Monday, February 23, 2015

Hashing to Create Passwords

An alternative to storing passwords in an encrypted password safe is to generate them as needed by hashing a unique but openly known string, such as a web URL (“google.com”), concatenated with a secret “master password”. That way only one master password is needed for any number of site passwords, each of which is computed from the master password and the unique string. Nothing secret is stored in a file, eliminating some vulnerabilities.

This idea is implemented in several currently available extensions and web sites, but I developed my own so I would know exactly what the code is doing and could work around problems with the apps getting the URL wrong.

My web app is a single HTML file. It can be standalone, with all JavaScript library code embedded in the file as <script> elements containing minified JavaScript, or it can be configured to load external JavaScript files. The file can be stored anywhere a browser can access it.

The unique strings (URLs are convenient strings) are stored in the HTML file as a two-dimensional JavaScript array (with URL and user id), and the file must be edited to add and remove sites.

Currently I store the HTML and supporting JavaScript files in Dropbox as a tar file (passgen.tar).

The self-contained html file is called passgen-min.html, while the other is passgen.html, and it requires the separate javascript files sha1.js, sha256.js and enc-base64-min.js.
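A sketch of the derivation described above, as an added example rather than the author's passgen code; it runs under Node.js with the built-in crypto module instead of the bundled sha256.js and enc-base64-min.js. The concatenation order, the 16-character output length, the sample site list and the PBKDF2 variant are assumptions.

```javascript
// Added example, not the author's passgen code. Assumed scheme:
// password = first 16 characters of Base64(SHA-256(site + master)).
const crypto = require("crypto");

// Shaped like the page's two-dimensional array: [unique string, user id].
// These entries are constructed sample values.
const SITES = [
  ["google.com", "alice@example.com"],
  ["example.org", "alice"],
];

const LENGTH = 16; // assumed output length

// Plain scheme from the post: one hash over site string + master password.
function sitePassword(site, master) {
  return crypto
    .createHash("sha256")
    .update(site + master, "utf8")
    .digest("base64")
    .slice(0, LENGTH);
}

// Stretched variant (an assumption, not in the post): PBKDF2-HMAC-SHA256 with
// the site string as salt, so recovering the master password from one leaked
// site password costs `iterations` HMAC computations per guess.
function sitePasswordStretched(site, master, iterations = 200000) {
  return crypto
    .pbkdf2Sync(master, site, iterations, 32, "sha256")
    .toString("base64")
    .slice(0, LENGTH);
}

// Derive a password for every configured site: [site, user id, password].
function generateAll(master, derive = sitePassword) {
  return SITES.map(([site, user]) => [site, user, derive(site, master)]);
}

// Demo with a constructed master password.
for (const row of generateAll("constructed-master-password")) {
  console.log(row.join("  "));
}
```

Because the plain scheme is a single fast hash, the strength of every derived password rests on how hard the master password is to guess; the stretched variant raises that cost without storing anything extra.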

Right now the web app can be accessed on my Digital Ocean VPS.

Usage

Any of the following ways can be used to run the web app:

If you are connected to the internet

Go to my web site ocean1.zouck.org in any browser.

If you are not connected (but can connect at least once)

Save the HTML file passgen-min.html to local storage on Android, then install the Open-in-browser app. If you have saved the file in Downloads, you can simply click it and select "open in browser".

On a Chromebook, save the file in local storage, then double-click it in the file browser.


Figure 1. Screen Shot of Web App
