One Shall Pass for Command-line

Published in category Project and Security
on Christian Mayer's Weblog.

As a big fan of Password Managers I have used several of them in the past 8 years. Beside KeePassX I’m currently using oneshallpass.com since July 2015. One Shall Pass is awesome because you don’t need to save the passwords to a file (or cloud). But you always need to trust the software you putting your password into. Open Source Software counteracts this problem a bit. Of course there is always the chance that your password(s) are leaked to Black Hats in certain ways.

I wrote an implemenation of oneshallpass.com (maxtaco/oneshallpass) for command-line: https://github.com/TheFox/osp. From the technical point of view it’s the same. So I rather built the command-line interface for the user than the security concept behind. But it’s not compatible to oneshallpass.com because some variables differ. Means, you don’t get the same password on each software even using the same email address, password and options. (As on oneshallpass.com) you have the option to save an encrypted version of the hosts database to a file on your local hard disk drive. No email address or passwords are stored.

I’m not a mathematician, security professional and I also don’t know cryptography very well: so it’s recommended not to trust this software for production usage. I don’t neither. If you have the chance to read the source code of a software you should read the source code. Open Source Software!

More Technical Details

One Shall Pass for Command-line is not compatible to oneshallpass.com because the ID OneShallPass v2.0 of oneshallpass.com, to generate host specific passwords, is not used. Instead TheFox-OSP is used. Furthermore, the maximum password size of 32 is used instead of 16. This affects on the behavior on how the host passwords are generated by the algorithm. Of course you can make it compatible to oneshallpass.com by changing the ID and PASSWORD_MAX_SIZE variables in osp.rb, but consider this next time on upgrading to a newer version. It’s not recommended to change variables until you know what you doing.

More Resources

Recent Posts

About the Author

Christian is a professional software developer living in Vienna, Austria. He loves coffee and is strongly addicted to music. In his spare time he writes open source software. He is known for developing automatic data processing systems for Debian Linux.