<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Info</title>
<link rel="manifest" href="manifest.json"/>
<link rel="stylesheet" href="css/pwa.css" />
<script
async
src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-9946044372357745"
crossorigin="anonymous"
></script>
</head>
<body class="info">
<div id="infoBanner" class="topIcons"
style="justify-content: left; margin-bottom: 3rem;">
<img class="btn back" src="icons/back.svg"
title="Back">
<script>
document.querySelector(".btn.back").addEventListener("click", () => {
window.close();
});
</script>
</div>
<br><br>
<h1>What is HPASS?</h1>
HPASS(™, ©) is a lightweight, intuitive, simple and easy-to-use tool to
create and use strong and unique passwords.
It is implemented as a Progressive Web Application
(<a href="https://en.wikipedia.org/wiki/Progressive_web_app">PWA</a>).
<h2>Why?</h2>
If you think there is room for improvement in your current approach to
password handling, you may find HPASS helpful. One way to store and share
passwords is by using a
<a href="https://en.wikipedia.org/wiki/Password_manager">password manager</a>.
It is an often-recommended and widely used solution, but not without
problems.
<p>
HPASS(™, ©) uses an alternative approach with one major advantage:
passwords are generated locally, on demand, and never stored anywhere.
For convenience, three <em>generic settings</em>
(<strong>Secret</strong>,
<strong>Special Character</strong>,
<strong>Length</strong>),
used to generate strong, reproducible passwords for any given
site (identified by its <strong>Hint</strong>),
are stored (encrypted!) only on your local device.
For an extra layer of security, two additional
parameters are provided which are never stored anywhere:
<strong>Top Secret</strong> and
<strong>Burn</strong>.
See the <a href="help.html">Help section</a>
for a detailed description of all parameters and how
they are used to generate passwords.
</p>
<!--
<p>
A large number of sites and apps offer strong random password generation,
but a fairly extensive search (see links below) failed to find any which
would allow generating reproducible, hint-derived passwords as HPASS
does.
</p>
<p>
UPDATE [2024-03-01]: Apparently
<a href="https://en.wikipedia.org/wiki/Master_Password_(algorithm)">Master Password</a>
(now rebranded as Spectre,
<a href="https://spectre.app">https://spectre.app</a>) was developed in
2012. It uses basically the same idea as HPASS -
<strong>do not store the password,
generate a reproducible password when you need it</strong>.
You can find there extensive explanations of why this is a better solution
than storing passwords, as password managers do. However, the whole
process Spectre uses seems overcomplicated and restrictive at the same
time. For example, in addition to the HPASS
<strong>Secret</strong> equivalent, it requires a user name, it
generates passwords only following a few fixed templates, etc. Take a look,
and decide for yourself.
</p>
-->
<h2>Typical usage</h2>
<p>
Assume you need a password for a website with
URL=<tt>https://www.abc.com</tt>. You can simply enter <tt>abc</tt> as a
password hint into the <tt>"Enter Hint"</tt> input box and press the generate
button (<img
src="icons/generate.svg"
style="width: 2rem; height: 0.8rem"
/>). This will generate a password and copy it to the clipboard -
you can paste it where it is needed.
</p>
<p>
Note: You can use the Second-level Domain
(<a href="https://en.wikipedia.org/wiki/Second-level_domain">SLD</a>)
- "abc" in the example above - as a password hint,
or any other string you can easily associate with a particular site.
For example, "fb" for "facebook", "bofa" for "bankofamerica", etc.
</p>
<!--
As a convenience feature, if you
enter the whole URL the app will automatically extract the
<a href="https://en.wikipedia.org/wiki/Second-level_domain">second-level domain (SLD)</a>
(i.e. "abc" in this example) as a password <tt><strong>Hint</strong></tt>.
-->
<h2>Notes</h2>
<ul>
<li>
The default values for <strong>Special Character</strong>
(default: "_") and <strong>Length</strong> (default: 15)
have been selected to be accepted by most sites. However,
some sites do not accept all special characters,
and some impose rather short maximum password lengths.
For these sites you need to change these values and save them
as <em>site-specific settings</em>.
</li>
<li>
The purpose of <strong>Secret</strong> is to create unique
passwords for each user.
</li>
<li>
HPASS generates a password from the given input parameters through a
<a href="https://csrc.nist.gov/glossary/term/one_way_hash_algorithm">one-way hash function</a>.
The input parameters used to generate the password cannot be recovered
from the password string.
