雨山


Passgen

April 27, 2020

Intro

Hey! I noticed today as I was updating my projects page that I hadn’t written about Passgen before. Passgen is a stateless password generator. In other words, you enter some information and it spits out a password for you. It’ll always generate the same password for a given set of inputs. So, if you always enter the same domain, username or email address, and master password, it’ll always generate the same password.

A stateless password generator like Passgen is an alternative to using a stateful password manager (one that stores your data somewhere). I’m not sure yet whether or not I’m ready to use it for all of my passwords, though; I’m still testing it out.

Limitations

There are a few known limitations to stateless password managers. I’ll explain the first one by giving an example.

Imagine that you have these credentials:

domain: example.com
username: someone
master password: helloworld
maximum length: 32

Given these inputs, Passgen will always generate this password: ec6fe2d6e9478997f14d04896c2bcae2.

In a stateful password manager, you could generate a new password for this particular set of credentials without needing to change any of the information. However, in a stateless password generator like Passgen where the same inputs always generate the same password, you’d have to change at least one piece of information in order to generate a new password. You could make a change as simple as adding a number to the master password, changing it from helloworld to helloworld1, which would yield a completely new password that looks nothing like the last one: 2dee48fa3153902e1bf87a0d8decee7e. You could also generate a completely new password by changing the domain or username values instead of, or in addition to, the master password value. Well, that’s great and all, but now you’d have to remember a new master password for this set of credentials. If you didn’t change the master passwords for all of your other credentials to match this new master password, then after a while you’d probably end up in a situation in which you’d be remembering a different master password for each set of credentials, which is hardly better than not using a password manager at all. However, the one advantage of using a stateless generator even in such a scenario is that it’s still possible to remember extremely simple inputs (changing them by (for example) only one character at a time (though I’m not necessarily recommending such a strategy)) and keep track of simple state changes in your head, while at the same time being able to generate completely different passwords for each credential set.

Of course, you needn’t use the three fields in Passgen as they’re labelled; you could easily use them as part of a strategy to help you keep track of the state mentally (or physically or digitally). You could, for example, keep track of non-password values on (say) sticky notes or in a text file somewhere, and you could call those values “rotations” or something. So, on one sticky note, you could have: “example.com: 1”, meaning that you’re on password #1 for example.com. Then, you could go to Passgen and enter that rotation number in one of the fields. In this example, I’ve moved the username up to the domain field and entered only the rotation number in the username field:

domain: example.com / someone
username: 1
master password: helloworld
maximum length: 32

This yields the password: 58f62f196e87e92eb2f2bdbd64112d0b.

Then, when it’s time to generate a new password, you’d cross off “example.com: 1” on your sticky note and replace it with: “example.com: 2”. Then, you’d just enter 2 in the username field next time along with all of the other (same) information:

domain: example.com / someone
username: 2
master password: helloworld
maximum length: 32

That would yield the new password: a949c872f373d27369d7c76fc954473f.

Or you could do something else entirely. There are lots of different strategies that could be used here, and I highly doubt the one I just proposed is the best. In any case, the point is that the “stateless” adjective is a bit misleading; state will almost certainly be necessary over time, but the state lives in your head or on paper or in a text file and not in the keychain itself. Ideally, stateless password generators could act a bit like the one-time password tools that are used as second-factor authenticators nowadays: they could use the domain, username, and master password fields in combination with a rolling time value to generate unique passwords every time. But that’d require cooperation from web service back-ends, and I have no idea if anyone is looking to develop such a protocol right now.

The second limitation is specific to Passgen, and it’s this: in Passgen, there’s no way to specify a formula for the generated password. Some websites won’t let you use special characters as part of your password; others require special characters, or require capital letters or numbers, or have other particular rules. At the moment, there’s no way to specify such a formula in Passgen. This is partially by design, as remembering a formula in addition to the other information requires memorizing too much state, in my opinion. But that also means that you may not be able to use Passgen in such situations, or that you might always have to remember to modify the password generated by Passgen by appending an exclamation mark or whatever.

Benefits

So, why would you want to use a stateless password generator when you could instead use any of the many popular stateful password managers that already exist? The primary benefit to a tool like Passgen is that there’s no data to store anywhere, so it can’t get lost or stolen or corrupted or deleted — unless, of course, I incur some kind of brain damage.

Having a stateless password manager also means that I can access my credentials from anywhere in the world as long as I can get to the generator; I don’t need to download and install software and then sync my keychain to a particular machine. So, if someone stole all of my digital devices, I’d still be able to access my accounts from a new device without worry.

Two more benefits of Passgen specifically are that: (1) it’s open source, and (2) it works offline. It’s pretty much just a web page built with Vue, ClipboardJS, and the Node crypto module. You could host it yourself, or download it and use it offline. It doesn’t send data anywhere, and there’s no back-end of any kind. It literally just takes your inputs, generates a password, and copies the generated password to the clipboard so that you can paste it somewhere immediately. In fact, it’d be simple enough to implement in Node itself without any kind of front-end so that it could be used as a command line tool. (You know, I might just do that right now...)

Disclaimer

As I’ve said before, I’m not a security expert, so feel free to check for yourself whether it works as intended or not (and please let me know if it doesn’t). Anyway, enjoy! And let me know if you find it to be useful!