Re: One-line password generator

To: debian-user@lists.debian.org
Subject: Re: One-line password generator
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Fri, 01 Sep 2017 10:36:21 +0200
Message-id: <[🔎] 23752755775289805788@scdbackup.webframe.org>
In-reply-to: <7279755108909413301@scdbackup.webframe.org>
References: <7279755108909413301@scdbackup.webframe.org>

Hi,

i made a test program from the SHA512 function of libjte, which stems from
GNU C Library version 2.7 and is used for Jigdo ISOs. A loop of 10 million
calls with a text of 80 characters, compiled -O2, ends after 4.088 seconds.
That's about 2 exp 23 times faster than python-bcrypt with 2 exp 16 rounds.
So the ratio (bcrypt round / SHA512) is about 2 exp 7 = 128.

SHA512 is taken as placeholder for any postprocessing of the enumerated
celebrity names which the attacker might try. It looks reasonably complex to
serve for this purpose here.

If not other implementations of bcrypt are faster, then during enumeration
this is equivalent to 20+ bits of entropy compared to a SHA512 obfuscated
password with known salt. (Not full 23 bits because generation of input
passwords lasts time, too, maybe longer than their SHA512 processing.)

python-bcrypt consists of a thin outer python wrapper
  https://sources.debian.net/src/python-bcrypt/3.1.3-1/src/bcrypt/__init__.py/
and C code from OpenBSD
  https://sources.debian.net/src/python-bcrypt/3.1.3-1/src/_csrc/
So at least the speed of the implementation language cannot be easily
surpassed by the bcrypt of an attacker.

Here is the python program, Google and i wrote in the last hour:
----------------------------------------------------------------------------
bcryptedpw.py - Compute and show long and enumeration-unfriendly password
                from short user password.
Needs package "python-bcrypt" and maybe others which were already installed
on my Jessie by the wish to have a general software development system.
Provided under BSD license: Use, modify, distribute as you like.
----------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding: utf-8 -*-
import bcrypt
import getpass
import sys
import time

# Seconds how long the result shall stay visible
viewtime=15

# Invisibly ask user password
userpw = getpass.getpass('Your secret password, please: ')

# Compute long remote password and show it
print "Don't go away now ..."
p = bcrypt.hashpw(userpw, '$2a$16$TO/1Wc6L2wC8SgJpgQEV9e')[-31:]
print "Here it is for ", str(viewtime), " seconds:"
sys.stdout.write(p)
sys.stdout.flush()

# Wait and then overwrite by blanks
time.sleep(viewtime)
sys.stdout.write("\r                                        \n")
print "Do not forget to clear your paste buffer !"

----------------------------------------------------------------------------
I know nearly nothing of python. Probably one can do this more elegantly and
more safely in respect to hiding the user password and the result from spies.
(But one can really ask Google like one would ask a workmate at the
 next programming desk. I wonder if it could teach C in a similar way.)


Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Re: One-line password generator
  - From: "Thomas Schmitt" <scdbackup@gmx.net>

Prev by Date: Re: How to Keep Track of Changes to the System
Next by Date: Re: One-line password generator
Previous by thread: Re: How to Keep Track of Changes to the System
Next by thread: Re: One-line password generator
Index(es):
- Date
- Thread