</li>
</ul>
<h2>Security considerations</h2>
Keeping only a local copy of any sensitive information is more secure and
less tempting for potential hackers than keeping it in a centralized location -
just compare the relative effort and payoff of breaking once into a
central database with millions of passwords vs breaking into millions of
individual devices.
However,
<a
href="https://hbr.org/2017/12/you-cant-secure-100-of-your-data-100-of-the-time"
>no information is 100% secure if it is written down</a>, and
<a
href="https://www.jamaicaobserver.com/letters/theres-no-such-thing-as-100-secure-data/"
>the only secure data is the one that is kept in your head</a>
(barring any
<a href="https://link.springer.com/article/10.1007/s10676-016-9398-9">mind-reading capabilities</a>).
Given that, if you are
concerned about bad actors breaking into your device
and stealing the settings you use to generate passwords, there are some steps you
can take to make your passwords virtually 100% secure at the price of a (small)
inconvenience.
<br><br>
For example you can:
<br><br>
<ol>
<li>
Use <strong>Top Secret</strong> and/or <strong>Burn</strong> for an extra layer
of security. These two parameters are never stored.
</li>
<li>Instead of using the second-level domain, use a nickname,
e.g. "cr" instead of "consumerreports" for https://www.consumerreports.org
</li>
<li>
Obfuscate the second-level domain in some fashion known only to you, e.g.
append some character(s), insert a space before the last character, etc.
</li>
<li>Use the generated password as a hint and generate a password again</li>
</ol>
<br>
You can probably invent an infinite number of similar simple schemes to accomplish the same goal, i.e.
that part of the whole password-generating procedure is stored only in
your head :)
<!-- Of course, if the sites you need to log in to where the
security is most important (bank accounts, etc.) offer multifactor
authentication (<a
href="https://en.wikipedia.org/wiki/Multi-factor_authentication"
>MFA</a
>) it is always a good idea to use it.
Note however that with the recent rise in
<a href="https://en.wikipedia.org/wiki/SIM_swap_scam">SIM swap scams</a>
this is not entirely foolproof. -->
For sites which offer it, multifactor authentication (<a
href="https://en.wikipedia.org/wiki/Multi-factor_authentication"
>MFA</a>) offers an extra layer of security. However, the rise of
<a href="https://en.wikipedia.org/wiki/SIM_swap_scam">SIM swap scams</a>
in the 2021-2022 period illustrates that MFA is not entirely foolproof.
<p>
Last, but not least, all HPASS
<a href="https://github.com/hpass314159">code</a>
is open source - you can inspect it, comment on it, propose and contribute
improvements.
</p>
<h2>Support</h2>
If you have any questions, comments or suggestions, please send an email to
<strong><tt>[email protected]</tt></strong>.
Answering all questions individually might not be
feasible, but all concerns will be addressed in the
<!-- <a href="https://hpass.app/help.html#FAQ">Frequently Asked Questions</a> -->
<a href="help.html#FAQ">Frequently Asked Questions</a> document.
<h2>Problems with password managers</h2>
<p>
You can find multiple sources discussing the pros and cons of using a password
manager. A very short list:
</p>
<ul>
<li><strong>Pros:</strong> ability to share passwords;
some offer encrypted storage for other sensitive information
(credit card numbers, bank accounts, etc.)</li>
<li>
<strong>Cons:</strong> vulnerability
to hacking, safety, lock-in for browser built-in password managers.
</li>
</ul>
<h2>Similar applications</h2>
<!--
LessPass:
LessPass is an open-source password manager that generates passwords using a deterministic algorithm. It uses a master password and site-specific information to create unique passwords for each service.
Password Hasher Plus:
This is a browser extension that generates site-specific passwords based on a master password and the domain name. It uses a combination of HMAC-SHA256 and PBKDF2 for password generation.
Master Password:
Master Password is an algorithm and app that generates unique passwords for different sites using a master password and site name. It's available on multiple platforms and doesn't store passwords.
Spectre:
Spectre (formerly 1Password's Password Generator) is a stateless password manager that uses a master password and site information to generate unique passwords. It's available as a web app and browser extension.
HashPass:
HashPass is a simple web-based tool that uses SHA-256 hashing to generate site-specific passwords from a master password and domain name.
PWGen:
PWGen is a command-line tool that can generate reproducible passwords using various algorithms, including HMAC-SHA1.
https://sitepassword.alanhkarp.com/
-->
<ol>
<li>
<a href="https://play.google.com/store/apps/details?id=com.saltthepass.app">SaltThePass</a>
- a companion app for https://saltthepass.com.
SaltThePass is a password generator that will help you generate unique,
secure passwords for all of the websites you visit, based on a single Master Password that you remember.
