keeweb
keeweb copied to clipboard
keeweb
New future xkcd Password Generator
Hi and thanks for this very nice apps. Is that possible in the future to add this xkcd password generator
http://preshing.com/20110811/xkcd-password-generator/
👍 good idea, looks like an easter egg, will be added in future releases. The only problem here is word db storage, I'll think how to deal with it. We have a deflater, so it can be delivered in zipped format... Source code, bsd license: http://preshing.com/files/xkcd_pw.js.php
Not necessarily easter egg, this is a common and useful strategy for password generation. One scenario where that is used is the Diceware strategy, which is a simple yet effective strategy that uses a combination of words determined from a word list. That list doesn't need to be excessively long to provide good security, the one publicly available on this site is less than 90 kB in uncompressed form - so not really an issue. Be advised though that it is not a good idea to generate the diceware numbers with a PRNG, use numbers from a "good" random source if available.
less than 90 kB
This is 1/10 of the whole app. E.g. QR code recognition library is 40kb. If we allow such a freedom in choosing libraries, the app will grow into a 5mb-monster in a month. So I think it will be added as a plugin, once we support them. Then it may contain dictionaries for another languages, e.g. german dictionary may be different.
not a good idea to generate the diceware numbers with a PRNG
We currently use browser's crypto random function for generator if it's available, so it will be used here as well.
Oh OK, you're right, I didn't think of the web deployed version, I had the electron bundle in mind where it wouldn't really change anything about the size. The plugin idea sounds good!
What about allowing to mix multiple languages?
heute penguin duimpje beautiful
(German, English, Dutch, English)
This is 1/10 of the whole app. E.g. QR code recognition library is 40kb. If we allow such a freedom in choosing libraries, the app will grow into a 5mb-monster in a month.
This logic here is incredibly lost on me. At a poultry 130MB I don't think another 90kb is going to make much of a difference....
What about allowing to mix multiple languages?
:+1:
Please don't forget that the most important platform for us is web. The whole webapp is 1.3 MB.
I'd love to see this feature as well! Especially if you allow customizing the wordlist, capitalization, spacing between the words, etc. Check out KeePass's WordSequencer Plugin for some configuration ideas and some wordlist ideas.
+1!!
I've seen different list, with the one from diceware.com probably beeing the first one.
There's a new list made by EFF which has been updated to remove strange words and has longer words on average. It is still suitable for rolling dice and has the same number of words as the original diceware list. They also did a shorter list with shorter words for rolling with fewer dice (with less bit/word of course) but easier to remember.
Of course, @antelle is right about the bloating of the app. But the probably simple workaround is to provide a way to load wordlists either from files attached to password entries or separately. Then everyone can "install" their own wordlist of choice and there is no need to have it as a plugin of any kind.
Since the words in the wordlists are basically just a kind of very big "alphabet", i would suggest to generalize lists in the generator presets: So in addition to uppercase latin letters, lowercase latin letters, numbers, etc. there could be further user-defined lists of symbols or words, each with name and symbol or word list. E.g. "symbols allowed in bank account password" => "!$%&", "names of close friends" => "marvin, todd, julia, francis" for different use-cases (the latter being to remeber the password easier).
Thinking this further, maybe it would be a good idea to introduce optinal password patterns. For instance my bank account requires me to have a password like 837462qidmNreu§ with six leading numbers, then letters including uppercase and at least one symbol of a defined array.
For these patterns on could use character classes like in Regular expressions. So the pattern for my bank could be something like [:digit:]{6}[:alpha:]{8}[:punct:] or [:digit:]{6}[:alpha:]{8}[--bank_symbols--] or the like where "bank_symbols" would be my user-defined list. Similarly ([--diceware--][:punct:]){3}[--diceware--] would be four diceware words seperated by punctuation.
Why not just use the same possibility as already provided by KeePass by using patterns? I used to make pattern like the one on https://www.gaijin.at/olspwgen.php which i'm currently missing. One improvement one could maybe make is by providing own letter classes or overwriting existing ones, but that's just an extra which is not really neccessary.
