Saturday, September 23, 2023

How to create unique and secure passwords for websites with a master password and Jacksum


Jacksum 3.7.0 introduced a new feature: it can read text from the console without echoing it, hash that string with your preferred hash function and encode the hash value with your preferred encoding. In other words, you can treat Jacksum as a deterministic password generator that derives the actual password for a website from a master password and the site name.

Example:

> jacksum -q password -a ascon-hash -8 -E z85
Password: facebook.com do-not-use-this-password
Cvn7Zojybu819s=b</ClQ/-5S@[%X@*F0?I?mlcb

The option -q password reads a password or passphrase from the console, not including any line-termination characters. You can use that mode to generate passwords for websites that are both unique and strong. The returned hash values are stronger than anything a normal human brain could remember, and nothing needs to be stored on disk. If a derived website password is compromised, the master password is not exposed directly: an attacker who knows the scheme and the site name can only recover it by guessing candidate master passwords offline, and since the derivation is a single unsalted hash, each guess is cheap. The master password must therefore be strong enough to withstand that kind of guessing. Oh, and please do not use the password from the example above, because now it is known to everyone who reads this article.

Some notes and recommendations:

  • Combine a master password with website-specific information, such as the domain name, to get unique passwords. In the example above I have used facebook.com. Use the same spelling of the site name every time, since any difference in the input produces a completely different password.
  • For the master password you should use a strong password that is at least 8 characters long; the longer, the better, because the master password is the only secret in this scheme, and you should be able to remember it easily. Again, please do not use the password from the example above.
  • You should use an unbroken, strong cryptographic hash algorithm for the task. In the example I have used "ascon-hash", which is supported since version 3.7.0 of Jacksum. For more information about Ascon-Hash, please type `jacksum -h ascon-hash`. Of course, if you prefer a larger output, you could also use sha3-512, for example.
  • Set the character set explicitly if you use multiple operating systems or environments that do not use UTF-8 for the console by default, and make sure to remember the character set as well; the same master password encoded in a different character set yields a different hash. In the example above I have used option -8, which sets UTF-8 for both stdout and stderr. See also `jacksum -h -8`.
  • The master password may contain any character that your console can enter.
  • You can copy and paste the password to the prompt, but it is better if you remember it and type it, as this trains your brain to remember the password, and your brain will be the only place where the master password resides.
  • Depending on the characters that the website login allows, you can select one of the encodings that Jacksum supports. See also `jacksum -h -E`. In the example above I have used z85, which works for most websites.
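To make the derivation concrete, here is the same scheme written out in Python. This is an added example, not code from Jacksum or from this post: it reads the master password without echo, hashes "site + space + master" exactly as typed at the Jacksum prompt above, and encodes the digest with Z85. Two assumptions: Python's hashlib has no Ascon, so the example defaults to sha3-512 (one of the alternatives mentioned above), and the Z85 encoder is a small implementation of the ZeroMQ Z85 spec written here, since the standard library does not ship one. The site name and master password used in the test are constructed values.

```python
import getpass
import hashlib
import sys

# Z85 alphabet as defined by the ZeroMQ Z85 spec (rfc.zeromq.org/spec/32).
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")


def z85_encode(data: bytes) -> str:
    """Encode bytes with Z85: each 4-byte big-endian word becomes 5 characters.

    The input length must be a multiple of 4; every hashlib digest size
    (16, 20, 28, 32, 48, 64 bytes) satisfies that, so no padding is needed.
    """
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        chunk = []
        for _ in range(5):                 # least significant digit first
            value, rem = divmod(value, 85)
            chunk.append(Z85_ALPHABET[rem])
        out.extend(reversed(chunk))        # emit most significant digit first
    return "".join(out)


def derive_site_password(master: str, site: str, hash_name: str = "sha3_512") -> str:
    """Derive a website password from a master password and the site name.

    The input string mirrors what is typed at the Jacksum prompt in the post:
    the site name, a space, then the master password, encoded as UTF-8.
    hash_name is any algorithm hashlib knows (sha3_512 stands in for
    ascon-hash, which hashlib does not provide; this is an assumption).
    """
    material = f"{site} {master}".encode("utf-8")
    digest = hashlib.new(hash_name, material).digest()
    return z85_encode(digest)


def main() -> None:
    # Site name comes from the command line; the master password is read
    # without echo, as Jacksum does with -q password.
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    master = getpass.getpass("Master password: ")
    print(derive_site_password(master, site))


if __name__ == "__main__":
    main()
```

Run it as `python derive.py facebook.com` and type the master password at the prompt. Two properties are worth checking against the post: the output is deterministic (same site, same master, same character set gives the same password), and changing a single character of the site name gives an unrelated password, which is why the spelling of the site name must be consistent. Unlike Jacksum, this Python version cannot wipe the master password from memory after use, because Python strings are immutable and may linger until garbage collection.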

For security reasons the following limits apply:

  • You won't see the password that you enter; in other words, echoing is disabled to prevent shoulder-surfing attacks.
  • Only the hash is printed by default; it is not possible to print the password in clear text, even if particular format options such as -F or --style are set. Use option "-q readline" instead if you prefer echoing.
  • Piping input from another process is not possible, because the password must come from the keyboard, and passwords should not travel between processes in clear text.
  • Redirecting input from a file is not possible, because a console is required to enter the password. Use the options -o/-O to save the hash to a file if you do not wish to see the hash value in the console.
  • To minimize the lifetime of sensitive data in memory, the password is cleared from memory after processing. Java's String interning is not used for the password.

Stay safe!

Regards,
Johann
