Passmash - The Site Specific Password Munger

January 30, 2012

Passmash is a new command-line password munger. It has been tested to work on Linux with X and on Mac OS X. It should also work on Windows.

What is a Munger?

A munger takes a password and turns it into another password, "munging" it. In particular, passmash takes

  • A password (supplied interactively at the prompt)
  • A URL (or other identifier) (supplied as a command line argument)
  • A secret key (kept at ~/.ssh/passmash.key)

and returns a password. It has the advantages of a password manager without having to worry about syncing a password database. The key file is static, so simply keep a (possibly encrypted) backup of it. If you lose the key file, you will not be able to recover your passwords.

Example Usage

In most circumstances you will want to use the pm command:

$ pm myurlhere.com
Password:

$

This command automatically generates the password and copies it to your clipboard. On Linux it uses xclip -selection clipboard, on Mac OS X it uses pbcopy and on Windows it uses clip.

On any other operating system (OpenBSD, for example) it pretty-prints the password for easy typing, e.g.:

$ pm myurlhere.com
We don't yet support OpenBSD for autoclipboard copying
Password:

5KrUw4pBgC89LGxggXEIFtjM41aPc+/GxH+cumCuTo4
5KrUw - 4pBgC - 89LGx - ggXEI - FtjM4 - 1aPc+ - /GxH+ - cumCu - To4

Technical Details

Passmash uses a SHA-256-based HMAC with key strengthening:

import hmac
from hashlib import sha256

def mash(key, url, password):
    # key, url and password are byte strings (bytes on Python 3)
    # HMAC-SHA256 keyed with the key file contents, over password then url
    h = hmac.new(key, password, sha256)
    h.update(url)
    # key strengthening: feed the running digest back in 250,000 times (xrange on Python 2)
    for _ in range(250000):
        h.update(h.digest())
    return h.digest()

On my machine (a 2.0 GHz Core2) it takes around 1 second to derive a password using this function. A more secure version of the same utility could make use of bcrypt or scrypt. However, either would add an external dependency.
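As an added example (not passmash's own code), here is the derivation above carried through to the printed form shown under Example Usage: the 32-byte digest is base64-encoded with the trailing padding dropped (an assumption about passmash's encoding, chosen because it matches the 43-character sample) and split into 5-character groups. The rounds parameter and the demo key are constructed for illustration.

```python
import base64
import hmac
from hashlib import sha256

ROUNDS = 250000  # passmash's iteration count (about 1 s on a 2.0 GHz Core2)


def mash(key: bytes, url: bytes, password: bytes, rounds: int = ROUNDS) -> bytes:
    # HMAC-SHA256 keyed with the key file contents, over password || url, then
    # strengthened by feeding the running digest back into the MAC `rounds` times.
    h = hmac.new(key, password, sha256)
    h.update(url)
    for _ in range(rounds):
        h.update(h.digest())
    return h.digest()


def encode(digest: bytes) -> str:
    # 32 bytes -> 44 base64 characters; dropping the single '=' leaves the
    # 43-character string seen in the sample output (assumed encoding).
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def pretty(password: str, group: int = 5) -> str:
    # Groups of five joined by " - ", as printed when no clipboard tool is available.
    return " - ".join(password[i:i + group] for i in range(0, len(password), group))


def derive(key: bytes, url: str, password: str, rounds: int = ROUNDS) -> str:
    # Full pipeline: the site password for `url` from the key file contents
    # and the master password.
    return encode(mash(key, url.encode("utf-8"), password.encode("utf-8"), rounds))


if __name__ == "__main__":
    # Constructed demo key; a real key would be read from ~/.ssh/passmash.key.
    key = b"constructed-demo-key-bytes-not-a-real-key-file"
    site_password = derive(key, "myurlhere.com", "master password here")
    print(site_password)
    print(pretty(site_password))
```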

This password derivation function should provide a strong defense against an attacker who has:

  • A password generated from the function (perhaps obtained from a hacked website).
  • The algorithm (e.g. they know you use this program to generate your passwords).

And optionally:

  • The key file, or
  • the "master" password (but not both).

If your "master" password has sufficient entropy then your other passwords generated with the same key should be reasonably secure against a brute force attack.

Happy Munging!

Ternary Search Tries for Fast Flexible String Search : Part 1

June 2, 2011

Searching a large corpus of strings is a problem many applications have to solve, whether the application features autocomplete boxes or full-text search. Efficient methods for conducting such searches are not always readily apparent to the algorithm designer. In this series of articles I will present a data structure known as the Ternary Search Trie (TST) which is designed to assist in solving this problem. For this introductory article I will not discuss algorithms in detail but only provide a high level overview of the structure and algorithmic running time for various operations. In the next article I will detail the process of maintaining the structure with insertions and deletions. The final article will discuss different flexible search algorithms and their implementations.

How To: Write Self Updating Python Programs Using Pip and Git

May 23, 2011

If you are a pip[1] and virtualenv user you already know how easy it is to install Python packages. Unlike the bad old days when I started programming in Python, 9 years ago, it is now easy to add, remove and manage Python modules. In fact we can leverage pip to create an update command for a Python program; for example, and for ease of illustration, a shell utility.

Announcing swork - Simplify your Shell Configuration

May 18, 2011

If you are like me, and if you are reading this you may very well be, you spend an inordinate amount of time juggling inane details, like shell environment variables, while programming. Now there is nothing wrong with setting, exporting, and then unsetting variables, mounting and unmounting FUSE partitions, starting routine backups, and so on, but it does get tedious after a while. Eventually, you may have written a host of scripts to solve these various problems. Today I present swork (or "start work"), a command-line utility to help manage these little one-off scripts with ease.

Grammars, Ambiguity, and Expressibility

February 17, 2011

Last night I gave a talk at CWRU Hacker Society about formal languages. This is the first talk in a series of lectures I will be giving on compilers. Unfortunately, unlike my regular expression talk, I did not get a recording of the audio. I may do a write-up of exactly what I talked about later. Until then, enjoy my "slides."

Hacker Trading Cards

January 28, 2011

The spring career fair at Case Western Reserve University is coming up next week. Instead of collecting swag from all the employers, we decided to make Hacker Trading Cards to give to companies as CWRU Hacker Society swag! We would like employers looking to hire CS students to give talks at Hacker Society this semester and thought this was a creative way to get their attention.

RE: BASIC (Or, The First Programming Book I Ever Read)

January 10, 2011

Cross-posted from stevejohnson.posterous.com

Over the holidays someone gave me a copy of the first programming book I ever read. In rereading it, I found much more than when I first read it at nine years old.

BASIC Programming for Kids
by Roz Ault

Interpreting the Free Software Movement as Religion

December 8, 2010

A person should aspire to live an upright life openly with pride, and this means saying “No” to proprietary software.

        - RMS

Introduction

The Free Software movement, which began in earnest twenty-five years ago, has become one of the most quietly influential movements of the Internet age. Today, many social phenomena occurring in our networked world, such as Wikileaks, can be understood more completely by understanding the Free Software movement. The Free Software movement can be usefully analyzed from many perspectives; however, this paper will use the lens of religion. Specifically, the movement will be analyzed from the context of selected writing from its founder, Richard M. Stallman, using the categories defined by Mircea Eliade. Through the use of Eliade's categories one understands Stallman to be demarcating the sacred from the profane in an attempt to return to an archaic past.

Writing an interactive REPL in Python

July 7, 2010

Today I figured out how to write a REPL prompt with history and editing in Python. Normally when you are just using the built-in "raw_input" in a while loop, things don't work quite right. The arrow keys don't necessarily work as expected, and there are other problems. I looked at curses, and a couple of other options, but ended up writing my own solution.

Lessons Learned While Implementing a B+Tree

April 10, 2010

B+Trees are complex disk-based trees used to index large amounts of data. They are used in everything from file systems, to relational databases, to the new-style databases gaining popularity today. Sometimes a domain-specific application needs to index a large amount of data, but cannot use a traditional database or one of the NoSQL databases. In such instances the development team needs to roll their own indices. Here is an introduction to the B+Tree (one of the indexes my team created) and the lessons I learned while implementing it.
