• Stars
    star
    104
  • Rank 330,604 (Top 7 %)
  • Language
    Go
  • License
    MIT License
  • Created almost 7 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Small utility to store secret information like passwords.

go-hash

IMPORTANT: This project uses the latest crypto technologies to protect your data, but it comes with no warranties. If you find a weakness in the design of the database format or implementation, please create an issue immediately.

Build Status Release

Current status:

  • database format definition
  • database format implementation
  • Create database
  • Load custom database location
  • Generate random password
  • Customize rules for generated passwords
  • Clear clipboard some time after copying content to it
  • CLI entry command
  • CLI group command
  • CLI cp (copy) command
  • CLI cmp (change master password) command
  • CLI goto command

Description

go-hash is a utility to store passwords and other sensitive data safely under a master password.

go-hash was designed to allow users to keep the data safely even when non-secure storage is used.

It is safe, for example, to keep your go-hash data in Dropbox or other cloud services as long as a strong master password is chosen.

However, making sure that no one gets their hands on your data in the first place is the best way to keep it safe. For that reason, I highly recommend using Keybase, a free service (similar to Dropbox, but also has chats and more), that encrypts everything end-to-end, meaning that you can keep all your data encrypted and synchronized between your devices without any more effort than using Dropbox.

The database format used by go-hash was inspired by PWS3 and modified to benefit from the strengths of Argon2. The format is described in detail later in this document.

Installing

Download the appropriate executable for your system from the releases page.

Mac users should use the go-hash-darwin-amd64 file.

If you cannot find the correct file for your system, you will have to build from source. See the Building section for details.

Go developer? Just go get it:

go get -u github.com/renatoathaydes/go-hash

Introduction

go-hash keeps your information safe in an encrypted file. This file is called a go-hash database.

All information in a go-hash database is organised within groups of entries.

A group has a name and may have 0 to many entries that are related somehow.

For example, you may have a work group for stuff releated to work, and a personal group for personal accounts.

Entries contain the information you want to store securely. You can think of groups as directories, and entries as files.

Currently, the following information can be stored on each entry:

  • name a short identifier for the entry. Used to refer to the entry with the entry command.
  • URL the URL of the website this entry refers to.
  • username your username with the given website.
  • password your password with the given website.
  • description a description of this entry.
  • updatedAt last time the entry was modified.

Only name and password are mandatory. go-hash can generate a password for you when you create the entry (or you can enter one manually if you prefer). The updatedAt field is maintained automatically by go-hash.

You can refer to an entry within a group by first entering the group using the group command, or by using the group:entry syntax (e.g. to show the entry called foo in the personal group, type entry personal:foo).

Usage

The first time you run go-hash, a new database will be created in the default location ($HOME/.go-hash).

go-hash

To create a new database in a custom location, just provide the path to the new file for the database:

go-hash /path/to/file

If the file already exists, go-hash will try to load it as an existing database.

go-hash will prompt for the master password if idle for 120 seconds (default) or more.

To change the timeout, start go-hash with the flag -idle <number of seconds>. Use 0 for no timeout.

go-hash -idle 0 -db /path/to/file

Interact with the go-hash prompt

Once you've created a database, you will be prompted to enter a master password for the database:

Go-Hash version GH00

No database exists yet, to create one, you need to provide a strong password first.
A strong password could be a phrase you could remember easily but that is hard to guess.
To make it harder to guess, include both upper and lower-case letters, numbers and special characters like ? and @.
If you forget this password, there's no way to recover it or your data, so be careful!

Please enter a master password:

Once you've done that, you should enter the go-hash prompt:

go-hash»

While on the go-hash prompt, you can use the commands explained below to interact with go-hash.

Type help to see information about go-hash commands, or hit Tab to see the available commands and auto-complete options.

Quit go-hash by typing quit.

Commands

group

The group command is used to manage groups.

To create a group called personal, for example, type:

# create or enter a group
go-hash» group personal

Or use the -c option to avoid being asked if you want to create it:

# create a group
go-hash» group -c personal

After typing that, you will enter the new group automatically, so you should see the following prompt:

go-hash:personal»

When you enter a group, you can manipulate entries within that group with the entry command (see the next section).

Before you enter a group, notice that you're implicitly within a default group, which always exists (but is not shown in the prompt).

To exit a group (actually, go back to the default group), type exit.

# exit a group
go-hash:personal» exit

To re-enter a group, just type group personal again. As the group already exists, this time you just enter the group instead of being asked to create it.

You can delete a group with the -d option:

# delete a group
go-hash» group -d personal

To rename a group, use the -r option:

# rename a group
go-hash» group -r personal

You will be asked for the new name.

