

SHA1 hashed Sentence Based Passwords - 16s
http://16s.us/sha1_pass/

======
16s
Submitter here. I decided to take my own advice and use a strong, unique
password on every site that requires authentication.

That's easy to say, but hard to do. I can't imagine how non-technical people
cope with all the security advice about passwords they receive. The horror
stories (such as Gawker's password compromise) don't help matters either.

The requirements of SHA1 Pass are:

0. Focus on sentence based passwords only (not long, complex passwords that
no one can remember).

1. Generate passwords (do not store them). Nothing to safeguard or to backup
in case of failure, corruption, or loss. All the end-users have to do is
remember sentences.

2. Password generation must occur _locally_ on end-user devices (not in web
browsers and not in the cloud on some other company's server). Sorry, I just
don't trust that.

3. SHA1 Pass must be portable and reproducible so others can implement the
idea in the absence of SHA1 Pass or even perfect the idea. OpenSSL, crypto++,
sha1sum and various other programming libraries and apps do SHA1. There is no
secret/closed encryption.

I've been using SHA1 Pass for quite a while now, but I wanted to polish it up
a bit and really start using it (especially after the Gawker compromise) and
share the application with Hacker News.

I realize that there is already excellent password management software
available that has solid reputation and many features. I've used Password Safe
(Bruce Schneier originally) and heard good things about 1Password. However,
both of those tools _store passwords_ and don't focus on sentence based
passwords (I'm not sure about portability).

~~~
mooism2
Constructive criticism:

It might be easier to use if it was a browser extension. This would allow me
to type a sentence into the password field, right-click the password field,
select base64/hex/whatever, and not have to worry about alt-tabbing between
programs or pasting the password.

(Can browser extensions read the contents of password fields? I don't know.)

------
ra
I'm a big fan of using long, multi-word phrases for passwords because:

- they're easy to remember

- it's possible to have 'topical' phrases for the particular purpose, this
encourages me to use a wider variety of passwords

- they're good cryptographic seeds

- they're never going to be in your rainbow table

That is why I really hate web sites with rigid password rules (e.g: Yahoo).
Why the hell should I have an uppercase char or a numeric if my password is,
"if jullian assange is a terrorist then so is my mum".

~~~
16s
I agree. That's why I added the base64 encoding option. The sentence you gave
would SHA1 | base64 encode to this password:

PtyrFg9YAStZenWaledWVdzTl8E=

It has uppercase, lowercase, numeric and a special char. If that is too long
for some sites (and I have found that to occur), then use the half base64
password:

PtyrFg9YAStZen

It has all of the complexity above except a special char.
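The derivation described in the requirements above and in the base64 / half-base64 reply is simple enough to reimplement from the thread alone, which is the portability point the submitter makes. The following is an added example written for this page, not the SHA1 Pass application's own code: it hashes the sentence with SHA-1, then emits the hex, the base64 (28 characters, one `=` of padding) or the first 14 base64 characters, and reports which character classes the result actually contains. Function names are this example's own, and the sentences used in it are constructed inputs.

```python
"""Sentence-based password derivation in the style of SHA1 Pass.

Added illustration, not the original application's code: the thread
describes the scheme (SHA-1 of the sentence, then hex or base64, or the
first 14 base64 characters) and this reimplements it from that
description. Function names are this example's own.
"""
import base64
import hashlib
import string


def sha1_pass(sentence: str, mode: str = "base64") -> str:
    """Derive a password from a memorable sentence.

    mode: "hex"    -> 40 hex characters
          "base64" -> 28 characters (20-byte digest, one '=' of padding)
          "half"   -> first 14 characters of the base64 form

    The sentence is hashed as UTF-8 bytes with no trailing newline, so the
    hex form matches `printf '%s' "sentence" | sha1sum` on any machine.
    (`echo` would append a newline and change the digest, which is the
    usual reason two "identical" implementations disagree.)
    """
    digest = hashlib.sha1(sentence.encode("utf-8")).digest()
    if mode == "hex":
        return digest.hex()
    b64 = base64.b64encode(digest).decode("ascii")
    if mode == "base64":
        return b64
    if mode == "half":
        return b64[:14]
    raise ValueError(f"unknown mode {mode!r}")


def character_classes(password: str) -> dict:
    """Report which character classes a derived password contains.

    Base64 output of a 20-byte digest always ends in '=' and so always has
    one special character, but a digit or a '+'/'/' only appears if the
    digest happens to produce one. The half form drops the '=' padding, so
    it has a special character only when '+' or '/' lands in the first 14
    characters. Check before assuming a site's complexity rule is met.
    """
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in "+/=" for c in password),
    }


def newline_sensitive(sentence: str) -> bool:
    """True when a trailing newline would change the derived password.

    Always true for SHA-1; included so the reproducibility caveat in the
    docstring above can be demonstrated rather than asserted.
    """
    return sha1_pass(sentence) != sha1_pass(sentence + "\n")


if __name__ == "__main__":
    # Constructed sentence for illustration; use a different one per site.
    sentence = "the coffee machine on floor three is always empty"
    for mode in ("hex", "base64", "half"):
        pw = sha1_pass(sentence, mode)
        print(f"{mode:6s} {pw}  {character_classes(pw)}")
    print("trailing newline changes the result:", newline_sensitive(sentence))
```

The `hex` mode is the one to use when cross-checking against `sha1sum` or `openssl dgst -sha1`; pipe the sentence in with `printf '%s'` rather than `echo` so no newline is hashed. Because the scheme is deterministic, the same sentence always yields the same password, so per-site uniqueness comes entirely from using a different sentence for each site.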

