pwdhash 0.3.2 → 0.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: bb0a326c401db28d80926db611907417abd26c83
-  data.tar.gz: 6e0c010c435d13f50b3c4e7d582f72ce47140ef1
+SHA256:
+  metadata.gz: 80965617c1934a63980a9dc44272917781ed932ede352980404899742b786166
+  data.tar.gz: f4f462e26e0af2defbd9d8d011e959fc3edac2c4601d991741685e7161fe6dd7
 SHA512:
-  metadata.gz: c4ff8c1cb1d94d97176abd54c4997a44750d85d4942f83acb5ac232a907560021af99cb7fad637ecc1d2edce8d10cc2473e18d50916e9fba8abc2c4d33b9f96c
-  data.tar.gz: e1d4f23b0bac24fb7e9b2e7cf2ddab0a7b1627b57b04b06ac492ef9d95e3417ee4fb29d3aa0f47c494eedc3c44169e30ca0058fcbd40175b0d28b39ea2c9c402
+  metadata.gz: ba69797cbb0fad88fdaa469c17f3b21e3d5d532bb71e9070ece6c1178e135e550578e81a982f83f9f3ae82d7be633bdbf6c225479b597b56323a53cd8f9de9b5
+  data.tar.gz: 778b565e64c59a764ac6bab2ca5592336afcb71cdfc1a446c8ddc035e28acc34698f554f88b4675425efed318c5f0e660cac0b1759856cd32770f0c9ea75c750

data/README.markdown

@@ -6,7 +6,7 @@ Generates PwdHash passwords from the command line.
 
 This is a simple Ruby command line tool to generate hashed passwords, using PwdHash's algorithm.
 
-PwdHash was written as a browser plugin, but sometimes we'd like to extend its use to desktop applications too. e.g. IM clients, Dropbox, etc. just to name a few.
+PwdHash was written as a browser plug-in, but sometimes we'd like to extend its use to desktop applications too. e.g. IM clients, Dropbox, etc. just to name a few.
 
 This tool is essentially a *straight* copy of [Chris Roos' implementation][chris-roos-impl], with a couple of command line interface improvements:
 
@@ -28,17 +28,41 @@ This tool is essentially a *straight* copy of [Chris Roos' implementation][chris
     Password for example.com:
     5NBoCKraALBs
 
-    $ pwdhash example.com | xcilp # Put generated password to X clipboard
+    $ pwdhash example.com | xclip # Put generated password to X clipboard (paste with middle-click)
+    $ pwdhash example.com | xclip -selection c # Put generated password to X clipboard (paste with CTRL+V)
     $ pwdhash example.com | pbcopy # Or in OS X
     > pwdhash example.com | clip # Or in Windows
     $ pwdhash example.com | putclip # Or in Cygwin
 
+## PwdHash2
+
+Some vulnerabilities of PwdHash have been exposed in [Cracking PwdHash: A Brute-force Attack on Client-side Password Hashing][cracking-pwdhash], along with a [proof-of-concept][pwdhash-poc] update to PwdHash. The updated algorithm (with PBKDF2-SHA256 + salt + multiple iterations) has been implemented as a Firefox Add-On at [GWuk/PwdHash2][gwuk-pwdhash2].
+
+The corresponding algorithm can be used with:
+
+    $ pwdhash2 URI [SALT] [ITERATIONS]
+
+    $ pwdhash2 example.com ReplaceThisSalt 50_000
+    Password for example.com (salt = 'ReplaceThisSalt', iterations = 50000):
+    IHC8WhmO40v
+
+*SALT* can be defined in `PWDHASH2_SALT` environment variable.
+
+*ITERATIONS* can be defined in `PWDHASH2_ITERATIONS` environment variable.
+
+    $ pwdhash2 example.com | xclip -selection c # Put generated password to X clipboard (paste with CTRL+V)
+
 ## Attribution
 
 The library part of this tool is a *straight* copy of [Chris Roos' implementation][chris-roos-impl]. The reason this git repository is set up is because: a) Chris Roos decided to put the code in an obscure corner in a pile of code which makes it hard for people to find and b) GitHub uses git :p
 
-The PwdHash plugin and the PwdHash algorithm is contributed by [Stanford PwdHash][stanford-pwdhash].
+The PwdHash plug-in and the PwdHash algorithm is contributed by [Stanford PwdHash][stanford-pwdhash].
+
+The PwdHash2 algorithm is contributed by [David Llewellyn-Jones and Graham Rymer][pwdhash-poc].
 
