The main repository. Contains both Python and Javascript implementations.
Revision | 0eda3b1990cb95ef22853e3d130428713cc84552 (tree) |
---|---|
Time | 2019-02-24 04:47:25 |
Author | Eric Hopper <hopper@omni...> |
Committer | Eric Hopper |
Make --help better. Update README.md for recent changes.
@@ -41,7 +41,7 @@ | ||
41 | 41 | ```text |
42 | 42 | $ ./makepw.py --help |
43 | 43 | usage: makepw.py [-h] [--iterations ITERS] [--site SITE] [--extra] [--old] |
44 | - [--no-check] | |
44 | + [--format FORMAT] [--list-formats] [--random] [--no-check] | |
45 | 45 | |
46 | 46 | Generate a site password from a master password and a site name. |
47 | 47 |
@@ -51,26 +51,39 @@ | ||
51 | 51 | Number of hash iterations. Defaults to 200000. For the |
52 | 52 | original behavior of a non-iterated hash, use an |
53 | 53 | iteration count of 0. |
54 | - --site SITE, -s SITE Last two components of site domain name (aka | |
55 | - slashdot.org). | |
56 | - --extra, -e Add just a few more bits of entropy to the result | |
57 | - while still satisfying the requires of both upper and | |
58 | - lowercase, a digit and a symbol. | |
54 | + --site SITE, -s SITE Unique site or account identifier, usually the last | |
55 | + two components of site domain name (aka slashdot.org). | |
56 | + --extra, -e Backwards compatility - equivalent to --format | |
57 | + stupid_policy14 | |
59 | 58 | --old, -o Use old non-PBKDF2 function for generating the |
60 | - password. | |
59 | + password. Not relevant with -r | |
60 | + --format FORMAT, -f FORMAT | |
61 | + Output format of resulting password. Defaults to | |
62 | + 'stupid_policy13'. Use --list-formats for a list of | |
63 | + supported formats. | |
64 | + --list-formats, -l Print out a list of supported formats, like --help, | |
65 | + this short-circuits any other function. | |
66 | + --random, -r Use the OS secure random number generation to creae a | |
67 | + random password instead of asking for a master | |
68 | + password. Useful for generating master passwords, or | |
69 | + with the xkcd algorithm. Implies --no-check and | |
70 | + ignores the site name and --iterations. | |
61 | 71 | --no-check, -n Do not print out hash for check_site site. This hash |
62 | 72 | can help you tell if you entered the wrong password. |
63 | 73 | ``` |
64 | 74 | |
65 | 75 | ## How It Works ## |
66 | 76 | |
67 | -It uses the PKCS#5 v2.0 PBKDF2 with a large (but configurable) number | |
68 | -of iterations to make sure that even if an attacker manages to get the | |
69 | -plaintext password for a given site, it will be practically impossible | |
70 | -for them to reverse the hash and figure out the master password. | |
77 | +When not using `--random` mode, it uses the PKCS#5 v2.0 PBKDF2 with a | |
78 | +large (but configurable) number of iterations to make sure that even if | |
79 | +an attacker manages to get the plaintext password for a given site, it | |
80 | +will be practically impossible for them to reverse the hash and figure | |
81 | +out the master password. | |
71 | 82 | |
72 | 83 | ## Known Bugs ## |
73 | 84 | |
74 | 85 | It has a small bug in which it skips 'Z', 'z' and '9' for generating the |
75 | -uppercase, lowercase and digit characters. This bug should be faithfully | |
76 | -replicated to all the various implementations. | |
86 | +uppercase, lowercase and digit characters. When implementing this for | |
87 | +some other language, this this bug should be faithfully replicated to | |
88 | +maintain compatibility and allow people to use any implementation for | |
89 | +re-creating a password they created with a different implementation. |
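Review bot: In the reworded How It Works paragraph (new lines 77-81), the PBKDF2 claim is qualified only for `--random`, yet the help text in this same hunk says `--old` uses a non-PBKDF2 function and an `--iterations` count of 0 gives a non-iterated hash. The statement that recovering the master password is practically impossible does not describe those modes, so name them as exceptions alongside `--random`. The new `--extra` entry also no longer says what the option does to the output; a short description of stupid_policy14 or a pointer to `--list-formats` would help. Typos in the added lines: "compatility" should be "compatibility", "creae" should be "create", "this this bug" is doubled, and "aka slashdot.org" reads better as "e.g. slashdot.org".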
@@ -130,21 +130,22 @@ | ||
130 | 130 | "use an iteration count of 0.") |
131 | 131 | parser.add_argument('--site', '-s', |
132 | 132 | metavar='SITE', type=str, |
133 | - help="Last two components of site domain name " | |
134 | - "(aka slashdot.org).") | |
133 | + help="Unique site or account identifier, usually the" | |
134 | + " last two components of site domain name (aka" | |
135 | + " slashdot.org).") | |
135 | 136 | parser.add_argument('--extra', '-e', action='store_true', default=False, |
136 | - help="Add just a few more bits of entropy to the " | |
137 | - "result while still satisfying the requires of both " | |
138 | - "upper and lowercase, a digit and a symbol.") | |
137 | + help="Backwards compatility - equivalent to " | |
138 | + "--format stupid_policy14") | |
139 | 139 | parser.add_argument('--old', '-o', action='store_true', default=False, |
140 | 140 | help="Use old non-PBKDF2 function for generating the " |
141 | - "password.") | |
141 | + "password. Not relevant with -r") | |
142 | 142 | parser.add_argument('--format', '-f', |
143 | 143 | metavar='FORMAT', type=str, default=None, |
144 | - help="Output format of resulting password. This will" | |
145 | - " supercede the -eargument. Use --list-formats for a" | |
144 | + help="Output format of resulting password. Defaults" | |
145 | + " to 'stupid_policy13'. Use --list-formats for a" | |
146 | 146 | " list of supported formats.") |
147 | 147 | parser.add_argument('--list-formats', '-l', action='store_true', |
148 | + default="stupid_policy13", | |
148 | 149 | help="Print out a list of supported formats," |
149 | 150 | " like --help, this short-circuits any other function.") |
150 | 151 | parser.add_argument('--random', '-r', action='store_true', |
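Review bot: `default="stupid_policy13"` has been added to the `--list-formats` argument (new line 148), which is `action='store_true'`, while `--format` keeps `default=None` even though its help now says it defaults to 'stupid_policy13'. With argparse this makes the parsed `list_formats` value the non-empty string "stupid_policy13" whenever the flag is omitted, so any truthiness check on it would take the list-formats short-circuit on every run. Move the default to the `--format` call (or resolve None to 'stupid_policy13' where the format is looked up) and leave `--list-formats` defaulting to False. The "compatility" typo in the `--extra` help string should be "compatibility".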