Rehashing Hashapass

Sep 29 2009

A while back we posted on hashapass.rb as a homegrown solution to password management. Sadly, the post was ‘lost’ in the latest site redesign, but since then we’ve hashed countless passwords.

However, using Ruby for the script had one drawback: it was 2 seconds too slow when loading. Looking for instant gratification, we decided to rewrite it as a shell script, adding support for other Unices along the way courtesy of xsel. The password hashing itself is now handled by the openssl command line tool.

So go ahead, check out the latest version over at github and enjoy a faster hashing experience.

Our previous Hashapass post is reproduced in full below, partly for people interested in its original development, partly because the short screencast was so much fun to make.

I solved my password management problem years ago when I stumbled upon hashapass.com. Being able to easily generate a different password for every account is the way to go as far as I’m concerned. But therein lies the problem: easy generation.

Being dependent on an online outfit can be cumbersome, what with the looming fear that if the site goes down, your passwords are lost forever. Even if the site can be downloaded onto the desktop, there’s still that little issue of usability.

Having to use a website requires one too many steps to get a password. Even using OS X’s Dashboard and a widget is troublesome: a mouse is still needed to select the widget. These are things we can improve on with a simple terminal app. Oh, and let’s write it in Ruby to keep things fun.

Algorithm

Initially, I thought about using a hashing algorithm that’s independent from hashapass.com, but the prospect of needing to change all my current passwords made me think differently. Turns out, 10 minutes of delving into their JavaScript was enough to figure out that the hashing is HMAC-SHA1, with the result Base64-encoded. With an extra 20 minutes I got a Ruby equivalent for the same operation.

Copy to Clipboard

To make this work, there must be no need to select text and press ⌘+C. I was lucky enough to recall it is possible to copy to OS X’s clipboard via the command line. In hindsight, I shouldn’t have been so surprised. One quick Google search later, pbcopy came up, and all was good. Well, almost: there was a problem with a newline being tacked on to whatever text got piped into pbcopy, which turned out to be echo’s default behaviour. printf is a better alternative for this case: echo -n would also suppress the newline, but it is not portable across shells, whereas printf '%s' is.

Options

There are two scenarios where copying the password directly to the clipboard may be vexing. Some entry forms don’t make use of the system clipboard, thus making it impossible to paste in a password. All right, so just add an option to display said password. The more concerning situation occurs when generating a password for a new account: since a master password is needed for the hashing operation, a typo in it silently produces a wrong password. Were it an existing account, the user would notice the login failing, generate the password again and most likely not repeat the typo. For a new account, however, the mistyped result gets registered as the account’s password, and the user will be hard-pressed later to reproduce the typo. Solution: add an option that confirms the entered master password.
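The three pieces above (HMAC-SHA1 plus Base64, newline-free copying to the clipboard, and the show and confirm options) fit in a few dozen lines of POSIX sh. The script below is an added example written for this page, not the hashapass.rb or the shell script from github. Two details are assumptions rather than something the post states: that the master password is the HMAC key and the site parameter is the message, and that the Base64 result is truncated to 8 characters, which is how I recall hashapass.com’s scheme; check both against the site’s JavaScript before trusting the output for real accounts.

```sh
#!/bin/sh
# Added example, not the post's script. Algorithm assumed here:
#   password = base64(HMAC-SHA1(key = master password, msg = parameter))[0:8]
# Verify the key/message roles and the 8-character cut against hashapass.com
# before using this for real accounts.

# hashapass MASTER PARAMETER -> 8-character password on stdout, no newline.
hashapass() {
    master=$1
    param=$2
    # printf, not echo: echo would append a newline to the message and
    # change the HMAC. -binary keeps the raw 20 digest bytes for base64.
    pw=$(printf '%s' "$param" \
        | openssl dgst -sha1 -hmac "$master" -binary \
        | openssl base64 \
        | cut -c1-8)
    printf '%s' "$pw"
}

# clip TEXT: copy TEXT to the system clipboard without a trailing newline,
# using pbcopy on OS X and xsel elsewhere. Returns 1 when neither exists.
clip() {
    if command -v pbcopy >/dev/null 2>&1; then
        printf '%s' "$1" | pbcopy
    elif command -v xsel >/dev/null 2>&1; then
        printf '%s' "$1" | xsel --clipboard --input
    else
        return 1
    fi
}

# read_master [confirm]: prompt for the master password with terminal echo
# off; with "confirm", prompt twice and fail if the two entries differ.
read_master() {
    stty -echo
    printf 'Master password: ' >&2
    read -r m1
    printf '\n' >&2
    if [ "$1" = confirm ]; then
        printf 'Confirm: ' >&2
        read -r m2
        printf '\n' >&2
        if [ "$m1" != "$m2" ]; then
            stty echo
            echo 'Master passwords do not match' >&2
            return 1
        fi
    fi
    stty echo
    printf '%s' "$m1"
}

# main [-s] [-c] PARAMETER
#   -s  show the password instead of copying it (forms that ignore the clipboard)
#   -c  confirm the master password (use when creating a new account)
main() {
    show=0
    confirm=
    while getopts sc opt; do
        case $opt in
            s) show=1 ;;
            c) confirm=confirm ;;
            *) echo "usage: $0 [-s] [-c] parameter" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    [ "$#" -eq 1 ] || { echo "usage: $0 [-s] [-c] parameter" >&2; return 2; }
    master=$(read_master $confirm) || return 1
    pw=$(hashapass "$master" "$1")
    if [ "$show" -eq 1 ]; then
        printf '%s\n' "$pw"
    else
        clip "$pw" || { echo 'neither pbcopy nor xsel found' >&2; return 1; }
    fi
}

# Only run interactively when a parameter is given, so the functions can be
# sourced and tested on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

One caveat the openssl CLI imposes: -hmac takes the key as a command line argument, so the master password is briefly visible to other local users via ps while openssl runs. The original hashapass.rb computed the HMAC in-process and did not have this exposure; on a shared machine that is a reason to prefer a language binding over the command line tool.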

Omnipresence

Up to this point, the improvements over using a Dashboard widget aren’t really outstanding. Perhaps merely cosmetic. Having to launch a terminal window, or at least keep one around in the background to change to, really ruins the workflow. In the end, what really makes it all come together happens to be visor.app, which provides an ever present, Quake-style terminal.

End Result

So, how does the end product look? Take a glance.

The code is Mac-only due to the use of pbcopy. Linux seems to have xsel produce the same results, though this remains untested by me.

Now to send it to the hashapass.com folks to help with distribution… grabbing the code from github is suggested. Hope this offers a decent solution to password management, at least until OpenID becomes a bit more pervasive.