Brewpass - stateless password manager
Brewpass is a CLI tool for generating deterministic passwords from a Master Key, a Username and a Service Name.
Brewpass is implemented as a pure function: given the same parameters it will always generate the same password.
Brewpass does not store anything, so your passwords can't be:
- destroyed in:
  - a data breach
  - a natural disaster
- But this approach makes your passwords susceptible to brute-force attacks.
Unless you use a long and secure Master Key, do not use this tool.
- If you use a long and secure Master Key, brute-forcing is very impractical and nearly impossible.
- A sufficiently long Master Key of around 20 characters, with no dictionary words or logical patterns, would take at least 210_494_978_443_749_540 years to crack (assuming a generous estimate of 3000 hashes/s).
To use Brewpass, run it from the command line with the following options:

    ./brewpass [ARGUMENTS] [ServiceName]

-n --name: Set the Username parameter. Defaults to $USER.
-t --tally: Set a unique integer parameter. Defaults to 0.
-l --len: Set desired password length. Default length is 20.
-N: Change scrypt N parameter, should be a power of 2
-r: Change scrypt r parameter, tied to memory usage
-p: Change scrypt p parameter
--repeat: ask master key twice to avoid typos
--notest: do not print the test word in "MasterKey" field
-c --copy: copy resulting password to clipboard (requires xsel)
-v --version: show version and exit
-h --help: show help message and exit
- When run, Brewpass will ask for the Master Key (input is hidden for security purposes).
- If the Service parameter is not specified, it will ask for it as well.
- Next, Brewpass will print the Test Word associated with your password in the key field. You can verify that you typed your password correctly by remembering the Test Word between runs.
- Finally, Brewpass will calculate and print the resulting password.

    ./brewpass --name:Test -l50 example.com
    Username : Test
    Service : example.com
    MasterKey: ANA
    Password : ^$436!*49GMkq58zW9o*bzTLoNB029u&1@x481M1$6n&L5Ri#B

The algorithm is designed to be 'dead simple'.
Legend: '+' is a concatenation, '%' is a remainder.

    key = master_key + tally
    salt = username + service_name
    hash = scrypt(key, salt, N, r, p, length)
    ascii_string = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*0123456789!@#$%^&*"
    password = ""
    for byte in hash:
        password += ascii_string[byte % length(ascii_string)]

- username and service name can clash, e.g. "george" + "google" and "georg" + "egoogle" produce exactly the same password.
- symbols and numbers will appear in passwords twice as often - that's intentional, for password forms where they're required.
- the chosen ascii string should be compatible with 90% of services; the other 1% requires special rules that are unwieldy, insecure and should be stored and synced. If you can, do not use these services; if you cannot, use a password manager such as Bitwarden to generate and store such passwords.
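
The derivation above, and the username/service clash it notes, as an added Python example (not Brewpass's own Nim code). The scrypt cost values, the UTF-8 encoding, the tally being appended as a decimal string and the length-prefixed `derive_framed` variant are assumptions made here, so the output will not match passwords produced by Brewpass.

```python
import hashlib

# Alphabet copied from the pseudocode above (digits and symbols appear twice).
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789!@#$%^&*0123456789!@#$%^&*")

# Assumed scrypt cost parameters; the page does not state Brewpass's defaults.
N, R, P = 2**14, 8, 1


def _to_password(key: bytes, salt: bytes, length: int) -> str:
    # One derived byte per output character, mapped onto the alphabet.
    digest = hashlib.scrypt(key, salt=salt, n=N, r=R, p=P, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)


def derive(master_key, username, service, tally=0, length=20):
    """Pseudocode as written: plain concatenation of the fields."""
    key = (master_key + str(tally)).encode()   # assumption: decimal tally
    salt = (username + service).encode()
    return _to_password(key, salt, length)


def derive_framed(master_key, username, service, tally=0, length=20):
    """Hypothetical variant: every field carries a 4-byte length prefix,
    so moving a character between fields changes the scrypt input."""
    def frame(text):
        raw = text.encode()
        return len(raw).to_bytes(4, "big") + raw
    key = frame(master_key) + frame(str(tally))
    salt = frame(username) + frame(service)
    return _to_password(key, salt, length)


if __name__ == "__main__":
    mk = "constructed-sample-master-key"  # constructed sample value
    for fn in (derive, derive_framed):
        a = fn(mk, "george", "google")
        b = fn(mk, "georg", "egoogle")
        print(f"{fn.__name__:14} clash={a == b}  {a}  {b}")
```
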
Brewpass depends on the following packages:
- nim compiler >= V2.0 (easy to backport to nim 1.6)
- nimcrypto >= V0.5.4 by cheatfate
Optional (for a smaller static binary produced with the nimble musl command):
- musl library
- strip utility from binutils package