In my last post, I explained how you can sync your KeePass password safe with the cloud and access your credentials on your Android phone. Storing passwords in a database, even an encrypted one, is risky. Syncing passwords with the cloud is riskier. Loading your password safe on your phone—a phone that you can lose at any moment—is the ultimate risk that password management has to offer. However, many of us online junkies are willing to take the risk because, nowadays, managing your entire IT infrastructure from a phone has the ultimate cool factor.
A slave password generator is an alternative to a password safe because it also allows you to access all your passwords from everywhere. Its major advantage is that it doesn’t have to store the password in a database. Furthermore, what isn’t stored in a database doesn’t have to be synced, and what doesn’t have to be synced can’t get into the wrong hands. Notice that I just came up with the term “slave password generator” because the term “master password tool,” which many seem to prefer, can easily be confused with password safes that also require a master password. Also note that I wasn’t the first one who had the idea.
The method isn’t new, but, thanks to some new tools, it is gaining popularity. The concept is simple. As with a password safe, you memorize one secure master password. All your other passwords (let’s call them slave passwords) are generated whenever you need them. For this, a slave password generator mixes your master password, the name of the service, and the corresponding user name into a hash algorithm that miraculously always spits out the same slave password. When you set the password for a particular service the first time, you use the master password tool to generate the slave password. You can then forget the slave password and just generate it again when you sign into this service.
This works because the hash is one-way: given the slave password, the user name, and the service name, it is computationally infeasible to recover the master password, provided the master password itself is strong enough to withstand offline guessing. Thus, if one of your slave passwords has been compromised, say because the service provider stored its users’ passwords in clear text and hackers gained access to its database, you don’t have to worry that your other passwords will fall into the hands of some reckless hacking kids.
Several slave password generators exist. Most are for phones, which makes sense because these gadgets have essentially become bodily organs that are always with us. I tried the free MasterPassword app for Android, and I like the tool.
MasterPassword can store the user name and a description of the service in its database. You can configure the password length, the character set, and the variation. The latter is an important feature because it allows you to change the password. If you want to set a new password for a particular service, you just increment the variation by one and re-generate the slave password.
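As an added example (not code from the original post and not the Master Password project's own algorithm, whose parameters differ), here is a minimal slave password generator in Python that shows the mechanism described above: the master password is stretched with a slow KDF, the service name, user name and variation counter are mixed in, and the result is mapped onto a character set. The function names, salt label and KDF parameters are my own choices.

```python
import hashlib
import hmac

# Added example: a deterministic "slave password" generator in the spirit of the
# post, NOT the Master Password project's own algorithm (its parameters differ).
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*()-_=+")


def master_key(master_password: str, user_name: str) -> bytes:
    """Stretch the memorized master password with a slow KDF.

    The user name is the salt, so two people who happen to pick the same
    master password still get different keys. The iteration count makes
    offline guessing from a leaked slave password expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               b"slavepw-v1|" + user_name.encode("utf-8"),
                               200_000, dklen=32)


def slave_password(master_password: str, user_name: str, service: str,
                   variation: int = 1, length: int = 16) -> str:
    """Derive the per-service password; bump `variation` to rotate it."""
    key = master_key(master_password, user_name)
    # Service, user and variation counter are bound into the HMAC message
    # with NUL separators so "ab"+"c" cannot collide with "a"+"bc".
    msg = f"{service}\x00{user_name}\x00{variation}".encode("utf-8")
    # Rejection sampling: only bytes below `limit` are used, so every
    # alphabet character is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    out, block = [], 0
    while len(out) < length:
        # Counter-mode expansion lets the output exceed one digest (32 bytes).
        chunk = hmac.new(key, msg + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in chunk:
            if len(out) == length:
                break
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Same inputs always yield the same password; a new variation rotates it.
    print(slave_password("correct horse battery", "alice", "example.com"))
    print(slave_password("correct horse battery", "alice", "example.com", variation=2))
```

Nothing here needs to be stored: only the master password is memorized, and the service name, user name and variation are the metadata a tool like MasterPassword keeps for convenience.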
MasterPassword - User editor
MasterPassword also allows you to generate a secret answer. Many online services require you to configure a secret answer in case you forget your password. After you enter your master password, the tool loads a search box where you can start typing the name of the service to which you want to sign on. It is possible to assign multiple accounts for a particular service.
Searching a service in MasterPassword
A tap on the user name generates the slave password. You can then copy the password to the clipboard or directly open another app to which MasterPassword sends the password. The latter didn’t work with all apps in my test.
MasterPassword generates the slave password
Master Password project
A major drawback of a phone, compared to a hand or a brain, is that you can forget it. Until our engineers take this final hurdle and overcome the phone–brain barrier, a slave password generator tool that isn’t dependent on one device could prove to be useful when your phone sits idly on your nightstand while you try to remember your new login password at work. Because the miraculous trick of generating the same slave password for a particular service only works if the tool uses the same hash algorithm, you can’t use just any slave password generator to re-generate your passwords.
The open source project Master Password solves this problem by offering its tool for all popular operating systems. Actually, since Master Password is also available for Java, the tool works on essentially any device. Windows machines belong to this category because, currently, no native Master Password implementation exists for the PC OS. There is even a web version. However, I am unsure if it really makes sense to enter your master password in a web form.
The Android version is only available as a beta and isn’t listed in Google Play. You have to upload the APK file to your cloud drive and manually install it from there on your phone. Note that you first have to allow the installation of apps from unknown sources in the security settings of your phone.
Master Password on Android
A downside of Master Password for Android is that it doesn’t allow you to store user and service names. This can be a real issue if you intend to use the tool for services that you only use every now and then. Security purists could object that you get maximum security only if you don’t store any information about your credentials. The objection is valid, but for me it means that I can’t use the tool because I have too many different user names.
The Java version appears to be able to store user names and sites, but this didn’t work when I tried the app on Windows. But, as you can see in the screenshot below, it generates the same slave password as the Android tool.
The Java app of Master Password on Windows
I think the Master Password project is interesting. The current version of the tool is very simple, if you compare it to a mature password safe such as KeePass. With Master Password, you can essentially create the slave password, and that’s it.
And KeePass?
The best solution would be if I could use my password safe, which in my case is KeePass, to generate slave passwords. Password safes pride themselves on the ability to create random passwords. But this method might be less secure than creating non-random passwords in combination with the option of not storing the slave passwords in the database.
If an attacker gains access to the database contents, say if he steals your laptop while your KeePass database is unlocked, all your passwords are compromised. Of course, if you use a password safe as a slave password generator, you have to enter the master password whenever you generate a password. The advantage of using a password safe in combination with non-random password generation is that you can store additional information, such as login URLs, with your credentials.
Keepass2Android, which I reviewed last time, offers a plugin that allows you to generate non-random passwords. However, the current version number is 0.1 and it appears to be not ready for use in practice. The installation and configuration instructions, which presently are only available in German, are quite complicated and didn’t work on my Android 4.3 test system in a VirtualBox VM.
An alternative solution could be to always generate your passwords with a slave password generator and store them in your KeePass database together with the metadata of the service. On your phone, which is probably a more vulnerable device, you only use the slave password generator. That method eliminates the need to store your KeePass database in the cloud.
What’s your point of view? Password safe or slave password generator?