These days, with the internet being a part of our everyday lives, or in other terms with us increasingly being part of the virtual world, the reliance on computers and the internet has increased. There is a surge in the number of services being made available at our fingertips. With the lines blurring between the real and virtual worlds, we are exposed to newer experiences and challenges as well. To bring about order among the many services being offered, user security has become a major aspect of building software-based services. One of the most popular authentication mechanisms used in secure software systems even today is the password as a method to prove identity. From accessing our bank accounts, checking mail, buying products online or accessing any other software service, we are often required to key in our passwords. As you might have experienced, remembering and keeping track of passwords proves quite difficult sometimes. On one hand you should have a strong password to thwart misuse, which is often hard to remember; on the other hand, repetitive or easy-to-guess passwords pose a security risk.
How can we keep multiple strong passwords without the difficulty of remembering them? Here again software comes to our rescue in the form of password manager software. We can manage a range of passwords by creating our own password manager using the bash command line available in popular GNU/Linux operating systems. The GNU Bash shell is readily available in Ubuntu/Debian-based Linux systems. It can be launched using the terminal application (shortcut Ctrl+Alt+T). Windows 10 users can use the Ubuntu on Windows feature to utilise the bash shell. See https://bit.ly/UbuntuOnWin for instructions on how to download this in the Windows 10 environment.
This article will outline the process that goes into creating a password manager.
Let us assume that we have 10 different accounts. Now let us store them in a file called userNmPwd1.txt as shown below, where the username and password are separated by a '|' delimiter. (These are fictitious accounts just for representative purposes.)
As you might have observed, the passwords here are easy to guess or break. It is better to generate strong passwords for accounts that are used day to day. So, we will first create a file userNm.txt that stores only the usernames of the accounts.
We will write a script genPasswd.sh that generates nine-character random passwords for these accounts, as shown below, using the mktemp command.
To generate the passwords, we run the genPasswd.sh script with the userNm.txt file passed as a parameter.
These generated passwords are appended to the usernames, separated by a '|' symbol, and written to a file userNmPwd.txt. They can be used as the new passwords for your accounts, which are now more secure.
This file should be stored in a place that you can access anytime you want. Thus, from now on, there will be no need for you to remember such complex passwords. However, if access to this file is compromised, that is, if some unwanted person gains access to it, then all your accounts are compromised. So it is better to store this file in encrypted form rather than in plain text.
For this we will use the OpenSSL utility for encryption and decryption. OpenSSL is a community-developed software project which, in their own words, offers a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. To get started, we first need to know how to install OpenSSL. Windows users can install the OpenSSL library using the Cygwin utility. A detailed installation procedure can be found at bit.ly/opensslwindows.
The following demonstration is done on a system running Ubuntu 20.04 (Focal Fossa) distribution.
Open the bash terminal and issue the following command as shown below.
You can verify the installation and check which version you are currently running as shown below. Add the -a option to see more details.
The recent release of Ubuntu 22.04 supports the latest standard, OpenSSL 3.0. OpenSSL is not just about encryption; it also provides authentication and integrity checking services, and is commonly used in digital certificate generation and verification. In this article we focus on encryption and decryption only. Now, getting back to our problem, we will store userNmPwd.txt in encrypted form. There are several encryption schemes available as part of OpenSSL. We can list them by running the following command:
We will use the Advanced Encryption Standard (AES) with a 256-bit key in Cipher Block Chaining (CBC) mode in this example. AES-256-CBC is considered one of the most secure encryption mechanisms and is hard to break because of its large key length. Here the cipher requires a password given by the user, from which a secure encryption key is then derived using the PBKDF2 (Password-Based Key Derivation Function 2) mechanism.
We generate an encrypted version of the file userNmPwd.txt and store it in a file called secret.txt by running the command below.
Now, if we display the contents of secret.txt, they do not make any sense, as the file is in encrypted form. You can see this below.
As we no longer need to store userNmPwd.txt, since we have its encrypted equivalent secret.txt, we can delete the userNmPwd.txt file. If required, we can re-obtain it by decrypting secret.txt with the command below.
Let's use this knowledge to build two other small utility scripts: one for securing the account and password information, and another to retrieve the password of an account. The securePwd.sh script is shown below.
The securePwd.sh script creates the encrypted file secret.txt, taking userNmPwd.txt as input, as shown below.
It also takes care of error handling with regard to the input, if any. You should also notice that this script deletes the userNmPwd.txt file after creating secret.txt.
Now that we have secured the accounts and passwords, the next script getPasswd.sh retrieves the password for a requested account from the encrypted file secret.txt by applying decryption. Suitable error handling is also provided. The getPasswd.sh script is shown below.
A sample execution of the getPasswd.sh script to retrieve the password for an account is shown below.
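The three steps described above (genPasswd.sh, securePwd.sh and getPasswd.sh), written as one added example script; this is not the article's own code. It assumes the master password is supplied in an environment variable named MASTER_PW, draws the random characters from /dev/urandom rather than mktemp, and keeps the article's file names.

```shell
#!/bin/sh
# Added example, not the article's scripts: the three steps as shell functions.
# The master password is read from the environment variable MASTER_PW (an
# assumption), so it never appears on the command line or in `ps` output.
set -eu

# Step 1: one random nine-character password per account listed in userNm.txt,
# written as "username|password" to userNmPwd.txt (file names follow the article;
# /dev/urandom is used here instead of mktemp).
gen_passwords() {               # usage: gen_passwords userNm.txt userNmPwd.txt
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    : > "$2"
    while IFS= read -r user || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 9)
        printf '%s|%s\n' "$user" "$pw" >> "$2"
    done < "$1"
}

# Step 2: AES-256-CBC with a PBKDF2-derived key. The -pbkdf2 flag matters:
# without it, openssl enc falls back to a weak single-pass key derivation.
# The plaintext is removed afterwards, as in the article (rm only unlinks the
# file; the bytes may remain on disk, so shred(1) is preferable where available).
secure_pwd() {                  # usage: secure_pwd userNmPwd.txt secret.txt
    : "${MASTER_PW:?set MASTER_PW to the master password}"
    [ -s "$1" ] || { echo "missing or empty $1" >&2; return 1; }
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -in "$1" -out "$2" -pass env:MASTER_PW && rm -f "$1"
}

# Step 3: decrypt into a pipe only (never back to disk) and print the password
# of one account; exits non-zero if the account is absent or the key is wrong.
get_passwd() {                  # usage: get_passwd secret.txt account
    : "${MASTER_PW:?set MASTER_PW to the master password}"
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -pass env:MASTER_PW 2>/dev/null \
      | awk -F'|' -v u="$2" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# Demo with constructed accounts:  MASTER_PW='...' sh pwmgr.sh demo
if [ "${1:-}" = demo ]; then
    printf 'alice@example.com\nbob@example.com\n' > userNm.txt
    gen_passwords userNm.txt userNmPwd.txt
    secure_pwd userNmPwd.txt secret.txt
    get_passwd secret.txt alice@example.com
fi
```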
So, instead of remembering multiple passwords, one has to remember only the password used for encryption/decryption, which now acts as a master password for all the other accounts.
Suppose you want to share some secret information with someone else over mail. You can send the secret information in encrypted form. However, a question still lingers as to how to send the key to the receiver for decryption. Well, that would be enough content for another article.
The author is a research scholar at the Indian Institute of Technology, Hyderabad
Published - May 19, 2022 07:20 pm IST