 [chris-roos-impl]: http://chrisroos.co.uk/blog/2007-04-11-getting-to-grips-with-pwdhash
 [stanford-pwdhash]: http://pwdhash.com
 [usenix-paper]: http://crypto.stanford.edu/PwdHash/pwdhash.pdf
+[cracking-pwdhash]: https://www.researchgate.net/publication/316267246_Cracking_PwdHash_A_Bruteforce_Attack_on_Client-side_Password_Hashing
+[pwdhash-poc]: https://github.com/llewelld/pwdhash-poc
+[gwuk-pwdhash2]: https://github.com/GWuk/PwdHash2/

data/bin/pwdhash2

@@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'highline/import'
+require 'pathname'
+
+require 'pwdhash/pwdhash'
+require 'pwdhash/extract_domain'
+require 'pwdhash/version'
+
+require 'backports'
+
+def usage
+  puts "pwdhash.rb #{PwdHash::VERSION} - Chris Yuen, Chris Roos (2012) Eric Duminil (2019)"
+  puts "Usage: pwdhash2 URI [SALT] [ITERATIONS]"
+  puts "Example: pwdhash2 https://mail.google.com"
+  puts "Example: pwdhash2 https://mail.google.com SomeSalt"
+  puts "Example: pwdhash2 https://mail.google.com SomeSalt 10_000"
+  puts
+  puts "SALT       can also be defined in PWDHASH2_SALT environment variable."
+  puts "ITERATIONS can also be defined in PWDHASH2_ITERATIONS environment variable."
+  exit
+end
+
+usage if ARGV.length == 0
+
+realm = extract_domain(ARGV[0])
+
+salt = ARGV[1] || ENV['PWDHASH2_SALT']
+iterations = (ARGV[2] || ENV['PWDHASH2_ITERATIONS'] || 50_000).to_i
+
+hl = HighLine.new($stdin, $stderr)
+hl.say("WARNING: Empty salt!") if salt.empty?
+password = hl.ask("Password for #{realm} (salt = '#{salt}', iterations = #{iterations}): ") {|q| q.echo = false}
+
+print get_hashed_password2(password, realm, salt, iterations)

data/lib/pwdhash/pwdhash.rb

@@ -26,7 +26,7 @@ def contains(result, regex)
 end
 
 def apply_constraints(hash, size, nonalphanumeric)
-  startingSize = size - 4 # Leave room for some extra characters
+  startingSize = [size - 4, 0].max # Leave room for some extra characters
   result = hash[0, startingSize]
   extras = (hash[startingSize, hash.length] || "").split('')
   
@@ -46,8 +46,8 @@ def apply_constraints(hash, size, nonalphanumeric)
   return result.join('')
 end
 
-require 'hmac-md5'
 require 'base64'
+require 'openssl'
 
 module PwdHash
   class Hash
@@ -65,12 +65,28 @@ module PwdHash
     end
   private
     def hash!
-      @hash = Base64.encode64(HMAC::MD5.digest(@password, @realm)).strip
+      @hash = Base64.encode64(OpenSSL::HMAC.digest("MD5", @password, @realm)).strip
     end
     def remove_base64_pad_character
       @hash.sub!(/=+$/, '')
     end
   end
+
+  class Hash2 < Hash
+    DIGEST = OpenSSL::Digest::SHA256.new
+
+    def initialize(realm, password, salt, iterations)
+      @salt, @iterations = salt, iterations
+      super(realm, password)
+    end
+
+    private
+
+    def hash!
+      # Based on https://github.com/GWuk/PwdHash2/blob/gh-pages/pwdhash2/hashed-password.js#L44
+      @hash = Base64.encode64(OpenSSL::PKCS5.pbkdf2_hmac([@password , @salt].join, @realm, @iterations, (2 * size / 3) + 16, DIGEST))
+    end
+  end
 end
 
 def get_hashed_password(password, realm)
@@ -78,3 +94,8 @@ def get_hashed_password(password, realm)
   apply_constraints(hash.hash, hash.size, hash.contains_non_alphanumeric?)
 end
 
+def get_hashed_password2(password, realm, salt, iterations)
+  hash = PwdHash::Hash2.new(realm, password, salt, iterations)
+  apply_constraints(hash.hash, hash.size, hash.contains_non_alphanumeric?)
+end
+

data/lib/pwdhash/version.rb

@@ -1,3 +1,3 @@
 module PwdHash
-  VERSION = "0.3.2"
+  VERSION = "0.3.4"
 end

data/pwdhash.gemspec

@@ -20,6 +20,4 @@ Gem::Specification.new do |gem|
   gem.version       = PwdHash::VERSION
 
   gem.add_dependency('highline', '~> 1.6', '>= 1.6.12')
-  gem.add_dependency('ruby-hmac', '~> 0.4', '>= 0.4.0')
-  gem.add_dependency('backports', '~> 3.6', '>= 3.6.4')
 end

data/pwdhash_test.rb

@@ -1,18 +1,72 @@
+require 'minitest'
 require 'minitest/unit'
 require 'minitest/pride'
 require 'minitest/autorun'
 
 require './lib/pwdhash/pwdhash'
+require './lib/pwdhash/extract_domain'
 
