Simple password generator. Given a passphrase and the name of a service, returns a strong password for that service. You only need to remember your passphrase, which you do not give to anyone, and this program will give a different password for every service you use. The passphrase can be any text you like.
Given the same passphrase and service name, the program will generate the same result every time, so you can use it to 'look up' those impossible-to-remember passwords when you need them.
According to Dropbox's zxcvbn password strength measure,
if your dictionary English password takes about a second to crack, those
vault take over a million times the age of the observable
universe to crack by brute force.
I have a terrible memory and like keeping my stuff safe. Strong service-specific passwords are hard to remember, and many services have stupid restrictions on passwords. I want to remember one phrase and have a machine deal with making my passwords strong.
npm install -g vault
The most basic usage involves passing your passphrase and the service name; when
you pass the
-p flag you will be prompted for your passphrase:
$ vault google -p Passphrase: ********* 2hk!W[L,2rWWI=~=l>,E
You can set the desired length using
$ vault google -p -l 6 Passphrase: ********* Tc8k~8
You can control the character types present in the output, either to disable certain types or make sure they are present. For example, to get a password with no symbols in it:
$ vault google -p --symbol 0 Passphrase: ********* Bb4uFmAEUnTPJh23ecdQ
To get a password containing at least one dash and uppercase letter:
$ vault google -p --dash 1 --upper 1 Passphrase: ********* 2-[w]thuTK8unIUVH"Lp
Available character classes include:
lower: lowercase letters,
upper: uppercase letters,
number: the digits
space: the space character
dash: dashes (
-) and underscores (
symbol: all other printable ASCII characters
Finally, some sites do not allow passwords containing strings of repeated
characters beyond a certain length. For example, a site requiring passwords not
to contain more than two of the same character in a row would reject the
ZOMG!!! because of the 3
! characters. Vault lets you express this
--repeat; this option sets the maximum number of
times the same character can appear in a row.
$ vault google -p -r 2
Saving your settings
If you like, you can store your passphrase on disk;
vault will save it in a
.vault in your home directory.
.vault file is encrypted with AES-256, using your username as the key by
default. You can set your own key using the
VAULT_KEY environment variable.
You can also change the location of the file using the
for example you might set
VAULT_PATH=Dropbox/.vault to sync it using Dropbox.
If you do this, make sure any files containing the key are NOT also exposed to
To save your passphrase, pass the
$ vault -c -p Passphrase: ********* $ vault google 2hk!W[L,2rWWI=~=l>,E
You can also configure character class settings this way:
$ vault -c --upper 0 $ vault google -p Passphrase: ********* =hk|,;,>=r'}k=p-u>1p
Both the passphrase and the character class settings can be overridden on a per-service basis:
$ vault -c twitter --upper 1 --symbol 0 $ vault twitter -p Passphrase: ********* Z2juOG1Z31BX1A9ET8Cn $ vault google -p Passphrase: ********* =hk|,;,>=r'}k=p-u>1p
If you'd like to get a plain-text copy of the encrypted settings file, or import
a previously exported settings file, you can use the
--export writes the contents of the
.vault file to the given path,
--import reads the given file and stores it encrypted in your
file. This can be used, for example, to change the encryption key:
$ VAULT_KEY=oldkey vault --export settings.json $ VAULT_KEY=newkey valut --import settings.json
Or, you can use it if Vault changes its encryption algorithm in the future. Just use your current installation to export the settings, upgrade, then import.
$ vault --export settings.json $ npm install -g vault $ vault --import settings.json
How does it work?
vault takes your passphrase and a service name and generates a hash from them
using PBKDF2. It then encodes the bits of
this hash using a 94-character alphabet, subject to the given character
constraints. This design means that each password is very hard to break by brute
force, and ensures that the discovery of one service's password does not lead to
other accounts being compromised. It also means you can tailor the output to the
character set accepted by each service. The use of a deterministic hash function
means we don't need to store your passwords since they can easily be regenerated;
this means there's no storage to sync or keep secure.
(The MIT License)
Copyright (c) 2011-2012 James Coglan
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.