Brewpass - stateless password manager
Brewpass is a CLI tool for generating deterministic passwords from a Master Key, a Username and a Service Name.
Brewpass is implemented as a pure function: given the same parameters it will always generate the same password.
Brewpass does not store anything, so your passwords can't be:
- lost
- corrupted
- destroyed in:
  - a data breach
  - a natural disaster

But this approach makes your passwords susceptible to brute-force attacks. Unless you use a long and secure Master Key, do not use this tool.
- If you use a long and secure Master Key, brute-forcing is very impractical and nearly impossible.
- A sufficiently long Master Key of around 20 characters with no dictionary words or logical patterns would take at least 210_494_978_443_749_540 years to crack (assuming a generous estimate of 3000 hashes/s).
Usage
To use Brewpass, run it from the command line with the following options:
./brewpass [ARGUMENTS] [ServiceName]
- -n --name : Set the Username parameter. Defaults to $USER.
- -t --tally : Set a unique integer parameter. Defaults to 0.
- -l --len : Set desired password length. Default length is 20.
- -N : Change scrypt N parameter, should be a power of 2 [262144]
- -r : Change scrypt r parameter, tied to memory usage [8]
- -p : Change scrypt p parameter [1]
- --repeat : ask for the master key twice to avoid typos
- --notest : do not print the test word in the "MasterKey" field
- -c --copy : copy the resulting password to the clipboard (requires xsel)
- -v --version : show version and exit
- -h --help : show help message and exit

- When run, Brewpass will ask for the Master Key (input is hidden for security purposes).
- If the Service parameter is not specified, it will ask for it as well.
- Next, Brewpass will print the Test Word associated with your password in the key field. You can verify that you typed your password correctly by remembering the Test Word between runs.
- Finally, Brewpass will calculate and print the resulting password.
Example
./brewpass --name:Test -l50 example.com
Username : Test
Service : example.com
MasterKey: ANA
Password : ^$436!*49GMkq58zW9o*bzTLoNB029u&1@x481M1$6n&L5Ri#B
Algorithm
The algorithm is designed to be 'dead simple'.
Legend: '+' is a concatenation, '%' is a remainder.
key = master_key + tally
salt = username + service_name
hash = scrypt(key, salt, N, r, p, length)
ascii_string = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*0123456789!@#$%^&*"
password = ""
for byte in hash:
    password += ascii_string[byte % length(ascii_string)]
Caveats:
- username and service name can clash, e.g. "george" + "google" and "georg" + "egoogle" produce exactly the same password.
- symbols and numbers will appear in passwords twice as often - that's intentional, for password forms where they're required.
- the chosen ASCII string should be compatible with 90% of services; the other 1% requires special rules that are unwieldy, insecure and should be stored and synced. If you can, do not use these services; if you cannot, use a password manager such as Bitwarden to generate and store such passwords.
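The clash from the first caveat, reproduced as an added Python example (not Brewpass's own Nim code). It assumes UTF-8 encoding and a decimal tally and lowers scrypt N to 2**10 for speed, so its output is not expected to match Brewpass; framed_salt is a hypothetical length-prefixed alternative, not something the project implements.

```python
import hashlib

# Alphabet copied from the README's Algorithm section (88 characters).
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789!@#$%^&*0123456789!@#$%^&*")


def readme_salt(username: str, service: str) -> bytes:
    """Salt as written in the README: plain concatenation."""
    return (username + service).encode("utf-8")


def framed_salt(username: str, service: str) -> bytes:
    """Hypothetical alternative: length-prefix each field so the
    boundary between username and service is unambiguous."""
    out = b""
    for field in (username, service):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def derive(master_key: str, username: str, service: str, tally: int = 0,
           length: int = 20, n: int = 2**10, r: int = 8, p: int = 1,
           salt_fn=readme_salt) -> str:
    """Follow the README pseudocode. n is reduced from the documented
    default of 262144 so the demo runs quickly."""
    # Assumption: tally is appended as a decimal string, UTF-8 encoded.
    key = (master_key + str(tally)).encode("utf-8")
    digest = hashlib.scrypt(key, salt=salt_fn(username, service),
                            n=n, r=r, p=p, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)


def collides(salt_fn) -> bool:
    """True if the README's two example identities share a password."""
    mk = "constructed-demo-master-key"  # constructed sample value
    a = derive(mk, "george", "google", salt_fn=salt_fn)
    b = derive(mk, "georg", "egoogle", salt_fn=salt_fn)
    return a == b


if __name__ == "__main__":
    print("plain concatenation collides:", collides(readme_salt))
    print("length-prefixed salt collides:", collides(framed_salt))
```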
Dependencies
Brewpass depends on the following packages:
- nim compiler >= V2.0 (easy to backport to nim 1.6)
- nimcrypto >= V0.5.4 by cheatfate
Optional (for a smaller static binary produced with the nimble musl command):
- musl library
- strip utility from binutils package
- upx
Compilation
- install nim toolchain - instructions
- clone the repo
git clone https://codeberg.org/archargelod/brewpass
cd brewpass
nimble release
- to compile release version, or
nimble musl
- to compile tiny static portable version (see Dependencies)