishlist

As I mentioned, the idea is to expand the GUI and use a different gui library for it, to make it look a little better. The functionality should also be extended to do everything the CLI does.

A Firefox extension is also still on the list of desirable interfaces. I'm not sure how plausible it is with the new WebExtension plugin api, I haven't looked into it yet. I don't think chrom(e|ium) allows developers to call external programs, which is an obstacle, but I haven't looked at this either.

Managing passwords

Now for the real fun. Generating passphrases is simple. Use the generate command:

dispass generate foobar

If no entry exists in the labelfile for foobar, it uses the defaults, which at the time of writing are a length of 30, and the algorithm dispass1. This algorithm doesn't use a sequence number. It can generate more than one passphrase at a time.

The generated passphrases are presented in an ncurses screen so they aren't kept in your terminal emulator's scrollback history, at least in some cases. You can use the -o switch to do away with the ncurses screen and just output a line for each generated passphrase. Together with something like awk this can be used to directly send some command the passphrase it needs. For example, if the program foo needs a password from stdin, you could use:

dispass generate -o foobar | awk '{ print $2 }' | foo

You can specify a different length, algorithm and sequence number by using command line switches. For example, I normally prefer the dispass2 algorithm since it adds a sequence number. For some crazy reason the place I use the passphrase limits it to a length of 16 characters and I've had to change my password twice, so I use a sequence number of 3. I could use:

dispass generate -l 16 -a dispass2 -s 3 foobar

It would be difficult to remember all this, so I personally would add it to the labelfile. To do this I can use the add command. Basically this is:

dispass add foobar

This creates an entry in the label file with the same default values as the generate command: a length of 30 and using the dispass1 algorithm. To use the values we used before we can instead do:

dispass add foobar:16:dispass2:3

This way we can add multiple entries with different values at once:

dispass add foo:16 bar::dispass2:2

This would add the foo label with a length of 16, using the default algorithm and the label bar with the default length, using the dispass2 algorithm and the sequence number 2. As you can see you can omit any trailing parameters and leave any parameters in between empty to use their default values.

If you added it before I showed you the extended add syntax you can use update to change an existing entry in the labelfile:

dispass update foobar 13:dispass2:3

Unlike the add command, the update command only updates one label at a time.

Now, the place I use my password was cracked by crackers1, my password was stolen. That's no biggie. I use the list command to check what my sequence number is:

dispass list

Then I can update my labelfile and use a new sequence number:

dispass update foobar ::4

I could also use the convenient increment command:

dispass increment foobar

Everytime the sequence number is changed the input changes and so does the passphrase. So a simple call to the increment command will completely change your passphrase. This is nice, because otherwise I'd have to change either the label or the password used to generate the passphrase.

Actually, I just quit the job where I used my foobar label. I still use many other labels and don't want my list to get too big. I also don't want to delete the label in case I ever need to get back in there, so I just disable it:

dispass disable foobar

This keeps it in the labelfile, but commands such as list don't show it anymore. But then they really need me back, and since I'm now a freelance worker I can accommodate them, so I enable my label again:

dispass enable foobar

But now the place where I use the foobar label has gone out of business (I mean, come on, using a maximum password length of 16 and getting cracked by crackers all the time, are you really surprised?) and their site has been taken offline. Now I really have no reason to keep this label around, so I remove it:

dispass remove foobar

Cons

Yes, this is an excellent project and I'm not just saying that because a friend of mine wrote it. There are some things that it just isn't suited for.

When sharing a single account with someone else (don't do this!), you can't expect the other party to use the same label and password to generate the passphrase, if they're even tech-savvy enough to use DisPass just like you. It also increases the amount of information you need to remember to use DisPass. There are better programs to store pre-generated passwords.

Due to the way the current algorithms are implemented there is a limit to the length of the passphrases and that limit isn't entirely consistent. This is only a problem when you need passphrases of more than 100 characters, and I haven't had that problem yet.

Footnotes


1

I refuse to use the term hackers, because to me that means something completely different, and I hope to you as well.