Tag Archives: password

mnemonicode: At long last we meet

I’ve been waiting quite a while to see mnemonicode pop up in the rotation. I remember adding it to the list a long while back and thinking, “That is really cool.”

mnemonicode is not a new tool; in fact, the GitHub repo I linked to is just a six-year-old (?) mirror of the original, which is apparently no longer online (but is archived, thank goodness). But I’m really glad I found it, and that Stephen Paul Weber uploaded it there.

What’s so great about it? Well, if you’re like me, and your passwords are just 12-digit strings of random letters and numbers, they can get a little clunky to remember. (But they are fairly time-consuming to force.) Unless the password actually has some intrinsic meaning to it, which mine don’t, it can be a challenge. Of course, that’s the purpose of having such an obtuse password.

But here’s what mnemonicode can do, with its mnencode and mndecode tools:

kmandla@6m47421: ~$ echo TxFX0rxNFkVN | mnencode
nova-figure-peru--george-side-ninja
jargon-contact-ninja--airline

See where this is going yet?

kmandla@6m47421: ~$ echo "nova-figure-peru--george-side-ninja
> jargon-contact-ninja--airline" | mndecode
TxFX0rxNFkVN

No longer do I need to remember a string of 12 characters or letters. If I can recall the normal English words, hyphens and line breaks that mnencode gave me, I can translate it back as a matter of course.

To the best of my knowledge, this is not an additional layer of encryption. I’m not actually making the password any more secure than if I had converted with something like rot13. But it does make it easier to remember.
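To show why this is an encoding and not encryption, here is a simplified base-1626 encoder/decoder in the style of mnencode/mndecode; this is added example code, not mnemonicode's own source. The word list is constructed pseudo-words rather than mnemonicode's real list, and the tail handling (one word per leftover byte, with a marker word for a 3-byte tail) is my assumption, so its words will not match the output shown above.

```python
import re

BASE = 1626     # 1626**3 > 2**32: three words cover one 4-byte group
TAIL_MARK = 7   # marker words for a 3-byte tail: (2**24 // BASE**2) + 1

def _constructed_wordlist():
    # Constructed pseudo-words ("baba", "babe", ...); NOT mnemonicode's list.
    # Each syllable is two letters, so every 4-letter combination is unique.
    syl = [c + v for c in "bcdfghjklmnprstvwxyz" for v in "aeiou"]
    return [a + b for a in syl for b in syl][:BASE + TAIL_MARK]

WORDS = _constructed_wordlist()
INDEX = {w: i for i, w in enumerate(WORDS)}

def mnencode(data: bytes) -> list:
    """Bytes -> words: 3 per full 4-byte group; 1/2/3 for a short tail,
    the 3-byte tail flagged by a marker word so decoding is unambiguous."""
    out = []
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        x, n = int.from_bytes(chunk, "little"), len(chunk)
        if n == 1:
            out.append(WORDS[x])                         # x < 256
        elif n == 2:
            out += [WORDS[x % BASE], WORDS[x // BASE]]   # x < 65536
        else:
            third = x // (BASE * BASE) + (BASE if n == 3 else 0)
            out += [WORDS[x % BASE], WORDS[(x // BASE) % BASE], WORDS[third]]
    return out

def mndecode(text: str) -> bytes:
    """Words (hyphens, '--', newlines are separators) -> bytes.  Unknown
    words or out-of-range values raise ValueError rather than being guessed."""
    words = re.findall(r"[a-z]+", text.lower())
    if any(w not in INDEX for w in words):
        raise ValueError("unknown word in input")
    idx, out = [INDEX[w] for w in words], bytearray()
    while idx:
        if len(idx) >= 3 and idx[2] >= BASE:            # flagged 3-byte tail
            x, n = idx[0] + idx[1] * BASE + (idx[2] - BASE) * BASE * BASE, 3
            if len(idx) > 3:
                raise ValueError("3-byte tail must be last")
        elif len(idx) >= 3:                              # full 4-byte group
            x, n = idx[0] + idx[1] * BASE + idx[2] * BASE * BASE, 4
        else:                                            # 1- or 2-byte tail
            x, n = idx[0] + (idx[1] * BASE if len(idx) == 2 else 0), len(idx)
        if x >= 1 << (8 * n):
            raise ValueError("word group out of range for %d bytes" % n)
        out += x.to_bytes(n, "little")
        idx = idx[min(n, 3):]
    return bytes(out)
```

Every 4-byte group becomes exactly three word indices with nothing added, so the word form carries the same entropy as the original 12-character string, and anyone holding the word list turns it back instantly.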

I’d also be a little more comfortable relaying words or sequences of numbers to someone, perhaps written down or face-to-face, if I knew they were going to pipe it back through mndecode later. Which may be part of its history, actually.

mnemonicode could use a little attention these days; aside from the archived explanation of the original program, the GitHub version doesn’t seem to have any documentation. What little I know is through experimentation.

mnemonicode is in AUR and in Sid; I’m glad to see that since I have a feeling this could be something useful in my encrypted live system. It would at least help me remember some of the more eccentric passwords I use. 😐

P.S.: No, those are not my real passwords. You should know better than that.

john: Again, a tool is just a tool

The gods of chance seem to favor tools with the potential for less-than-pristine motives today. First pirate-get and now john.

[Screenshot: 2014-08-08-6m47421-john]

john, a/k/a John the Ripper, is a password cracker … and this is where I acknowledge my rudimentary understanding of security and cryptography, because a lot of what john does is … way beyond my scope.

I did get it running in an acceptable fashion though, as you can see above. The john wiki is replete with tutorials of all levels, on how to make it work in just about any conceivable fashion. I’ll give you a hint: If you want to see a progress update, smack the space bar and john will let you know how far along he is.

Oh, and not that it matters to you, but I hear there’s a GUI for john, too. 😉

I feel john would do best on a multiprocessor machine with some real oomph to it; I understand that it can not only take advantage of multiple CPUs, but knows enough to handle multiple threads per core. There are machines available to consumers that would no doubt tear through a run-of-the-mill job with john in a matter of hours, if not minutes.

But as you can see, I didn’t bother waiting for john to find my own password. It would be a while, not just because this is a single-processor machine from 12 years ago, but because my password is not a recognizable word. Not that it would take long to find it, but it could take longer.

I leave you to experiment with john; there have been terrifically few times in my life when I needed any kind of password cracking utility, and so each time has been a new experience and I relearn everything over again. If you’re in the market for a password cracker, john might work for you. Only you can be sure. 😉

yapet: Oh, what a difference three years makes

Perhaps it’s my own personality, or perhaps yapet has matured sufficiently in the last three and a half years to fully win my appreciation.

[Screenshot: 2014-07-04-6m47421-yapet]

yapet is a password “wallet,” I guess, but is fully enclosed and functional within its own interface and settings. I make that distinction because for the past year or so I’ve been a rabid fan of pass, which keeps most of its structure at the command line, and relies on core Unix-ish tools.

Contrast that with pwsafe, which we saw months and months ago. It still hovers at the command line, but obscures the data tree that is plainly visible with pass. If that bothers you, you’ll prefer pwsafe.

yapet inflates the concept to a full console application, with its own measures of obscurity and security. You have to supply a password to get into the application. Once there, you can manage your passwords from within the application, leaving no visible data trace in your history, with the possible exception of invoking yapet.

yapet offers onboard password generation with the option to add (or avoid) special characters and punctuation. It will pull random characters from /dev/random, /dev/urandom and other sources.

File operation and menus are all done with strong colors and an obvious and intuitive arrangement. yapet worked fine as far down as 80×24, and I didn’t feel a need to squish it any more than that.

Three years ago I offered a small critique of the Debian version available at the time, mentioning that at 120MHz, there were terrifying screen refreshes that more or less kept me from using it.

I can’t say for sure how the newest versions — 1.0 at the time of this writing, released only four or five months ago — would behave at super-slow speeds. I know on this machine, coasting along at a comfortable 2.6GHz and with a proprietary video driver under X, there was no hint of that same flickering effect.

Which I credit the yapet team for eliminating — and for making yapet into something quite enjoyable. I am sure it is gratifying to watch a program grow from an idea to version 1.0; it’s likewise satisfying to see something go from fair-to-middling to bona-fide-rock-and-roll-star.

I’m more than willing to hand out one of my few remaining K.Mandla gold stars to yapet. Well done, sirs and madams, well done. ⭐ 😉

P.S.: No, those aren’t my real passwords. You shouldn’t even have to ask that question. :mrgreen:

pwsafe: Simpler password management

This will be twice in the same day I’ve mentioned pass in reference to another program. People will start to think me a spammer. 😯

But I have to compare pwsafe to pass, just because the latter is what I prefer, even if the former is quite a good option.

[Screenshot: 2014-03-21-lv-r1fz6-pwsafe]

I know some people don’t like the tree-like folder structure of pass, and that’s fine. For those folks I can recommend pwsafe.

pwsafe keeps everything in one dot-file, with no discernible cues to what the accounts or passwords are, as you can see.


pwsafe also does a few other things differently; you can declare groups, add notes to passwords and a few other points. And pwsafe, as best I can tell, doesn’t require you to set up gpg beforehand. You might like that.

As a final note, pwsafe claims to be compatible with a Windows-based password manager called Password Safe, about which I know almost nothing. I don’t mention that as an endorsement, but rather as a point of compatibility.

pwsafe looks to be just as useful and flexible as pass, but definitely goes about business in its own way. Vive la différence. 😉

pwgen: Making it up as you go

I like password generators. I don’t know why. I think they’re fun to watch in action, and they’re good to keep around even if there’s not much I really do with them.

Here’s pwgen, which I find amusing at the least.

[Screenshot: 2014-03-21-lv-r1fz6-pwgen]

pwgen might remind you of otp, which was mentioned last month. It has similar output and does much the same thing.

On the other hand, pwgen can wrangle passwords in a way that satisfies some constraints. For example, if a site requires you use a symbol (which I find incredibly annoying), pwgen can inject them. Same for capitalized letters or numbers.

It can also yank out certain characters, like vowels, thereby reducing the risk of accidentally creating a password that sounds “naughty” in English. 😳 Of course, for all you know, whatever is left could be a majestically foul utterance in another language. 🙄

I’ve noticed (because I played with pwgen so much 🙄 ) that the sequence of flags is important. For example:

kmandla@lv-r1fz6: ~$ pwgen -A -B -s -1

is different from

kmandla@lv-r1fz6: ~$ pwgen -s -A -B -1

and if you try you’ll see that the first one, in spite of the -A flag, will produce passwords with capital letters, probably because the -s came after. The second, on the other hand, will pull them out before they hit the screen.

I have pass installed, so pwgen came along for free. You can use pwgen independently of pass though, which is only to be expected. 😉

pwcrypt: On-the-fly password encryption

I like finding applications that are 10 or 15 years old, and discovering that they still work fine in spite of their age.

To the best of my knowledge, pwcrypt works just as well now as it did way back in 2000, when it was released into the wild.

[Screenshot: 2014-03-19-lv-r1fz6-pwcrypt]

If I understand the README file right, pwcrypt allows you to inject a password and have it display as encrypted text, which might be useful in scripts and so forth.

I can’t think of a reason offhand that I would need it, personally, but it’s possible that you might see a niche where it will fit. The author has some better suggestions in the documentation.

pwcrypt has about five options, none of which are difficult to decode. And as you can see in the screenshot, it seems to do its job well … inasmuch as the results are completely indecipherable to me. 🙄

Believe it or not, that’s about all I can think of to say. It’s a short little program, it didn’t give me any stress in compiling, and it seems to do what it claims.

Can’t ask for more than that. 😀

P.S.: This one is not in AUR or Debian. A wild program, running free! 😯

pass: My favorite password manager

I’ve been waiting for quite a while to mention pass, and now that the time has come, I’m rather excited about it.

[Screenshot: 2014-02-23-lv-r1fz6-pass]

pass, for me, might be the quintessential Unixy program. It uses a lot of the existing Linux environment to encrypt, sort, manage and store all my passwords, and does it in a way that is completely obvious.

I won’t pretend to be an expert on pass, but I don’t need to either.

Want to see the passwords you have? pass ls. Want to remove a password? pass rm (name). Everything is structured like a folder tree, as you can see above.

And you can arrange and nest them however you like. If you have four GMail accounts, like me, they can all go inside GMail, which can go inside a folder called e-mail, or whatever you prefer.

And even better, if you go poking around in the .password-store folder, you’ll see — omigosh! they’re all arranged in a folder tree! 😯 🙄

You can even go inside that tree and kick things around a bit, and pass won’t mind at all. Usually. 😕

You’ll need to work up your local gnupg structure to get pass working, but it should require only that you step through gpg --gen-key, and pass will work off of that. If you’ve already done that, you’re one step closer to password management nirvana.

So let’s recap: Minimal overhead and no frilly side points, follows a logical style, needs no specialized file structures or esoteric encryption libraries, keeps its commands similar to shell commands, has a pretty tree structure … yep, I think that’s it.

On the down side? Well … ah … hmmm. Aha! No color! 👿

In spite of that shortcoming, I’m willing to hand out one of K.Mandla’s highly coveted gold smilies to pass, because I like it so much. Congrats! 😀

otp: Not as simple as it looks

At first glance otp seems like a rather straightforward password generator.

[Screenshot: 2014-02-18-lv-r1fz6-otp]

And there are at least a half-dozen ways to generate random passwords at the Linux console, so why is otp special?

Well, aside from being more flexible in its output than jamming /dev/urandom through tr, or chopping off the output of mcookie, otp has a couple of other cool gimmicks.

For one, it can follow English language conventions, meaning the passwords you get look like chopped up English words.

Not cool enough? How about controlling otp’s seed to pitch the random number generator in a predictable fashion.

“That’s dumb, K.Mandla,” you say. “Why in the world would anyone want predictable passwords?”

Well, it does suggest that two people using otp could share passwords without saying them outright to each other, just by knowing the seed and which output to choose. Seed is 33, password is 15, or something James Bond-ish like that.

otp does other stuff too, like uppercase and lowercase passwords, passwords only in numbers, and producing md5 signatures for keys. And you can format its output to your screen dimensions, which would be important if you have long passwords breaking across lines.

otp is one of those programs that’s easy to overlook, and yet is strikingly effective. And oddly enough, this too is in Debian, but not in Arch or AUR. 😕 Archers don’t like the letter O, I guess. …

apg: Pronounced, “ay-pee-jee”

A couple of weeks ago I pointed out a site that could check password strength, and calculate the maximum time it would take to crack it in a brute-force attack.

I hope you took the time to look at that page. It’s very enlightening. 😯

Since then I have wanted to take a look at apg, an automatic password generator.

[Screenshot: 2013-08-12-v5-122p-apg]

On the surface, apg doesn’t do a whole lot that a dozen dozen websites don’t do as well.

apg’s strength, if you ask me, is in its flexibility and control. The average online utility that will scramble a few letters for you doesn’t have the same capacity for detail as apg.

Consider: These days, a lot of websites demand you use a capital letter in your password. Personally I find that annoying, but this isn’t about me.

apg lets you slant the generator to produce a password that does have, somewhere in it, a capital letter.

And you can do the same for numbers, symbols, lowercase letters, and so forth.

apg will also give up pronounceable passwords, which I suppose could be less secure, but are probably a lot easier to remember.

Even better, apg will translate passwords into speakable fragments, like you see above. I’m not sure why that would be necessary, but it’s pretty cool.

apg is worth looking into, particularly if you’re an administrator who has to keep resetting passwords for forgetful staffers.

I mentioned one way to do it a few months ago; but really apg is probably better. 😐