To list all groups, just type group:

# list all groups
go-hash» group

entry

The entry command is used to show, edit, create and delete entries within the current group or a specified group.

Notice that you do not need to create a group explicitly, go-hash uses a default group if you do not create one.

To see all entries within the current group, just type entry.

# show all entries in the current group
go-hash» entry

To create an entry, give the name of the new entry, say google, as an argument to the entry command:

# create or show an entry called "google" within the current group
go-hash» entry google

If the entry does not exist, you'll be asked if you want to create it, similarly to the group command. To avoid the prompt, use the -c option:

# create an entry called "google" within the current group
go-hash» entry -c google

You will be asked to enter the details about the entry.

Now that you've created the entry called google, typing entry google will show its details.

For example:

go-hash» entry google
  google:
    username:        [email protected]
    URL:             https://mail.google.com
    updatedAt:       2017-12-29 17:34:52
    description:     My email account.

An entry's password is never displayed. go-hash only allows you to copy the password to the clipboard, as explained later.

To edit the entry, use the -e option:

# edit an entry within the current group
go-hash» entry -e google

You will be asked for the new details. To keep a value, just hit Enter without typing anything.

To rename an entry, use the -r option:

# rename an entry within the current group
go-hash» entry -e google

You will be asked for the new entry's name.

To delete an entry, use the -d option:

# delete an entry within the current group
go-hash» entry -d google

To refer to an entry in a different group, use the group:entry syntax:

# display the entry called 'foo' in the 'top-secret' group
go-hash» entry top-secret:foo

goto

The safest way to login to a website is by using the goto command to open it in your default browser.

When you created an entry, you should have provided a URL... that URL is used by the goto command to know where to go, so there's no way you might accidentally give your credentials to the wrong website.

Suppose you've created an entry called google, as explained in the entry command section. You can now go to the URL associated with that entry as follows:

# go to the URL associated with the "google" entry in the current group, copying the password
go-hash» goto google

Phishing attacks are the number one way that attackers use to steal credentials! You may think that you would never fall for a phishing attack, but evidence suggests that even the most tech-savvy of us can and often do fall for phishing attacks without even knowing it! Attackers might just redirect you to the real website, so you think that you're safe, while they have plenty of time to use your credentials in whatever way they see fit without you realizing it for months.

The goto command automatically copies the entry's password into the clipboard, ready for you to paste it into the login form!

If you do not want the password to be copied automatically, use the -n option:

# go to the URL associated with the "google" entry in the current group, do not copy the password
go-hash» goto -n google

cp

The cp (copy) command can be used to copy an entry's username and password to the clipboard, so that you can easily paste it into login forms.

To copy the password to the clipboard, use the -p option:

Notice that go-hash automatically cleans up the clipboard after 1 minute, so sensitive data does not remain in the clipboard indefinitely.

# copy the password for the "google" entry in the current group
go-hash» cp -p google

To copy the username to the clipboard, use the -u option:

# copy the username for the "google" entry in the current group
go-hash» cp -u google

Or just omit any options:

# copy the username for the "google" entry in the current group
go-hash» cp google

cmp

The cmp command can be used to change the opened database's master password.

Just type cmp and you will be prompted for the old and new passwords.

Database format

go-hash uses the following database format:

version | salt | B1 | B2 | B3 | B4 | HMAC | E

where:

  • version (4 bytes) version of the database ("GH00" or "GH01").
  • salt (32 bytes) random sequence used to hash the user's master password.
  • P (32 bytes) Argon2-hash of the user's master password. Notice that the hash is calculated based on the user's master password and the salt.
  • K (32 bytes) random key used to encrypt the database entries.
  • L (32 bytes) random key used to calculate the HMAC of the database.
  • B1 (32 bytes) the least-significant half of the K key after AES encryption with P used as key.
  • B2 (32 bytes) the most-significant half of the K key after AES encryption with P used as key.
  • B3 (32 bytes) the least-significant half of the L key after AES encryption with P used as key.
  • B4 (32 bytes) the most-significant half of the L key after AES encryption with P used as key.
  • HMAC (64 bytes) The HMAC of the salt followed by the unencrypted, serialized version of the database entries, with SHA512 as the underlying hash function using L as the key.
  • E the encrypted database entries. Encryption is performed using AES256 with K as the key.

The Argon2 parameters used to hash the master password are part of the database format version used, and for the current version, GH01, are:

  • time = 8
  • memory = 32 * 1024
  • key length = 32
  • threads = 4

For version GH00:

  • time = 8
  • memory = 32 * 1024
  • key length = 32
  • threads = number of CPUs (which means it was not reproducible across machines)

The encrypted length of the database proper (excluding metadat) is limited to 64 MB.

