Author: David Waring
Source Code: GitHub
Website: Web Implementation
PSWD is a pseudo-random password generator, meaning that it will generate a seemingly random string of letters, numbers and symbols as the final site-specific password. However, when given the same set of input criteria it will generate the same password. Passwords generated using this method don't need to be written down or stored on your computer or using any third-party service. When needed, they can simply be regenerated.
The inputs required to generate a password include:
Optional settings include:
PSWD uses a two-step hashing process to generate the passwords as set forth in the paper A Convenient Method for Securely Managing Passwords (J. Alex Halderman et al.; 2005). This implementation uses the SHA-256 cryptographic hash function created by the U.S. National Security Agency.
The first step creates a "user token" by hashing the supplied username and master password. This step is designed to take a significant amount of time (between 30 and 90 seconds) by repeatedly hashing the token 10^7 times. This is done to deter brute-force attacks that attempt to recover the master password from a stolen site password. As a compromise for convenience, this user token can be locally cached so it does not have to be computed each time a password is generated.
The second step involves hashing the cached user token, the master password and the domain. The hash function is repeated far fewer times, so this step is almost instantaneous. The end result is a site-specific hash using the digits 0-9 and letters a-f.
The final step is processing any of the optional settings (password length, uppercase letters and symbols). When given the same input settings, these options will be applied in the same manner every time. This ensures that the same exact password will be generated each time.
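As an added illustration of the three steps described above (example code written for this page, not the project's own implementation), the sketch below separates the slow user-token step, the fast site-hash step and the deterministic post-processing. The concatenation order, the step-2 round count, the symbol table and the uppercase/symbol placement rules are assumptions; the iteration counts are parameters so the slow step can be lowered for testing.

```python
import hashlib

SYMBOLS = "!@#$%^&*"  # fixed symbol table (assumption, not the project's)


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def user_token(username, master_password, iterations=10**7):
    """Step 1: hash username + master password, then rehash the hex digest
    `iterations` times. 10^7 rounds is deliberately slow; the result is the
    cacheable user token. Concatenation order is an assumption."""
    token = _sha256_hex(username + master_password)
    for _ in range(iterations):
        token = _sha256_hex(token)
    return token


def site_hash(token, master_password, domain, iterations=1000):
    """Step 2: hash token + master password + domain with far fewer rounds,
    giving a 64-character lowercase hex string. Round count is an assumption."""
    digest = _sha256_hex(token + master_password + domain)
    for _ in range(iterations):
        digest = _sha256_hex(digest)
    return digest


def apply_options(site_hex, length=16, uppercase=False, symbols=False):
    """Step 3: deterministic post-processing (assumed rules). `length` must
    not exceed the 64 hex characters available."""
    chars = list(site_hex[:length])
    if uppercase:
        # uppercase every letter at an even index; digits are unaffected
        chars = [c.upper() if i % 2 == 0 else c for i, c in enumerate(chars)]
    if symbols:
        # position and symbol are derived from the hash itself, so identical
        # inputs always place the identical symbol
        pos = int(site_hex[:2], 16) % length
        chars[pos] = SYMBOLS[int(site_hex[2:4], 16) % len(SYMBOLS)]
    return "".join(chars)


def generate(username, master_password, domain, token_iterations=10**7, **options):
    token = user_token(username, master_password, token_iterations)
    return apply_options(site_hash(token, master_password, domain), **options)


if __name__ == "__main__":
    # constructed sample inputs; a small round count keeps the demo instant
    print(generate("alice", "correct horse", "example.com",
                   token_iterations=1000, uppercase=True, symbols=True))
```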
The following implementations are currently available:
Python - This provides a command line interface that should work across different systems.
Android - This is an Eclipse project that includes a fully-functional Android app implementing the PSWD v3 algorithm in Java. The app will cache User Tokens as encrypted strings in the app's SharedPreferences.
Java - These are the Java functions that are used in the Android application.
Web - This is a web front-end that caches the user token as an encrypted cookie and passes all arguments to the Python script, which is run on the server. This uses Twitter Bootstrap v3 and PHP scripts for encryption and the system call to pswd. This is a copy of https://pswd.davidwaring.net/
The following is the usage of the Python command line script.
The following image details the steps of the PSWD algorithm with the right half showing the generation of an example password for each step. The image is also available as a PDF from here: https://pswd.davidwaring.net/images/algo.pdf
The dark green fields indicate user-entered variables and options. The light green fields indicate calculated variables. The '+' sign shows when two or more variables were concatenated together to form a single variable.