Introducing Petapass

March 27, 2011 at 12:41 PM | Tags: password, python, gui, pygtk, release, security, petapass

This post was imported from an earlier version of this blog. Original here.

A few weeks ago, I wrote about a scheme for better passwords. Building on that idea, I'm pleased to announce Petapass, a stateless password generator. The name is a play on my first name as well as the very large number of passwords you can create.

The traditional approach to password management is to store passwords in an encrypted file (various password managers use this approach). Petapass instead implements a stateless password management scheme - all the necessary state resides in your head. It hashes a master password and a per-login descriptive token to generate unique 10-character passwords. The token is merely something you will remember when you need to log in (such as "myblog"). Portable across OSes, nothing to steal, lose or synchronize. I like to think of it as RESTful password management.
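The stateless derivation described above, as an added example that is not Petapass's own code: the post does not say which hash or encoding Petapass uses, so PBKDF2-HMAC-SHA256, the iteration count, the output alphabet, the Unicode normalization step and the name `derive_password` are all assumptions.

```python
import hashlib
import unicodedata

# Assumed parameters; the post does not state Petapass's own choices.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
ITERATIONS = 200_000


def derive_password(master: str, token: str, length: int = 10) -> str:
    """Derive a per-login password from (master, token) with no stored state."""
    if not master or not token:
        raise ValueError("master password and token must be non-empty")
    # Normalize so the same typed text yields the same bytes on every OS.
    key = unicodedata.normalize("NFKC", master).encode("utf-8")
    salt = unicodedata.normalize("NFKC", token).encode("utf-8")
    # The token acts as the salt, so each login gets an unrelated output.
    # A slow KDF keeps guessing the master from one exposed password costly.
    raw = hashlib.pbkdf2_hmac("sha256", key, salt, ITERATIONS, dklen=64)
    # Rejection sampling: skip bytes that would bias the alphabet mapping.
    limit = 256 - (256 % len(ALPHABET))
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit]
    if len(chars) < length:
        raise ValueError("requested length exceeds usable KDF output")
    return "".join(chars[:length])


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    master = "correct horse battery staple"
    for token in ("myblog", "mybank"):
        print(token, derive_password(master, token))
```

Nothing is written to disk: running it again with the same master password and token reproduces the same 10-character password.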

Petapass implements a simple GUI. It provides a "daemon mode", where it will remember your master password for a configurable timeout. After entering the token, the generated password is copied to the clipboard, allowing you to easily paste it to a login form or ssh prompt. Binding the command to show the window to a global hotkey makes Petapass unobtrusive and easy to use.

Full details at PyPI. Linux only for now - a Windows version should be trivial, while OS X requires a Cocoa GUI.

Note: I couldn't get the window to always raise to the foreground the way I wanted - if you've got PyGTK skills and a few minutes, please ping me.

These comments were imported from an earlier version of this blog.

Jeff Barea 2011/03/27 19:56:41 -0700

I like the concept. One thing I've noticed is by introducing third party programs it makes it less secure than would seem.

Mostly talking about the clipboard copying. A whole host of other security issues, but some of them are simply out of anyone's control really.

ncoghlan_dev 2011/03/27 20:23:36 -0700

I believe Brett Cannon did something along these lines with OpLop (only web based). I've never quite seen the point of stateless generators: yes, it provides substantially improved resistance to dictionary attacks against the sites themselves, but it doesn't help much with remembering your tokens for rarely used sites.

And if you decide to save the tokens somewhere... you're back to needing an encrypted password store. And once you're using one of those *anyway* why not just generate the passwords directly and not bother with the tokens?

None 2011/03/28 08:49:41 -0700

Peter Fein said...
@ncoghlan: yeah, it's similar to OpLop (which does have a Python implementation btw). Doing this in a browser at all feels risky, and doing it on a third party webpage is *insane* - you're implicitly trusting all of the code loaded by OpLop every time you use it. While I might trust Brett, I'm relying on his & Google's security.

As for remembering tokens, that doesn't seem to be a problem in practice - the tokens themselves don't need to be hard to guess - the domain name (perhaps without TLD) is fine:

@Jeff Barea: The clipboard aspect could be improved (by being eliminated entirely). It's particularly a problem when you're using a clipboard history manager, like parcellite. Perhaps I can add another command to "paste" directly to the current X11 window. See this bug:

Eric 2011/03/28 13:21:09 -0700

I keep wishing that something like this would work for me, but the passwords I'm required to create are full of incompatible restrictions. Some sites are restricted to ten characters, others require at least twelve. Some sites prohibit special characters, others require them. I use an encrypted password store partly to avoid manipulating the result of such a stateless system to fit the need.