This format is based on the paper by Paolo Gasti and Kasper B. Rasmussen on The Security of Password Manager Database Formats and adapted from PasswordSafe's PWS3 format.

Future work

  • Make passwords expirable.
  • Support custom rules for generated password (to work around websites that contrain the password format).
  • Create cross-platform GUIs for non-techies.
  • Create browser extensions for Chrome, FireFox, MS Edge, Safari.

Building

The releases page contains executables for several platforms but if your platform is not included or you want to build from source, just clone this repository and build it as explained below.

Clone this repo

  • Using git:
git clone [email protected]:renatoathaydes/go-hash.git
cd go-hash
  • Using Go:
go get -u github.com/renatoathaydes/go-hash
cd $GOPATH/src/github.com/renatoathaydes/go-hash

Build using make

The easiest way to build is with make. From the root directory, just run it:

make

This will get anything else required to build, then build, install and run the tests.

To run the benchmarks:

make bench

To create a local release for all of the selected targets:

make release

The local release files go in the releases folder.

To see a list of all targets, in a shell that supports it (most shells), just type make and hit Tab. Otherwise, see the Makefile.

Releasing

make release creates binaries for all platforms. This is used by the TravisCI integration to create a new release on GitHub when a new tag is pushed via git.

The description of the release must be entered manually.

Build with just go

Make is not necessary to build, it's used just for convenience.

If you don't have make or just don't want to use it, here's how to build go-hash without it:

# install dep if you don't have it
go get -u github.com/golang/dep/cmd/dep

# sync dependencies
dep ensure

# build or install
go build

Run tests with:

go test ./...

More Repositories

1

spock-reports

This project creates a global extension to Spock to create test reports.
Groovy
264
star
2

rawhttp

HTTP library to make it easy to deal with raw HTTP.
Java
201
star
3

LogFX

LogFX is a simple Log reader supporting color highlighting and able to handle giant files.
Java
193
star
4

Automaton

Simple framework which allows the testing of Swing and JavaFX2 applications.
Groovy
96
star
5

kunion

Union types for Kotlin
Kotlin
83
star
6

osgi-run

Osgi-Run - A Gradle plugin to make the development of modular applications using OSGi completely painless
Groovy
53
star
7

actors

Actor Model library for Dart.
Dart
47
star
8

mako-smarthome

Mako Lua Server for managing SmartHome devices based on the deCONZ API
Lua
34
star
9

jvm-alternatives-to-js

Repository comparing JVM alternatives to JS: CheerpJ, GWT, JSweet, TeaVM, Vaadin Flow, bck2brwsr (bonus: React, Dart)
Java
31
star
10

prechelt-phone-number-encoding

Comparison between Java and Common Lisp solutions to a phone-encoding problem described by Prechelt
Java
30
star
11

kotlin-hidden-costs-benchmark

A JMH benchmark of Kotlin hidden costs.
Java
29
star
12

wasm-on-jvm

A Gradle Plugin to compile WASM to JVM easily
Kotlin
24
star
13

ceylon-gradle-plugin

A simple Gradle plugin to manage Ceylon projects.
Groovy
22
star
14

jersey-guice-app

Application demonstrating a web app which provides a RESTful API through Jersey. It uses Guice as its Dependency Injection framework.
Java
18
star
15

osgiaas

OSGiaaS - OSGi as a Service
Java
17
star
16

jgrab

Runs Java code without a build system, grabbing dependencies declared in the Java file itself.
Java
17
star
17

structured_async

Structured concurrency for the Dart Programming Language.
Dart
16
star
18

magnanimous

The simplest and fastest static website generator in the world!!
Go
16
star
19

zig-common-tasks

Zig common tasks (code samples)
Zig
15
star
20

dartle

A simple build system written in Dart.
Dart
14
star
21

javanna

A Java library to create and introspect annotations at runtime.
Java
14
star
22

jbuild

JBuild is a intentionally simple, small build tool for Java.
Java
14
star
23

raw-jse

Vanilla Java: Using Java SE as a Framework
Java
13
star
24

CeylonFX

Ceylon interface for JavaFX
Ceylon
13
star
25

wasmin

A programming language that is a thin layer over pure WebAssembly (WASM).
Dart
13
star
26

specks

Specks enables a different way to check that your Ceylon code works
Ceylon
13
star
27

