rnhmjoj/scat
1
0
Fork 0
mirror of https://github.com/redelmann/scat synced 2025-01-09 22:24:19 +01:00
Code Issues Releases Wiki Activity

Updated the README.

Browse Source
This commit is contained in:
Romain Edelmann 2013-08-12 19:21:01 +02:00
parent b14cf29657
commit e3faa0e264
1 changed files with 64 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
README.md
View File

@ -2,38 +2,37 @@
# scat
`scat` is a *password scatterer*. It allows the generation of unique passwords for each service,
website, email address or account you might have, all from a single password.
## Disclaimer
`scat` is not the best one can achieve in security. If you are interested in a more secure system, look at [pwsafe][pwsafe] for instance.
The system is potentially vulnerable when an attacker can gather generated keys.
That being said, if you tend to reuse the same password everywhere and do not want to store all passwords in a database,
you might be better off using `scat` than to keep using the same password or a slight variation for each website.
website, email address or account you might have, all from a single password and a secure code you keep.
## Motivation
Nowadays, accounts for many services such as Facebook, Twitter, Reddit, Google, Amazon, your bank account, etc. are needed.
In a perfect world, all those accounts would have different passwords, so that, if someone gets to know, let's say, your Facebook password,
they don't gain access to your bank account and your money as well. But, on the other hand, who would like to remember dozens and dozens of different passwords?
they don't gain access to your bank account and your money as well. But, on the other hand, who would like to come up with dozens and dozens of different passwords? Moreover, if you ever lose access you key chain, how can you recover all your passwords?
`scat` is the solution to this problem. It allows you to safely generate for each website or service you suscribe to a unique password. All you have to do is remember a single, as strong as possible, password.
`scat` is the solution to this problem. It allows you to safely generate for each website or service you suscribe to a unique password. All you have to do is remember a single, as strong as possible, password and securely keep a long random code.
Given the same service and password, `scat` will always generate the same password, so you don't have to remember them or note them down!
Given the same information, `scat` will always generate the same password, so if you were to completely lose your entire key chain,
you can always retrieve them.
Passwords generated by `scat` are very secure and independant of each others. If by misfortune one of the generated password is compromised, all other passwords are still safe, and so is the password you used to generate them.
## How to use
`scat` is a secure password generator. It does not replace your favorite secure key chain, but it should be seen as a completement to it. Use `scat` to generate a different password for each of the service you suscribe to, and use your key chain (such as [pwsafe][pwsafe] for instance) to keep the generated passwords.
## Example
To use `scat`, simply call it specifying which key, or service, it must generate a password for.
Then, simply enter your password (which is, in this example, `pony1234`):
Then, simply enter your password (which is, in this example, `pony1234`, and code, `AGDE2-DGXA4-33DLQ-WEDAP-GYPQ9`):
```
> scat -c -k "github"
> scat -c -S "github"
Password:
Confirm:
Code: AGDE2-DGXA4-33DLQ-WEDAP-GYPQ9
Generated password:
p3sz\x9vUsn{"Kjzxt
k2'8n?QXwmptbJ7D44
```
> Note that `pony1234` is **not** your github password. It's the original password you use to generate other passwords.
@ -42,29 +41,63 @@ p3sz\x9vUsn{"Kjzxt
Let's say that you now want to generate a Facebook password:
```
> scat -c -k "facebook"
Password:
> scat -c -S "facebook"
Password:
Confirm:
Code: AGDE2-DGXA4-33DLQ-WEDAP-GYPQ9
Generated password:
6yorHvhrpj#8Yce:bl
{g6e2hsKjh#Ra*\ks(
```
The password generated for Facebook is completely different from the one it generated for GitHub.
Imagine now that your are on an other computer, with no access to your keychain, and you would like to login to Facebook (just for 5 minutes).
Imagine now that your are on an other computer, with no access to your key chain, and you would like to login to Facebook (just for 5 minutes).