-class PwdHashTest < MiniTest::Unit::TestCase
-  def test_passwords
+class PwdHashTest < Minitest::Test
+  def test_passwords_with_domains
     [
       ['v0F0B', 'foo', 'skype.com'],
       ['paZTVGZwtewiq1+uCk', 'a l0ng p4assw0rd', 'google.com'],
       ['nRDL7WNyFODhF29gAkNmpA', 'qwertyuiop0987654321', 'google.com'],
       ['edi6wHWRQVA1rK8o9zaluwAAAA', 'qwertyuiop0987654321bingo', 'google.com'],
+      ['8JyURsRs', 'foobar', 'thetimes.co.uk'],
     ].each do |expected, password, realm|
       assert_equal expected, get_hashed_password(password, realm)
     end
   end
+
+  def test_passwords_with_complete_urls
+    [
+      ['v0F0B', 'foo', 'https://www.whatever.skype.com'],
+      ['paZTVGZwtewiq1+uCk', 'a l0ng p4assw0rd', 'https://images.google.com'],
+      ['nRDL7WNyFODhF29gAkNmpA', 'qwertyuiop0987654321', 'http://google.com'],
+      ['edi6wHWRQVA1rK8o9zaluwAAAA', 'qwertyuiop0987654321bingo', 'https://news.google.com'],
+      ['8JyURsRs', 'foobar', 'https://www.thetimes.co.uk/'],
+    ].each do |expected, password, url|
+      assert_equal expected, get_hashed_password(password, extract_domain(url))
+    end
+  end
+end
+
+class PwdHash2Test < Minitest::Test
+  def test_passwords_with_complete_urls
+    # expected results calculated with https://gwuk.github.io/PwdHash2/pwdhash2/
+    [
+      ['5YrAI', 'foo', 10000, 'SomeSalt', 'https://www.skype.com/en/'],
+      ['r8oIM4CR', 'foobar', 1, 'ChangeMe', 'https://google.com'],
+      ['3PvCifzNoYaTNBMcJzVvDfDBeVK', 'correcthorsebatterystaple', 50000, 'COVwVNWVhwCsd7vlQ2T5BuIJBccYCu1RzR8rQFVHYVkGVQkZXHLkglnttWFQJYIN', 'https://about.google/intl/en/?fg=1&utm_source=google-EN&utm_medium=referral&utm_campaign=hp-header'],
+      ['APC8mNJI', 'foobar', 1000, 'ChangeMe', 'https://google.com'],
+    ].each do |expected, password, iterations, salt, url|
+      assert_equal expected, get_hashed_password2(password, extract_domain(url), salt, iterations)
+    end
+  end
+
+  def test_collisions_with_weak_passwords
+    # => Use a longer password!
+    [
+      ['foo', 1000, 'bar', 'https://manifolds.org', 'https://boxwoods.com'],
+      ['foo', 50_000, 'aYcErTYgi0AoB2tDbP80fwR5GAWwUvg8', 'http://dainty.co.uk', 'http://polemic.com'],
+      ['foobar', 100, 'salt', 'https://abounds.edu.au', 'https://coaxed.co.nz'],
+    ].each do |password, iterations, salt, url1, url2|
+      assert_equal get_hashed_password2(password, extract_domain(url1), salt, iterations),
+        get_hashed_password2(password, extract_domain(url2), salt, iterations)
+    end
+  end
+
+  def test_edge_cases
+    # For testing only! Please always define salt and password. Number of iterations shouldn't be too low and password should be long enough.
+    [
+      ['WWNEC9x1', 'foobar', 1000, '', 'https://google.com'],
+      ['EBr2', '', 1000, '', 'https://google.com'],
+      ['w0WD', '', 1, '', 'https://google.com'],
+      ['w0WD', '', 0, '', 'https://google.com'],
+      ['w0WD', '', -1, '', 'https://google.com'],
+    ].each do |expected, password, iterations, salt, url|
+      assert_equal expected, get_hashed_password2(password, extract_domain(url), salt, iterations)
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pwdhash
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.4
 platform: ruby
 authors:
 - Chris Yuen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-16 00:00:00.000000000 Z
+date: 2019-05-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: highline
@@ -30,51 +30,12 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.6.12
-- !ruby/object:Gem::Dependency
-  name: ruby-hmac
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.4.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.4.0
-- !ruby/object:Gem::Dependency
-  name: backports
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.6'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.6.4
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.6'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.6.4
 description: Command line version of Stanford PwdHash
 email:
 - chris@kizzx2.com
 executables:
 - pwdhash
+- pwdhash2
 extensions: []
 extra_rdoc_files: []
 files:
@@ -84,6 +45,7 @@ files:
 - README.markdown
 - Rakefile
 - bin/pwdhash
+- bin/pwdhash2
 - lib/pwdhash/extract_domain.rb
 - lib/pwdhash/pwdhash.rb
 - lib/pwdhash/version.rb
@@ -109,7 +71,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Command line version of Stanford PwdHash