I keep all of my passwords in a password manager. My password manager of choice is Keepass. I used because it’s open-source, free and doesn’t require me to be locked into a cloud-based server. If I require syncing across devices then I can use Google Drive or iCloud services I’m already using.
This means the only password I need to remember is the master password for my database. To keep this secure I make it a long passphrase with quirks. Quirks are like weird little rules I make to make my passphrase more secure.
For example, I start with the passphrase “TheQuickBrownFoxDiedPainfully.”, it’s memorable and very long making it hard to crack. I add a couple of quirks, for example
This means my final password is “Th3QuickbROWNF0xDi3dpAINULLY” This an even harder password to crack and still easy… relatively… to remember. You just need the Phrase and to know the rules.
This worked for me for the longest time, until it didn’t.
I change my password every few months and since upgrading my Mac Book Pro I started using the biometric scanner. In other words, I was no longer constantly typing in my password.
You can already guess what happened right? I forgot which quirks I had assigned to my current password. Bummer. I still knew the passphrase and a general idea of which quirks I had assigned, only I couldn’t remember exactly. This meant that I had a number of potential passwords that I needed to check.
I tried guessing using educated guesses but that was taking too much time. Then I decided to automate, after all I’m a programmer, I’m too cool to be trying a bunch of passwords repeatedly!
Let’s over engineer this shall we!
I wrote a script to generate a list of potential passwords. It uses a simple template where the characters in between [] represent different potential options, e.g. p[aA]ssword will generate “password” and “pAssword”. It worked a little too well since it gave me ±5000 potential passwords.
The first idea was to use something like pykeepass, to test each password. That would have worked, but it would take too long and ain’t nobody got time for that.
The solution I ended up with was to use extract the hashed master key then check the generated passwords against it.
To extract the master key I used John The Ripper, ps, do not use the python version because it gets some wrong values.
./JohnTheRipper/run/keepass2john database.kdbx > database.hash
I had to remove the file name from the start of the hash file. Then to check the passwords I used Hashcat.
./hashcat -a 0 -m 13400 database.hash word_file.txt
After a few minutes, I had my password.
Not bad for an hour’s worth of work right? I changed the password and made the quirks easier to remember. Next, I disabled my touch id for Keepass, now I’m typing in my password just so as to not forget it again.
Today I am working on a summation problem made to look like building a tower out of cubic bricks. It’s fun to brute force sometimes.
Coming back to Rust code after a bit of a hiatus with a simple problem… The Two-sum problem. Finding numbers in an array. Yay, fun.
King Pinn: I Salute You. I’m driving halfway across the country and this song is on repeat. Rest in Peace Tonderai Makoni. You were awesome.
After a few weeks off I’m back to business. This is just an update post detailing plans for the rest of the year.
At last we finally have the great reveal, our mystery project was implementing RSA encryption in rust.