I'm interested in taking a stab at this feature however not really sure where to implement. Is there documentation on the general design pattern? I've never really worked with Node before.
Design wise: Should this be a plugin? Or directly implemented into KeeWeb? I like the idea of keeping it simple and just allowing the user to upload a flat file (or zip) with a dictionary and pulling from there. That avoids the complexity of language selection or mixed language support (a user is free to provide a dictionary that combines English and German or whatever other languages they want). It also avoids install size concerns.
It should be a plugin, here's a document about plugin support which will appear in the next version: https://github.com/keeweb/keeweb/wiki/Plugins I don't think plugin should ask for some file to upload, it must just work, no matter how, so I would make the dictionary built-in. But since it's a plugin and not core functionality, I have zero opinion and don't insist on any implementation, so it's up to you.
I support the idea that initially we only need files and let the user decide what they contain.
If you store the file outside of the keepass container (on your file system or maybe even online) you would avoid file size concerns for both the plugin and the keepass container; to make sure the file is the one you initially reviewed, there should be a hash of the file and the last used source stored next to the name, e.g. "german.txt - md5:abc123 - pulled from: http://example.com/German.Txt"
Am 14. April 2017 22:52:29 MESZ schrieb Ian [email protected]:
I'm interested in taking a stab at this feature however not really sure where to implement. Is there documentation on the general design pattern? I've never really worked with Node before.
Design wise: Should this be a plugin? Or directly implemented into KeeWeb? I like the idea of keeping it simple and just allowing the user to upload a flat file (or zip) with a dictionary and pulling from there. That avoids the complexity of language selection or mixed language support (a user is free to provide a dictionary that combines English and German or whatever other languages they want). It also avoids install size concerns.
-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/keeweb/keeweb/issues/210#issuecomment-294234479
I'm interested in taking a stab at this feature however not really sure where to implement. Is there documentation on the general design pattern? I've never really worked with Node before.
Design wise: Should this be a plugin? Or directly implemented into KeeWeb? I like the idea of keeping it simple and just allowing the user to upload a flat file (or zip) with a dictionary and pulling from there. That avoids the complexity of language selection or mixed language support (a user is free to provide a dictionary that combines English and German or whatever other languages they want). It also avoids install size concerns.
Did you ever get anywhere with this?
https://xkpasswd.net/ exists, and it is probably possible to say hullo to its password-generating bit - though this would mean the plugin would make KeeWeb not entirely local for generation. The author has the perl module used up on GitHub with a FreeBSD license: https://github.com/bbusschots/hsxkpasswd, but not having to install/run perl (at ~140MB) seems like a fair trade off for non-local generation (maybe the hardcore would like it as an option though...) Regardless, it seems like a good starting point, and the author may well be open to making changes to accommodate a KeeWeb plugin; seems like a sensible chap.
A word-based password generator would be a great feature, I'm something I really miss from back when I used to use 1Password.
Here's one written in JavaScript (also inspired by the xkcd comic) which might be a good starting point for someone to incorporate - https://github.com/jtwalters/jpgen
I've been using https://oneshallpass.com/pp.html in the interim. Works great. Offers with words to increase entropy.
I'm going to try to implement this using the EFF wordlist(s). Considering the eff_large_wordlist.txt can be deflated to 24KiB if the redundant indices are removed, do you still think it's better suited as a plugin?
@GrantMoyer most likely yes, there's also a suggestion about using different languages here, so it can be more than that.
I've made a working prototype of this plugin at https://github.com/GrantMoyer/keeweb-plugin-passphrase-generator. It uses the EFF's long word list, and there's no way to configure that at the moment.
Also, it doesn't use compression for the word list at the moment. Does KeeWeb still have a deflater? I couldn't find one.
Does KeeWeb still have a deflater?
We have pako in kdbxweb, but looks like, it's not exported, I'll expose a method for it.
Thanks @GrantMoyer for the prototype plugin, that's a great substitute for a fully-featured version of this for now.
Is there any update on KeeWeb supporting this? My SO was using a similar plugin for KeePass and I would love to try the same thing in KeeWeb since I only use the latter now.
