Passwords is a quick and dirty perl script for generating and keeping track of passwords. It is aimed at the numerous passwords needed for various web sites, since I got sick of trying to rememember which password I used for which site. Plus reusing passwords across multiple sites isn't exactly brilliant security.
Modern web browsers keep track of passwords for you, which is fine when you only use one web browser and don't use public machines. If you use multiple machines and especially public machines storing the passwords in the web browser is harder and dumber.
So I wrote passwords. It generates passwords from MD5 sums, hence creating a password for each site (of course it is possible that the same password is generated for more than one site, but it is unlikely). The MD5 sum is generated from the site identifier, the username, a global password, and optionally some random text.
Usage
To create a password the script is executed as passwords.pl add,
it prompts for the identifer and the username and adds them to the password file.
To actually retrieve the password (so you can enter it into the
registration or login form, the script is executed as passwords.pl retrieve,
it prompts for the identifier and global password and outputs the username and
the password.
To list all the sites it has passwords for the script is executed as passwords.pl list. It simply outputs all the identfiers and usernames.
If a passwords needs to be changed then execute the script as passwords.pl update, it prompts for the identifier and adds a random character to the text
used to generate the password.
If an old version of a password is needed the script is executed as passwords.pl history. This works just like password.pl retrieve except all
the past passwords are output along with the current password.
Internals
The script manages a password database which is a simple text file that stores one entry per line. Each entry consists of the identifier, the username, and optionally some random characters seperated by tabs.
To generate a password the MD5 sum of the text consisting of the concatanation of the identifier, the username, the global password, and the random chacters is constructed. The first hex representation of the MD5 sum is taken and the first two characters converted to an 8 bit number. The next 8 characters of the MD5 sum make up the password. Any letter chacters (ie. a through f) are converted to uppercase if the corresponding bit in the 8 bit number generated from the firs two characters is 1, or lowercase if it is 0.
The global password is not stored anywhere. If the global password is forgotten then all the passwords are lost. There is also no mechanism for confirming that the global password was entered correctly, if it is entered incorrectly and different password will be generated for that execution of the script.
Future Plans
- Adding some configuration to passwords would be useful. For example allowing
the length to be something other than 8 characters - set when adding the
identifier and username, or restructions such as
must contain at least one number, one uppercase letter, and one lowercase letter
would be good too. As would the ability to use characters other than a-z, A-Z, and 0-9. - Add global password checking, as simple as adding a command to set the global password and storing a special entry in the passwords file that contains the MD5 sum of it so it can be checked before use.
Known Bugs
- No file locking is performed. If the
passwords.pl updateorpasswords.pl addcommands are run concurrently the database file will probably be corrupted. This could cause the loss of all the passwords, so don't do that. - Changing the global password is impossible. This is not solvable and inherant to the way passwords are generated.
Download
- passwords.pl - the script.
- passworlds.pl.asc - PGP signed script.