Tresor - a deterministic password generator
Tresor is a .net library (.net 4/netstandard 1.3 or newer) to generate passwords in a deterministic way, that is, the same inputs will yield the same outputs, but from simple inputs (Like the service name "twitter" and the passphrase "I'm the best 17-year old ever.") you will get a strong password like "
This helps with the behavior of using the same passphrase for multiple sites, but is also not reliant on a password vault that you don't always tend to have with you (e.g., because it's a file on your computer and you're on the road) or requires you to trust a cloud-service to securely keep your data.
Internet Websites get compromised all the time - so frequently that haveibeenpwned.com has been created for people to get notified whenever their email address shows up in a data breach. Troy Hunt has an amazing blog about web security issues and breaches, and explains why you should use a Password Manager.
Tresor is a port of Vault by James Coglan to .net. When I first discovered Vault, it immediately checked the boxes I was looking for: It works everywhere as long as I have internet access, but it doesn't store any data that can be compromised. All I need to do is remember the service name and settings, and voila, there's my password without having to store it in yet another online database that can be compromised.
For more information about Vault, check the FAQ on https://getvau.lt/faq.html.
Please note that this port is not endorsed or in any way associated with James Coglan.
Tresor.GeneratePassword with the service name, passphrase and a
TresorConfig. For example:
var service = "twitter"; var phrase = "I'm the best 17-year old ever."; var password = Tresor.GeneratePassword(service, phrase, TresorConfig.Default); // password => c;q- q}+&,KTbPVn9]mh
service name is something you pick to uniquely identify services, e.g.,
passphrase is a second phrase that you choose. Usually, this is your password that you use everywhere because you can remember it, but don't want to use everywhere anymore because reusing passwords is highly insecure.
TresorConfig defines how the password is generated. Properties include:
PasswordLength(default: 20) - how long should the generated password be? The longer, the better, but some sites restrict the length, sometimes to something comical like 10 characters
MaxRepetition(default: 0) - how often can a character be repeated. For example, if this is set to 1, then there could be no
nnin the password, as the character
nis repeated 2 times. Do note that
nanis valid, as the character
nis not immediately repeated. The value 0 means that unlimited repetitions are okay.
- Character classes:
Symbolscan be set to one of three modes:
Allowed(default): Characters from this character class may appear in the generated password, though that's not guaranteed
Required: Characters from this character class MUST appear in the generated password
Forbidden: Characters from this character class MUST NOT appear in the generated password
- Character classes are:
_(hyphen and underscore)
Space: A space:
RequiredCount(default: 2): If any character classes are set to
AllowedMode.Require, how many characters of that group must appear in the output?
Example of a more complex TresorConfig:
var config = TresorConfig.Default; config.PasswordLength = 14; // Generated password will be 14 characters long config.Space = TresorConfig.AllowedMode.Forbidden; // The space MUST NOT appear in the password config.Symbols = TresorConfig.AllowedMode.Forbidden; // No symbols must appear in the password config.LowercaseLetters = TresorConfig.AllowedMode.Required; // At least 2 lowercase letters must appear config.Numbers = TresorConfig.AllowedMode.Required; // At least 2 numbers must appear config.MaxRepetition = 1; // Do not repeat any characters config.RequiredCount = 2; // Of every required group, at least 2 characters must appear
Do note that the
RequiredCount is set for all character classes, so you can't say "at least 2 numbers and 3 lowercase letters". Also note that in the above example, the
PasswordLength must be at least 4 because we need space for at least 2 numbers and 2 lowercase letters. Setting the
PasswordLength too small will throw a
System.InvalidOperationException : Length too small to fit all required characters.
Also note that if you set all character classes to
Forbidden, TresorLib will throw a
System.InvalidOperationException : No characters available to create a password.
service name and
passphrase can contain special/unicode characters. The generated password will always be ASCII-compliant - see the character classes above.
Copyright (C) 2017 Michael Stum firstname.lastname@example.org
Adapted from Vault, copyright (C) 2012-2014 James Coglan - https://github.com/jcoglan/vault
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.