[Unix][Crypto] Simplest possible password manager

Once I was happy with Password Safe, but I wanted something even simpler.

Here is my solution I use daily. You only have to memorize your master password. The following script can be publically available to anyone. Run it, enter master password and your generated password is pushed to clipboard(s).

#!/usr/bin/env bash
read -p "Enter the master password: " MASTER
ACCOUNT=dennis.yurichev
HOST=gmail.com
# To be incremented if you have to change this password
# For example, if compromised:
SALT=1
# Dashes here are only for readability. May be omitted.
TO_BE_HASHED=$MASTER-$ACCOUNT-$HOST-$SALT
echo To be hashed: $TO_BE_HASHED
# https://superuser.com/questions/601894/how-to-get-sha1sum-to-output-binary
# md5sum is OK, even since it's broken
# sha1sum as well, but will make the resulting password longer
# other alternatives: sha224sum, sha256sum, sha384sum.
# Warning: sha512sum may have multiline output
# tr used to remove trailing '=' characters - they don't add any security
PW=$(echo $TO_BE_HASHED | md5sum | xxd -r -p | base64 | tr -d '=')
echo $PW
# Copy generated password to both XWindows clipboards:
echo -ne $PW | xsel -i -p
echo -ne $PW | xsel -i -b
echo Password is copied to both clipboard

They only problem is that master password leak will reveal all other passwords for your accounts.

Some aditional tinkering may shorten the length of password without loss of security It may be a good idea, because there are always online services that don't allow too long passwords, or truncate them silently. See: Uuencoding, Ascii85.

This is to be fixed in my next blog post.

(the post first published at 20220511.)


List of my other blog posts. My company.

Yes, I know about these lousy Disqus ads. Please use adblocker. I would consider to subscribe to 'pro' version of Disqus if the signal/noise ratio in comments would be good enough.