Saturday, September 30, 2023

Jacksum: How to skip files during hash calculation or the verification process

You can skip files during the hash calculation so that no hash values are created for particular files at all, and/or you can skip files during the verification process.

Skip files during hash calculation

To keep the example short, let's say we don't want to hash program libraries. Those files usually end with .dll on Windows, and with .so on GNU/Linux.

1. Create a list of files

Let's say we want to list all files in the current working directory (.) and below.

On GNU/Linux and macOS:

> find . -type f > files.list

On Windows:

> dir /A-D /B /S . > files.list

Using Jacksum:

> jacksum --style files-only . > files.list

2. Modify the file list as required

The -v option of grep (/V for findstr) lists only the lines that do not match the given pattern. You can use regular expressions; the $ at the end anchors the match to the end of the line. Note that an unescaped dot matches any character, so \.so$ is stricter than .so$ (the latter would also exclude a file such as data.iso).

On GNU/Linux or macOS:

> grep -v ".so$" files.list > files-filtered.list

On Windows:

> findstr /V ".dll$" files.list > files-filtered.list

3. Hash the file list

We can hash that list using the Jacksum option -L (or --file-list):

> jacksum -a sha256 -L files-filtered.list > hashes.sha256


Skip files during the verification process

If you want to ignore particular paths in a hash file, you can do it in a similar way.

1. Modify the hash file as required

On GNU/Linux or macOS:

> grep -v ".so$" hashes.sha256 > hashes-filtered.sha256

On Windows:

> findstr /V ".dll$" hashes.sha256 > hashes-filtered.sha256

2. Start the integrity verification process

> jacksum -a sha256 -c hashes-filtered.sha256 .

Note: the dot at the end of the command means: verify not only the integrity of the paths stored in hashes-filtered.sha256, but also read the current working directory (.) and all files below it (-r max is set implicitly). That way you will also find new files that were added after hashes.sha256 was produced. Without the dot, only the files that have an entry in hashes-filtered.sha256 are verified.
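As an added example that is not part of the Jacksum project, here is the skip-and-verify logic of both procedures above in Python: entries whose path matches a pattern are skipped, the rest are checked, and, like the trailing dot, the directory tree is scanned for files that have no entry. It assumes the hash file holds lines of the form `<hex digest>  <path>` (two spaces); the file tree and the hash list are constructed inline.

```python
import hashlib
import os
import re
import tempfile

def parse_hash_file(text):
    """Parse lines of the assumed form '<hex digest>  <path>' into {path: digest}."""
    return {path: digest for digest, _, path in
            (line.partition("  ") for line in text.splitlines() if line.strip())}

def verify(hash_text, root, skip_pattern, scan_tree=True):
    """Check every entry not matching skip_pattern; scan_tree also reports files with no entry (the trailing '.')."""
    entries = parse_hash_file(hash_text)
    skip = re.compile(skip_pattern)
    result = {"ok": [], "mismatch": [], "missing": [], "new": [], "skipped": []}
    for path, expected in entries.items():
        full = os.path.join(root, path)
        if skip.search(path):
            result["skipped"].append(path)
        elif not os.path.isfile(full):
            result["missing"].append(path)
        else:
            with open(full, "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
            result["ok" if actual == expected else "mismatch"].append(path)
    if scan_tree:
        # Walk the tree so files added after the hash list was produced are reported.
        for dirpath, _, names in os.walk(root):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in entries and not skip.search(rel):
                    result["new"].append(rel)
    return result

def demo():
    """Constructed tree: a tampered .so (skipped), a tampered .iso (not skipped, the dot is escaped), a new file."""
    root = tempfile.mkdtemp()
    files = {"app.py": b"print(1)\n", "lib/x.so": b"\x7fELF", "data.iso": b"iso"}
    for rel, content in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    hash_text = "".join(f"{hashlib.sha256(c).hexdigest()}  {rel}\n" for rel, c in files.items())
    for rel in ("lib/x.so", "data.iso", "new.txt"):   # tamper two files, add one
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"changed after hashing")
    return verify(hash_text, root, r"\.so$")
```

Note that the tampered lib/x.so goes unnoticed precisely because it was skipped, which is the trade-off of excluding paths from verification.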



Saturday, September 23, 2023

How to create unique and secure passwords for websites with a master password and Jacksum


Jacksum 3.7.0 introduced a new feature: read text from the console without echoing, hash that string with your preferred hash function and encode the hash value with your preferred encoding. In other words, you can treat Jacksum as a password generator that generates the actual password for a website.

Example:

> jacksum -q password -a ascon-hash -8 -E z85
Password: facebook.com do-not-use-this-password
Cvn7Zojybu819s=b</ClQ/-5S@[%X@*F0?I?mlcb

The -q password option reads a password or passphrase from the console, not including any line-termination characters. You can use that mode to generate passwords for websites that are both unique and strong. The returned hash values will be stronger than anything a normal human brain could remember, and nothing needs to be stored on disk. If a generated password is compromised, the master password will still remain secret. Oh, please do not use the password from the example above, because now it is known to all people who read this article.

Some notes and recommendations:

  • Combine a master password with website-specific information, such as the domain name, to get unique passwords. In the example above I have used facebook.com.
  • For the master password you should use a strong password that is at least 8 characters long; the longer, the better, and you should be able to remember it easily. Again, please do not use the password from the example above.
  • You should use an unbroken, strong cryptographic hash algorithm for the task. In the example I have used "ascon-hash", which is supported since version 3.7.0 of Jacksum. For more information about Ascon-Hash, please type `jacksum -h ascon-hash`. Of course, if you want something stronger, you could also use sha3-512, for example.
  • Set the character set explicitly if you use multiple different operating systems or environments that do not use UTF-8 for the console by default, and make sure to remember the character set as well. In the example above I have used option -8 which sets UTF-8 for both stdout and stderr. See also `jacksum -h -8`.
  • You can use all of the available characters for the password.
  • You can copy and paste the password to the prompt, but it is better if you remember it and type it, as this trains your brain to remember the password, and your brain will be the only place where the master password resides.
  • Depending on the characters the website login allows, you can select one of the encodings that Jacksum supports. See also `jacksum -h -E`. In the example above I have used z85, which works perfectly for most websites.

Due to security reasons the following limits apply:

  • You won't see the password that you enter; in other words, echoing is disabled to prevent shoulder-surfing attacks.
  • Only the hash is printed by default; it is not possible to print the password in clear text, even if particular format options such as -F or --style are set. Use option "-q readline" if you prefer echoing.
  • Operating system piping is not possible, because we want to make sure that the password comes from a keyboard and that passwords are not transferred in clear text between processes via pipes.
  • Operating system redirection is not possible, because a console is required to enter the password. Use the options -o/-O to save the hash to a file if you do not wish to see the hash value in the console.
  • To minimize the lifetime of sensitive data in memory, the password is cleared from memory after processing. Java's String interning is not used for the password.
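As an added example (not Jacksum's own code), the same derivation in Python: the line is read without echo, hashed and Z85-encoded. It assumes sha3-512 (mentioned above as the stronger alternative) because Python's hashlib has no ascon-hash, and it uses the Z85 alphabet from ZeroMQ RFC 32; whether Jacksum's z85 encoder produces bit-identical output is not verified here.

```python
import getpass
import hashlib

# Z85 alphabet as specified in ZeroMQ RFC 32 (85 characters; no quotes, backslash or whitespace).
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")

def z85_encode(data: bytes) -> str:
    """Z85-encode data: each 4-byte big-endian group becomes 5 base-85 digits, most significant first."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        digits = []
        for _ in range(5):
            value, idx = divmod(value, 85)   # least significant digit first
            digits.append(Z85_ALPHABET[idx])
        out.extend(reversed(digits))
    return "".join(out)

def derive_site_password(line: str, algorithm: str = "sha3_512") -> str:
    """Hash the console line (site name plus master password, exactly as typed) and Z85-encode the digest.

    UTF-8 is used explicitly, like Jacksum's -8 option, so the same line gives the same bytes on
    every platform. sha3_512 stands in for ascon-hash, which hashlib lacks (assumption)."""
    digest = hashlib.new(algorithm, line.encode("utf-8")).digest()
    return z85_encode(digest)

def main():
    # getpass reads without echo, which is what 'jacksum -q password' does.
    line = getpass.getpass("Password: ")
    print(derive_site_password(line))

if __name__ == "__main__":
    main()
```

A 64-byte SHA3-512 digest yields 80 Z85 characters; with a 32-byte digest such as ascon-hash or sha256 you get the 40-character length seen in the example output.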

Stay safe!

Regards,
Johann