</li>
<li>
<a href="https://www.lesspass.com">LessPass</a> -
generates passwords based on your master password,
the domain of the site, and your username or email.
It's a web-based tool with browser extensions and mobile apps.
</li>
<li>
<a href="https://masterpassword.app">Master Password</a> -
uses a master password, your name,
and the site domain to generate passwords.
It's available as a web app, desktop application, and mobile app.
</li>
<li>
<a href="https://spectre.app">Spectre</a> -
Instead of saving and sending passwords across the internet,
Spectre calculates the password you need,
only when you need it, then throws it away again.
</li>
<li>
<a href="https://supergenpass.com/">SuperGenPass</a> -
generates passwords using a master password and the domain of the site.
It's available as a bookmarklet and browser extension.
</li>
<li>
<a href="https://scottparry.co/labs/hashpass">HashPass</a> -
Remember one master password to access all of your passwords, anywhere, anytime,
on any device.
Never storing any data or having to synchronize anything.
</li>
<li>
<a href="https://addons.mozilla.org/en-US/firefox/addon/password-hasher-plus/versions/">Password Hasher Plus</a> -
A browser extension that creates site-specific passwords based on a master password,
the domain name, and other customizable parameters.
</li>
<li>
<a href="https://passwordmaker.org/passwordmaker.html">PasswordMaker</a>
</li>
<li>
<a href="https://sitepassword.alanhkarp.com/">SitePassword</a>
</li>
</ol>
<h2>Further reading</h2>
<!-- https://www.pcmag.com/opinions/warning-dont-let-google-manage-your-passwords -->
<ol>
<li>
<a href="https://whatpwacando.today">What PWA Can Do Today</a>
</li>
<li>
<a href="https://pages.nist.gov/800-63-4/sp800-63b.html#appA">
NIST Digital Identity Guidelines SP 800-63-4 (second public draft, 28 Aug 2024)
</a> and related Slashdot
<a href="https://slashdot.org/story/433587">
story
</a>
</li>
<li>
<a href="https://crypto.stackexchange.com/questions/11464/what-are-the-pros-and-cons-of-deterministic-site-specific-password-generation-fr">
What are the pros and cons of deterministic site-specific password generation from a master pass?
</a>
</li>
<li>
<a href="https://derekbruff.org/blogs/fywscrypto/practical-crypto/dont-give-them-the-finger-why-passwords-are-more-secure-than-touchid/">
Why passwords are more secure than TouchID
</a>
</li>
<li>
<a href="https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers">
4 fatal flaws in deterministic password managers
</a>
</li>
<li>
<a href="https://sites.google.com/site/smzmo7qyrridijpujf8bcw/home">
Good writeup about passwords (Google site)
</a>
</li>
<li>
<a href="https://en.wikipedia.org/wiki/Password_strength">
Password strength (Wikipedia)
</a>
</li>
<li>
<a href="https://www.passwordmanager.com/password-manager-trust-survey/">
Most people don't trust password managers...</a>
</li>
<li>
<a href="https://www.pcmag.com/opinions/warning-dont-let-google-manage-your-passwords">
Don't Let Google Manage Your Passwords</a>
</li>
<li>
<a href="https://securityintelligence.com/news/lastpass-breaches-cast-doubt-on-password-manager-safety/">
LastPass breaches cast doubt on password manager safety
</a>
</li>
<li>
<a href="https://blog.hypr.com/problems-with-password-managers">
https://blog.hypr.com/problems-with-password-managers
</a>
</li>
<li>
<a href="https://www.makeuseof.com/are-password-managers-safe-or-not/"
>https://www.makeuseof.com/are-password-managers-safe-or-not</a>
</li>
<li>
<a href="https://blog.knowbe4.com/what-about-password-manager-risks"
>https://blog.knowbe4.com/what-about-password-manager-risks</a>
</li>
<li>
<a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">
Salt (cryptography)
</a>
</li>
<li>
<a href="https://hashcat.net/hashcat">
hashcat: World's fastest and most advanced password recovery utility
</a>
</li>
<li>
<a href="https://stackoverflow.com/questions/1607075/storing-encrypted-passwords">
Stackoverflow thread on dangers of storing encrypted passwords
</a>
</li>
<li>
<a href="https://arxiv.org/pdf/1703.01959">
"AutoPass: An Automatic Password Generator" (2017) Fatma Al Maqbali and Chris J Mitchell
</a>
</li>
</ol>
</body>
</html>
<!-- Interesting sites:
https://randompasswordgen.com
-->