Grasmin

Groovy AST Transformation to allow writing Jasmin code (JVM bytecode) directly on groovy files
Groovy
13
star
28

parcey

A combinator parser for Ceylon
Ceylon
11
star
29

pony-gradle-plugin

A Gradle plugin to build Pony projects
Groovy
9
star
30

gohash_mobile_app

go-hash official mobile app (Android and iOS)
Dart
8
star
31

eventory

An event sourcing-inspired library targeting offline-first use, with automatic synchronization with remote instances when connection is available.
Dart
8
star
32

emacs.d

Personal emacs.d configuration
Emacs Lisp
7
star
33

gohash_mobile

go-hash Flutter Plugin
Objective-C
7
star
34

jb

The JBuild CLI.
Dart
6
star
35

faster-command-line-tools-kotlin

Faster command line applications with Kotlin (blog post backing repo)
Kotlin
6
star
36

ConcurrenCey

ConcurrenCey is a concurrency framework for the Ceylon language
Ceylon
6
star
37

isolate_current_directory

Support for changing the current working directory only within the scope of a function.
Dart
6
star
38

h_view

A wrk2 histogram viewer
Dart
5
star
39

ansi-color

A Racket library to make it easy to colorize terminal output
Racket
5
star
40

OsgiMonitor

This Project provides a set of bundles to allow users to monitor and control an OSGi instance.
Groovy
4
star
41

flattery

Flattery is a library for building HTML elements using Widgets.
Dart
4
star
42

zig-build-c

Zig Demo building and testing C code
Zig
4
star
43

kanvas

Kotlin and Groovy Canvas DSL based on JavaFX
Kotlin
4
star
44

wasmin-lang

A minimal WASM-focused programming language.
Rust
4
star
45

open_url

Dart lib to open a URL on the user's default application.
Dart
3
star
46

vinegar

A collection of functions and macros to help testing Rust code.
Rust
3
star
47

functions4j

Functions4J attempts to provide high-level functional constructs to Java 8+.
Java
3
star
48

vscode-ponylang

VSCode plugin for the Pony programming language.
TypeScript
3
star
49

spark-ws

Spark-WS is a Java Websockets library inspired by Spark for Java (which is inspired by Sinatra for Ruby).
Java
2
star
50

kootlin

Pure Kotlin OOP
Kotlin
2
star
51

rawhttp-tutorial

Source code for RawHTTP blog post.
Kotlin
2
star
52

kyang

A Yang IntelliJ Plugin
Kotlin
2
star
53

swing-selectors

Swing selectors allows declaratively selecting Swing components anywhere in a component tree - a breakoff from the Automaton testing framework
Groovy
2
star
54

dzipper

A CLI utility and library to extract zip file metadata.
D
2
star
55

mergequick

A web app to help manage and merge Pull Ruquests on popular code hosts.
Dart
1
star
56

simple-fx-app

Very simple JavaFX Application. Used for testing Automaton.
Java
1
star
57

MachineLearning

In this project, I implement some machine learning / data mining algorithms. The preferred language is Groovy. Email: [email protected]
Groovy
1
star
58

rpc-examples

Examples of implementations of services based on RPC frameworks.
Java
1
star
59

pathtrie

A Trie implementation specifically designed for paths
Java
1
star
60

ts-parcel

Basic TypeScript Browser App packaged with Parcel
HTML
1
star
61

dart-bf

brainfuck implementation in Dart
Dart
1
star
62

apps-bouncer

Application that keeps track of running processes, snitching bad behaving ones to the user, who can choose to kill them.
Dart
1
star
63

dart-sass-bulma-example

Example Dart Web Project that uses Sass and Bulma
HTML
1
star
64

checker-maven-demo

This project demonstrates the use of the checker framework with Maven.
Java
1
star
65

FxCodeEditor

A source code editor
Java
1
star
66

easy-jetty

Makes it really easy to embed a Jetty Web Server
Java
1
star
67

keepup

Tiny Java app self-updater designed to work with Java 11+ jlink distributions.
Java
1
star
68

protobuf-tcp-rsa-provider

TCP/Protobuffer implementation of Aries RSA DistributionProvider.
Java
1
star
69

ansi-escapes.zig

ANSI Escapes (colors, styles) for Zig Terminal-based applications
Zig
1
star
70

gradle-multi-java-modules-sample

This project shows how to organize Java modules in a Gradle project.
Java
1
star
71

test_report_parser.dart

Dart Model representing the events emitted by the Dart Tests JSON reporter
Dart
1
star
72

ceylon-medical-web-app

Example application in Ceylon using the type system to create reliable, extensible software
Ceylon
1
star