Deterministically derives passwords from system hardware information. The passwords are never stored on the machine; the same password is regenerated on every boot for as long as the hardware stays unchanged.
ReadMe.md - This file. It's a ReadMe. Come on, man.
SysPass.py - Back-end bulk operations. Has a main function mostly for debug purposes, but will print hardware-generated passwords as configured.
Window.py - The intended main program. GUI for hardware-based password generation. Nothing too fancy, just some built-in tkinter functions.
words_alpha.txt - The English dictionary. Scrabble readiness not guaranteed. Pulled from https://github.com/dwyl/english-words
https://xkcd.com/936/ - Password Strength.
Online password generators exist that implement the concept Munroe illustrates here; however, they (presumably) pick passwords randomly and leave it to the user to save them to disk. That has two weaknesses: the password cannot be recovered if the saved file is lost, and the security of the user's own machine, rather than the entropy of the password itself, becomes the limiting factor for the password's confidentiality.
Munroe estimates that four random common words give roughly 44 bits of entropy, i.e. about 2^44 guesses to exhaust the space (half that, on average, before the right one is found).
Because this program pulls from the English dictionary with no guarantee about the size of the words, I don't have an estimation on hand for the expected password length (though substantial preliminary tests have all been >30 characters).
In terms of collisions, the dictionary this program works with features 370,103 words. Concatenating four of them gives 370,103^4, roughly 1.9 x 10^22 (about 74 bits), ordered word combinations, with no duplicate detection. That exceeds Munroe's 2^44 by a factor of about 10^9, but two caveats apply: his figure is an average, and 74 bits is the size of the output space, not the entropy of a generated password. The latter is bounded by how unpredictable the hardware string fed into the hash is, which is far less than 74 bits.
1. Collect system information as a plaintext string.
2. Hash this string with the BLAKE2 algorithm (waiting for Python's hashlib package to include BLAKE3). See here: https://www.blake2.net/
3. Split the hash into four equal chunks.
4. Convert each chunk into an English word.
5. Combine the results and return them to the user.
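The five steps above, written out as an added example (this is not SysPass.py or any other code from the project). It also backs the collision arithmetic earlier on the page with a helper that computes the size of the word-combination space in bits. Assumptions: BLAKE2b with its default 64-byte digest (the page only says "BLAKE2"), a stand-in hardware string built from a few `platform` fields because the project's exact field list is not given, and a tiny constructed word list in place of words_alpha.txt so the example runs offline. Each 16-byte chunk is reduced modulo the dictionary size; with 2^128 values per chunk against 370,103 words the modulo bias is negligible.

```python
import hashlib
import math
import platform
import uuid

# Constructed stand-in for words_alpha.txt so the example runs offline.
# The real dictionary has 370,103 entries; load it with load_words() instead.
WORDS = ["correct", "horse", "battery", "staple", "apple", "zebra",
         "lantern", "quartz", "mortar", "glacier", "violet", "saddle"]


def load_words(path: str = "words_alpha.txt") -> list:
    """Read one word per line from the project's dictionary file."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def collect_system_info() -> str:
    """Step 1: build the plaintext hardware string.

    Assumed fields; the project's own list is not given on the page.
    Everything here is readable by any local process, so the string is
    the effective secret and the weak link of the scheme.
    """
    return "|".join([
        platform.machine(),
        platform.processor(),
        platform.node(),
        f"{uuid.getnode():012x}",  # MAC-derived node id
    ])


def select_words(info: str, words: list, n_words: int = 4) -> list:
    """Steps 2-4: BLAKE2b the string, split the digest, map chunks to words."""
    digest = hashlib.blake2b(info.encode("utf-8")).digest()  # 64 bytes
    chunk_len = len(digest) // n_words                        # 16 bytes each
    chosen = []
    for i in range(n_words):
        chunk = digest[i * chunk_len:(i + 1) * chunk_len]
        # 2**128 possible chunk values against len(words) entries:
        # the modulo reduction is close enough to uniform to ignore the bias.
        index = int.from_bytes(chunk, "big") % len(words)
        chosen.append(words[index])
    return chosen


def generate_password(info: str, words: list, n_words: int = 4) -> str:
    """Step 5: join the selected words into the password handed to the user."""
    return "".join(select_words(info, words, n_words))


def output_space_bits(dictionary_size: int, n_words: int = 4) -> float:
    """log2 of the number of ordered word combinations.

    This is the size of the OUTPUT space, not the entropy of a password:
    the password is a deterministic function of the hardware string, so
    its unpredictability can never exceed that of the input.
    """
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed input: a fixed string stands in for a real machine's info.
    sample_info = "x86_64|GenuineIntel|workstation-01|001122334455"
    print(generate_password(sample_info, WORDS))
    print(f"{output_space_bits(370_103):.1f} bits for four words from 370,103")
```

Running it twice on the same input yields the same password, which is exactly the property the page describes and exactly why anyone who can read the hardware string can regenerate the password.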
Is it safe? Maybe.
Out of the box? A little iffy. The plaintext string from Step 1 tries to use information about the system that stays static between boots but varies enough from user to user. Is it impossible for two users to share identical hardware info? No. It is highly unlikely (a GPU UUID is included), but not impossible.
If a malicious actor gets access to your machine and can read its hardware info, that is the end of the security of any password generated by this program, because the same inputs regenerate the same password. In that situation you likely have bigger fish to fry. It is not impossible, though, for a malicious website to obtain some of this information about your machine, and that would be far less noticeable to the user.
Splitting a hash into four chunks rubs me the wrong way, but the end result should be the same as hashing four times: each chunk of the digest is vastly larger than the dictionary (128 bits per chunk for a 512-bit BLAKE2b digest, against 370,103 words), so reducing a chunk modulo the dictionary size picks a word almost uniformly. The four chunks are still functions of the same input, so this step adds no unpredictability beyond what the hardware string already provides.