Password Reconstructor

Version 1.7 beta, developed by Richard B. Tilley (Brad)

HMAC Complex

FAQs as documented by the author

How do I remember multiple passwords?

You might pick a sentence such as Tubby loves TACOS! then in the word field, use a different word for each site you visit. For example, for facebook, your word may be facebook. For twitter, your word may be twitter. Or, you could use an entirely different sentence and word for each site you visit. Whatever scheme you come up with, keep it consistent.

How do I deal with frequent password changes?

Tubby loves TACOS! might be your sentence and BILLS might be your word for an online banking site. When the bank requires a password change, increment the word. For example, your word would change to BILLS1 then during the next password change BILLS2, etc. There are multiple ways to deal with frequent password changes, but this approach is my favorite.

What if a site requires complex passwords?

Use one of the base64 encodings. These generated passwords should have upper, lower, numbers and special characters and they're almost certain to have at least upper, lower and numbers. SHA1_Pass 1.7 has a 'Complex' option that ensures generated passwords contain at least one uppercase English letter, one lowercase English letter, one number and one special character by appending the string '.H0k' to the end of generated passwords. This adds no additional security, but does satisfy most password complexity policies that require 3 of 4 or 4 of 4 character set selection.

How strong is a SHA1_Pass password?

Halves are 80-bits. Wholes are 160-bits. Use wholes whenever possible and only revert to halves when sites you visit cannot accept wholes. When sites cannot accept wholes, send a note to them pointing out their negligence and insufficient password security practices and threaten to discontinue using the site. The bit strength of a SHA1_Pass generated password is only as good as the sentence and the word used to generate that password.

What does HMAC do?

When enabled, the HMAC option (introduced in 1.5-BETA2) generates HMAC-SHA1 hashes, rather than plain SHA1 hashes. HMAC-SHA1 hashes better resist certain types of attacks should your hash ever fall into an attacker's hands. Use it if you are ultra-paranoid.

How does SHA1_Pass generate HMAC-SHA1 hashes?

The user-provided input (sentence and word) is the HMAC key. The string constant SHA1_Pass is the HMAC message. See OpenSSL examples for more details.
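The generation scheme the FAQ describes (HMAC-SHA1 keyed by the sentence and word, constant message SHA1_Pass, base64 output, 80-bit halves versus 160-bit wholes, the '.H0k' Complex suffix, and the BILLS1/BILLS2 word rotation), written out as an added Python example; this is not the author's SHA1_Pass code. Not specified on the page and therefore assumed here: the sentence and word are joined with a single space before UTF-8 encoding, a "half" is the leading 10 of the 20 digest bytes, and standard base64 is used.

```python
import base64
import hashlib
import hmac

# Constant HMAC message named in the FAQ.
MESSAGE = b"SHA1_Pass"
# Suffix the 'Complex' option appends, as stated in the FAQ.
COMPLEX_SUFFIX = ".H0k"


def sha1_pass(sentence: str, word: str, *, use_hmac: bool = True,
              whole: bool = True, complex_policy: bool = False) -> str:
    """Reconstruct a SHA1_Pass-style password from a sentence and a word.

    Assumptions (not specified on the page): the key is the sentence and
    word concatenated with one space, UTF-8 encoded; a 'half' is the first
    10 of the 20 digest bytes (80 bits); output is standard base64.
    """
    key = f"{sentence} {word}".encode("utf-8")  # assumed key construction
    if use_hmac:
        digest = hmac.new(key, MESSAGE, hashlib.sha1).digest()
    else:
        digest = hashlib.sha1(key).digest()  # plain SHA1 of the key
    if not whole:
        digest = digest[:10]  # 80-bit half (assumed: leading bytes)
    password = base64.b64encode(digest).decode("ascii")
    if complex_policy:
        password += COMPLEX_SUFFIX  # satisfies policy, adds no entropy
    return password


def meets_3_of_4(password: str) -> bool:
    """Check the '3 of 4 character sets' style policy the FAQ mentions."""
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


def increment_word(word: str) -> str:
    """Apply the FAQ's rotation rule: BILLS -> BILLS1 -> BILLS2 -> ..."""
    digits = ""
    while word and word[-1].isdigit():
        digits = word[-1] + digits
        word = word[:-1]
    return f"{word}{int(digits) + 1 if digits else 1}"
```

Because the output is a deterministic function of the key, the strength of any generated password is exactly that of the sentence plus word, as the FAQ states; the suffix and encoding add nothing an attacker who knows the scheme does not already have.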