To your great despair, there is no way you can remember your obscure password!
However, as `scat` is fully deterministic, you can simply call it once more, to generate once again the exact same password, this time from another computer.
However, as you always keep your code with you and `scat` is fully deterministic, you can simply call it once more, to generate once again the exact same password, this time from another computer.
```
> scat -c -k "facebook"
Password:
> scat -c -S "facebook"
Password:
Confirm:
Code: AGDE2-DGXA4-33DLQ-WEDAP-GYPQ9
Generated password:
6yorHvhrpj#8Yce:bl
{g6e2hsKjh#Ra*\ks(
```
> **CAUTION** `scat` is not an excuse to use a weak password such as `pony1234`. Always use a strong password (that you can remember) with `scat`.
## Generating a suitable code
There are many ways to generate and store a suitable code. For instance, you can use a key such as [those provided by yubico][yubico-key], which can [generate and store static keys][yubico-static]. Be sure to use the maximal key size!
However, if you do not want to invest in a key, there exists secure solutions at your disposition that won't code you anything.
For this, all you need is two dice that you can differentiate (one red and the other black for instance) and a small piece of paper (for instance of credit card format).
For 25 consecutive rounds, throw the two dice, lookup the result in the table below and report it on the piece of paper.
You may want to put a dash between the various results, or any other separator, to increase readability.
Die 1 | Die 2 | Result | | Die 1 | Die 2 | Result | | Die 1 | Die 2 | Result
:---: | :---: | :----: | | :---: | :---: | :----: | | :---: | :---: | :----:
1 | 1 | 1 | | 3 | 1 | C | | 5 | 1 | O
1 | 2 | 2 | | 3 | 2 | D | | 5 | 2 | P
1 | 3 | 3 | | 3 | 3 | E | | 5 | 3 | Q
1 | 4 | 4 | | 3 | 4 | F | | 5 | 4 | R
1 | 5 | 5 | | 3 | 5 | G | | 5 | 5 | S
1 | 6 | 6 | | 3 | 6 | H | | 5 | 6 | T
2 | 1 | 7 | | 4 | 1 | I | | 6 | 1 | U
2 | 2 | 8 | | 4 | 2 | J | | 6 | 2 | V
2 | 3 | 9 | | 4 | 3 | K | | 6 | 3 | W
2 | 4 | 0 | | 4 | 4 | L | | 6 | 4 | X
2 | 5 | A | | 4 | 5 | M | | 6 | 5 | Y
2 | 6 | B | | 4 | 6 | N | | 6 | 6 | Z
Yet another solution would be to get a set of cards (a deck of 32 cards is sufficient). Shuffle it for some time, and then shuffle it again, just to be sure. Get a piece of paper and note down the order of the cards, using an abreviation for each card. For instance, you can use `KS` for for the King of Spades and `10H` for the 10 of Heart. You can now either keep the piece of paper securely with you, or keep your set of cards in the same order always in your bag and starting over when you need the code!
### What if I lose my code?
If you still have access to the key chain on your computer, no big deal, just generate a new random code and change all your passwords when convenient. If you have ever lose your code, the only consequence is that you can not re-generate a previously generated password.
Now, if you lose access to both your key chain and your code, all your passwords are definitely lost. Sorry.
## Security
By default, `scat` will generate password of length 18, using a mix of lower case letters, upper case letters, digits and various ascii symbols.
@ -84,21 +117,22 @@ If you want, for some reason, an easily rememberable passphrase, for let's say F
which will output 5 words out of the 7776 words of [the Diceware list][diceware].
```
> scat -c -k "facebook" -s diceware
Password:
> scat -c -S "facebook" -s diceware
Password:
Confirm:
Code: AGDE2-DGXA4-33DLQ-WEDAP-GYPQ9
Generated password:
ieee te real sepoy whiff
101 dry whoa foil barb
```
Or, if you prefer Pokémons:
```
> scat -c -k "facebook" -s pokemons
> scat -c -S "facebook" -s pokemons
Password:
Confirm:
Generated password:
Zapdos 27, Vulpix 43, Venusaur 21, Staryu 12
Snorlax 5, Weedle 35, Raichu 27, Alakazam 99
```
### Summary of available schemas
@ -150,6 +184,8 @@ Name | Contributions
:--- | :------------
Romain Edelmann | Initial work on the project.
[yubico-key]: http://www.yubico.com/products/yubikey-hardware/
[yubico-static]: http://www.yubico.com/products/services-software/personalization-tools/static-password/
[pwsafe]: http://nsd.dyndns.org/pwsafe/
[diceware]: http://world.std.com/~reinhold/diceware.html
[haskell-platform]: http://www.haskell.org/platform/