2025-05-15 16:06:00 +01:00

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>pwgen Ailyaut's blog</title>
<link rel="icon" type="image/png" href="../../media/icons/favicon-16x16.png" sizes="16x16">
<link rel="stylesheet" href="../../style.css" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta property="og:title" content="pwgen Ailyaut's blog" />
<meta property="og:type" content="blog" />
<meta property="og:url" content="https://ailyaut.com/" />
<meta property="og:image" content="https://ailyaut.com/media/preview.png" />
<meta property="og:description" content="Hi! I'm Ailyaut, a 24-year-old everything-designer with a particular interest in open source and card games." />
<meta property="og:locale" content="en_US" />
</head>
<body>
<header>
<div id="header_box">
<div>
<a href="../../index.html" id="header_title">Ailyaut's blog</a>
</div>
<nav id="header_nav">
<a href="../../blog.html" class="nav_button">Blog</a>
<a href="../../gallery.html" class="nav_button">Gallery</a>
<a href="../../projects.html" class="nav_button_active">Projects</a>
<a href="../../about.html" class="nav_button">About</a>
</nav>
</div>
</header>
<main>
<div class="box" style="justify-content: space-between; gap: 2em;">
<div class="column" style="--custom_width: 60%;">
<h1>pwgen</h1>
<p class="light">Disclaimer 1: this is not <a target="_blank" href="https://manpages.debian.org/bullseye/pwgen/pwgen.1.en.html">pwgen</a>; sorry for the confusing name, I will change it.<br>
Disclaimer 2: I wrote this in 2023. What I consider "secure" has changed a lot since then.</p>
<p class="italic">'An easy to use secure password generator.'<br> me in 2023</p>
<h2>Why?</h2>
<p>In 2022, a site on which I had an account was hacked. A lot of user information was stolen, including email addresses, IP addresses and passwords. Unfortunately, I was the kind of person who always used the same password on every site, and that password had just been compromised.<br>
The obvious solution would have been to use a password manager, but I wasn't comfortable with the idea that all my passwords would be protected by one single master password.<br>
So I came up with a solution that allows me to always use extremely strong passwords, all unique, without having to memorize anything complicated.</p>
<h2>How does it work?</h2>
<p>The principle is ridiculously simple.</p>
<p>The application just creates a hash of what the user enters with the SHA-1 algorithm. Since the slightest change in input gives a completely different result, it is very easy to create unique passwords. For example, you can start with a very bad password, like “1234”, and then add the name of the service you are creating an account for, like Netflix.</p>
<p>The result of the following input:</p>
<p class="monospace">1234+netflix</p>
<p>will be:</p>
<p class="monospace">84b55c61cb905355057e2995c13ae833ba7d2850</p>
<p>Which is quite strong!</p>
<p>Now let's say we want to create a password for Gmail.<br>
We can input the following:</p>
<p class="monospace">1234+gmail</p>
<p>which gives us:</p>
<p class="monospace">77b4f11c48a113adf628bf55510d5cbe5af1e15d</p>
<p>A completely different result, even though we started from the same simple password.<br>
Moreover, there is no need to worry about a password being compromised anymore: it is impossible to recover the original input from the hash, so the simple password “1234” can never be guessed by an attacker in order to deduce your other passwords.</p>
<h2>How would I remember such a long password?</h2>
<p>That's the best part! You don't!<br>
Each time you need to log into an account, you launch the app and type your simple input, like “1234+gmail”. The output will be exactly the same as when you first generated it. This is one of the properties of a hash: the same input always gives the same output.</p>
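<p>The scheme described in the two sections above, as an added example in Go (my own code, written for this page; it is not the project's Rust or Go CLI, whose source is not shown here). <code>Digest</code> is the whole scheme, <code>Generate</code> builds the <code>simple+service</code> input the post uses, and <code>LooksLikeSHA1Hex</code> is the check a reviewer would run on a leaked value to see whether it carries the 40-hex-character fingerprint discussed under Limitations. The function names are mine; the SHA-1 value for <code>"abc"</code> is the standard FIPS 180 test vector.</p>

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Digest is the whole scheme: the password is the lower-case hex SHA-1
// digest of whatever the user typed, e.g. "1234+netflix".
// (Added example, not the project's own code.)
func Digest(input string) string {
	sum := sha1.Sum([]byte(input))
	return hex.EncodeToString(sum[:])
}

// Generate builds the input the way the post does, "<simple>+<service>",
// and hashes it. Changing only the service name changes the whole output,
// which is what makes the per-site passwords look unrelated.
func Generate(simple, service string) string {
	return Digest(simple + "+" + service)
}

// LooksLikeSHA1Hex reports whether a string has the fingerprint the
// Limitations section worries about: exactly 40 characters, all drawn
// from the 16-symbol alphabet 0-9a-f.
func LooksLikeSHA1Hex(s string) bool {
	if len(s) != sha1.Size*2 {
		return false
	}
	for _, r := range s {
		if !strings.ContainsRune("0123456789abcdef", r) {
			return false
		}
	}
	return true
}

func main() {
	for _, service := range []string{"netflix", "gmail"} {
		fmt.Printf("1234+%-8s -> %s\n", service, Generate("1234", service))
	}
	// Determinism is the property the post relies on for "remembering":
	// typing the same input later regenerates exactly the same password.
	fmt.Println("same input, same output:", Generate("1234", "gmail") == Generate("1234", "gmail"))
	// A standard SHA-1 test vector, so the reader can confirm the hashing is right.
	fmt.Println("sha1(\"abc\") =", Digest("abc"))
}
```

<p>Run it with <code>go run</code>; the two digests it prints for <code>1234+netflix</code> and <code>1234+gmail</code> can be compared with the values quoted above.</p>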
<h2>Limitations</h2>
<p class="light">----- 2025 edit start -----</p>
<p>Hashes only use a very limited set of characters (0-9 and a-f), which makes the password easier to brute force, despite its 40-character length, if the attacker knows that it is just a hash.</p>
<p>I am no cryptography expert, but I see two ways of attacking such a password:</p>
<ol>
<li>Guessing the input password, using social engineering or other compromised passwords, and then hashing the guess to try it (still more expensive than just trying passwords directly).</li>
<li>Brute-forcing the final password directly, knowing that it uses only a very limited set of characters.</li>
</ol>
<p>To improve on the current design, I could read each two-character sequence of the hash as the hex code of an ASCII character and build a new string by concatenating those characters.
This way, the password wouldn't look like a hash if it got exposed (so the use of this application wouldn't be as obvious, and attack #1 wouldn't be attempted),
and it would also be computationally more expensive to try passwords by guessing the input string, since there would be more steps than just hashing (this would make attack #1 more difficult).
It would also address attack #2 by using a much wider set of characters.</p>
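<p>The proposal above, worked through as an added example in Go (my own code, not the project's). <code>HashBytes</code> keeps the digest as 20 raw bytes exactly as the edit describes; <code>CountUnprintable</code> shows the catch a practitioner would hit first, namely that SHA-1 bytes are uniform over 0x00-0xff, so most digests contain control characters or non-ASCII values that cannot be typed into a password field; <code>SearchSpaceEqual</code> checks the brute-force argument with exact arithmetic (16^40 and 256^20 are both 2^160, so the re-encoding changes what the password looks like, not how many possible passwords there are); and <code>ToTypeable</code> is an assumed fix-up of mine, not something the page proposes, that folds each byte onto the 94 visible ASCII characters so the output can actually be entered. All function names are mine.</p>

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math/big"
)

// HashBytes takes the 2025 proposal literally: instead of printing the
// digest as 40 hex characters, keep each two-hex-digit pair as the single
// byte it encodes, giving a 20-byte string.
// (Added example, not the project's own code.)
func HashBytes(input string) []byte {
	sum := sha1.Sum([]byte(input))
	return sum[:]
}

// CountUnprintable counts bytes outside printable ASCII (0x20-0x7e).
// SHA-1 output is uniform over 0x00-0xff, so most digests contain bytes
// that cannot be typed into a password field at all.
func CountUnprintable(b []byte) int {
	n := 0
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			n++
		}
	}
	return n
}

// SearchSpaceEqual checks the brute-force claim with exact integers:
// 40 characters from a 16-symbol alphabet (16^40) versus 20 characters
// from a 256-symbol alphabet (256^20). Both equal 2^160, so re-encoding
// the same digest changes how the password looks, not how many exist.
func SearchSpaceEqual() bool {
	hexSpace := new(big.Int).Exp(big.NewInt(16), big.NewInt(40), nil)
	byteSpace := new(big.Int).Exp(big.NewInt(256), big.NewInt(20), nil)
	return hexSpace.Cmp(byteSpace) == 0
}

// printable is the 94 visible ASCII characters '!'..'~', built in a loop
// rather than typed out so no symbol is missed.
var printable = func() string {
	b := make([]byte, 0, 94)
	for c := byte('!'); c <= '~'; c++ {
		b = append(b, c)
	}
	return string(b)
}()

// ToTypeable is an assumed fix-up (not on the page): fold each byte onto
// the 94-symbol printable alphabet so the whole string can be typed.
// Reducing 256 values to 94 by modulo is slightly uneven, so a little
// entropy is lost; this keeps the password usable, it does not add strength.
func ToTypeable(b []byte) string {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = printable[int(c)%len(printable)]
	}
	return string(out)
}

func main() {
	raw := HashBytes("1234+netflix")
	fmt.Printf("raw bytes:          % x\n", raw)
	fmt.Println("unprintable bytes: ", CountUnprintable(raw), "of", len(raw))
	fmt.Println("16^40 == 256^20:   ", SearchSpaceEqual())
	fmt.Println("typeable form:     ", ToTypeable(raw))
}
```

<p>The counts it prints for the raw bytes are the practical reason the literal proposal needs a second step before the output is a usable password; the equality check is the reason that step should be chosen for typeability rather than in the expectation of a larger search space.</p>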
<p class="light">----- 2025 edit end -----</p>
<h2>Try it!</h2>
<p>You can try the current version for yourself!<br>
I made a GUI application for Android, Windows and Linux (X11) using Godot Engine.<br>
There are also 2 CLI versions in Rust and Golang, because I tried to learn these languages at some point.<br>
I decline any responsibility in case something bad happens with this app. Use it at your own risk.</p>
<p class="light">Downloads will be available later.</p>
</div>
<div class="column" style="--custom_width: 30%;">
<img style="border-radius: 1em;" src="thumb.png"/>
<h3 style="margin-bottom: 0.5em;">My role</h3>
<p style="margin-bottom: 0;">Programming, UI</p>
<h3>Software used</h3>
<p>Godot Engine (for GUI version)</p>
</div>
</div>
<div class="spacer" style="--size: 2em"></div>
<a href="#" class="btt"><img class="bttimg" src="../../media/icons/arrow_upward.png"/></a>
</main>
<footer>
<div id="footer_box">
<div class="footer_item">
<p>Copyright © 2025 Ailyaut</p>
</div>
<div class="footer_item">
<a target="_blank" href="https://www.websitecarbon.com/website/ailyaut-robotfumeur-fr-index-html/" style="text-decoration: none;">
<p style="color: black; background-color: var(--accent); padding: 0.2em 0.6em 0.2em 0.6em ; border-radius: 1em;">
0.02g of CO₂/view
</p>
</a>
</div>
<div class="footer_item" style="justify-content: flex-end; gap: 1.75em;">
<a rel="me" href="https://mastodon.online/@ailyaut" target="_blank"><img src="../../media/icons/mastodon.png" class="icon" alt="Mastodon" title="Mastodon"/></a>
<a href="https://www.youtube.com/@ailyaut" target="_blank"><img src="../../media/icons/youtube.png" class="icon" alt="YouTube" title="YouTube"/></a>
<a href="https://ailyaut.bandcamp.com/" target="_blank"><img src="../../media/icons/bandcamp.png" class="icon" alt="Bandcamp" title="Bandcamp"/></a>
<a href="https://codeberg.org/ailyaut" target="_blank"><img src="../../media/icons/git.png" class="icon" alt="Git" title="Git"/></a>
<a href="../../rss.xml"><img src="../../media/icons/rss.png" class="icon" alt="RSS feed" title="RSS feed"/></a>
</div>
</div>
</footer>
</body>