
commit 96ec770e5bc06d1be5ef807226fc7f6ee474366a
Author: Tim Kuijsten <tim@netsend.nl>
Date:   Tue, 25 Apr 2017 16:24:44 +0200

Strong password generator for humans

Non-existing three-letter words that are both visually and
phonetically unambiguous and easy to pronounce.

Furthermore, the passwords are case-insensitive and blanks can be
inserted at arbitrary places.

Diffstat:
AMakefile | 22++++++++++++++++++++++
AREADME.md | 72++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Arpass.1 | 55+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Arpass.c | 82+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 231 insertions(+), 0 deletions(-)

diff --git a/Makefile b/Makefile
@@ -0,0 +1,22 @@
+PROG= rpass
+
+USRDIR= /usr/local
+BINDIR= $(USRDIR)/bin
+MANDIR= $(USRDIR)/man
+
+INSTALL_DIR= install -dm 755
+INSTALL_BIN= install -m 555
+INSTALL_MAN= install -m 444
+
+rpass: rpass.c
+ cc -Wall -std=c99 -o rpass rpass.c -lm
+
+.PHONY: clean install
+clean:
+ rm -f ${OBJS} ${COMPAT} rpass
+
+install:
+ ${INSTALL_DIR} ${DESTDIR}${BINDIR}
+ ${INSTALL_DIR} ${DESTDIR}${MANDIR}/man1
+ ${INSTALL_BIN} ${PROG} ${DESTDIR}${BINDIR}
+ ${INSTALL_MAN} ${PROG}.1 ${DESTDIR}${MANDIR}/man1
diff --git a/README.md b/README.md
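Review bot: The `clean` target's `rm -f ${OBJS} ${COMPAT} rpass` names OBJS and COMPAT, which are defined nowhere in this Makefile and so expand to nothing; this looks like a leftover from a template and the line should simply be `rm -f rpass`. The build rule also hard-codes `cc -Wall -std=c99 -o rpass rpass.c -lm` rather than going through the usual variables, so packagers cannot inject hardening or optimisation flags (`-D_FORTIFY_SOURCE`, `-fstack-protector-strong`, `-O2`) without editing the file. Plain overridable assignments such as `CC= cc` and `CFLAGS= -Wall -std=c99`, with the rule written as `$(CC) $(CFLAGS) $(LDFLAGS) -o $(PROG) rpass.c -lm`, keep the current default build on both BSD and GNU make while allowing `make CFLAGS=...` overrides.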
@@ -0,0 +1,72 @@
+# rpass
+
+Strong password generator for humans.
+
+Features:
+* Both visually and phonetically unambiguous
+* No shift or alternate keyboard needed when typing
+* Blanks can be inserted at arbitrary places to enhance visual representation
+
+
+## Examples
+Random password from a 40 bit key space:
+```sh
+$ rpass
+jikmus xuzjex
+```
+
+Random password from a 60 bit key space:
+```sh
+$ rpass 60
+loltuk zahxok takrep
+```
+
+Usage:
+```sh
+$ rpass -h
+usage: rpass [bitlen]
+```
+
+
+## Install on macOS
+```sh
+$ make && sudo make install
+```
+
+
+## Install on OpenBSD
+```sh
+$ make && doas make install
+```
+
+
+## Key space requirements
+The 40 bit default relies on strong storage of the password, i.e. bcrypt(3) with
+sufficient rounds. If your password is going to be stored using a weaker
+cryptographic construct, you have to use a bigger key space. E.g. say you want
+to generate a password you can use for one year and is stored using sha256(1).
+Furthermore your adversary has $20,000.00 to spend. According to [8x Nvidia GTX
+1080 Hashcat Benchmarks] as of 2016 the adversary can try 230 billion hashes per
+second, this makes that you'll need a key space of 64 bit (hashes per second *
+3600 * 24 * 365 * 2).
+
+## License
+
+ISC
+
+Copyright (c) 2017 Tim Kuijsten
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
+[8x Nvidia GTX 1080 Hashcat Benchmarks]: https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
diff --git a/rpass.1 b/rpass.1
@@ -0,0 +1,55 @@
+.Dd Apr 25, 2017
+.Dt RPASS 1
+.Os
+.Sh NAME
+.Nm rpass
+.Nd strong password generator for humans
+.Sh SYNOPSIS
+.Nm
+.Op Fl h
+.Op Ar bitlen
+.Sh DESCRIPTION
+.Nm
+is a strong password generator for human beings. The generated passwords are both visually and phonetically unambiguous. There is no alternation between keyboards when typing the password. And blanks can be inserted at arbitrary places to enhance visual representation.
+.Pp
+.Bl -tag -width Ds
+.It Fl h
+Print usage.
+.It Ar bitlen
+Use a key space of the specified bit length.
+.El
+.Pp
+By default
+.Nm
+uses a 40 bit key space.
+.Sh EXIT STATUS
+.Ex -std
+.Sh EXAMPLES
+.Pp
+Random password from the default key space:
+.Bd -literal -offset 4n
+$ rpass
+jikmus xuzjex
+.Ed
+.Pp
+Random password from a 60 bit key space:
+.Bd -literal -offset 4n
+$ rpass 60
+loltuk zahxok takrep
+.Ed
+.Sh BUGS
+.Nm
+relies on strong storage of the password, i.e.
+.Xr bcrypt 3
+with sufficient rounds. If your password is going to be stored using a weaker hashing mechanism, use a bigger key space. E.g. say you want to generate a password you can use for one year and is stored using
+.Xr sha256 1 .
+Furthermore your adversary has $20,000.00 to spend. According to
+.Dq 8x Nvidia GTX 1080 Hashcat Benchmarks
+as of 2016 the adversary can try 230 billion hashes per second, this makes that you'll need a key space of 64 bit (hashes per second * 3600 * 24 * 365 * 2).
+.Sh SEE ALSO
+.Xr sha256 1 ,
+.Xr bcrypt 3 ,
+.Lk https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40 8x Nvidia GTX 1080 Hashcat Benchmarks
+.Sh AUTHORS
+.An -nosplit
+.An Tim Kuijsten Aq Mt tim@netsend.nl
diff --git a/rpass.c b/rpass.c
@@ -0,0 +1,82 @@
+/**
+ * Copyright (c) 2017 Tim Kuijsten
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <math.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+/*
+ * Dutch three letter "words" that are both visually and phonetically
+ * unambiguous.
+ */
+static const char first[] = "bdfhjklmnprstvwxz"; /* drop c, g, q, y = 4 bpc */
+static const char secon[] = "aeiou"; /* vowels, 2.3 bpc */
+static const char third[] = "fhjklmnprstxz"; /* drop b, c, d, g, q, v, w, y = 3.7 bpc */
+
+int
+main(int argc, char **argv)
+{
+ int c;
+ double bits, fbpc, sbpc, tbpc;
+
+ while ((c = getopt(argc, argv, "h")) != -1)
+ switch (c) {
+ case 'h':
+ case '?':
+ fputs("usage: rpass [bitlen]\n", stdout);
+ exit(0);
+ default:
+ fputs("usage: rpass [bitlen]\n", stderr);
+ exit(1);
+ }
+ argc -= optind;
+ argv += optind;
+
+ fbpc = log2(sizeof first - 1);
+ sbpc = log2(sizeof secon - 1);
+ tbpc = log2(sizeof third - 1);
+
+ if (argc)
+ bits = strtol(argv[0], NULL, 10);
+ else
+ bits = 40.0;
+
+ if (bits <= 0) {
+ fputs("usage: rpass [bitlen]\n", stderr);
+ exit(1);
+ }
+
+ /* make three letter words */
+ c = 0;
+ while (bits > 0) {
+ putchar(first[arc4random_uniform(sizeof first - 1)]);
+ bits -= fbpc;
+
+ putchar(secon[arc4random_uniform(sizeof secon - 1)]);
+ bits -= sbpc;
+
+ putchar(third[arc4random_uniform(sizeof third - 1)]);
+ bits -= tbpc;
+
+ if (bits > 0 && c++ % 2)
+ putchar(' ');
+ }
+
+ putchar('\n');
+
+ return 0;
+}
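Review bot: The `bits = strtol(argv[0], NULL, 10);` line accepts trailing garbage and never checks errno, so a mistyped argument such as `rpass 1e9` is silently parsed as 1 and the tool prints a single ~10-bit word, a far smaller key space than the user asked for, while an out-of-range value saturates at LONG_MAX and makes the loop print for a very long time. For a password generator the bit length should be parsed strictly: pass an end pointer, reset and test errno, and require the whole argument to be consumed, rejecting anything else with the existing usage/exit(1) path (this needs `#include <errno.h>`; OpenBSD's strtonum(3) would be terser but is not available on macOS, which the README targets). Separately, the getopt switch groups `'?'` with `'h'`, so an unknown option prints usage to stdout and exits 0 and the `default:` arm is unreachable because getopt with "h" only ever returns 'h' or '?'; moving `case '?':` above `default:` gives unknown options the stderr/exit(1) treatment.
```c
	if (argc) {
		char *end;

		errno = 0;
		bits = strtol(argv[0], &end, 10);
		if (end == argv[0] || *end != '\0' || errno == ERANGE) {
			fputs("usage: rpass [bitlen]\n", stderr);
			exit(1);
		}
	} else
		bits = 40.0;
	/* … unchanged: bits <= 0 check and word generation loop … */
```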