narvi is a deterministic password generator, similar in concept to PwdHash. The goal is to help you reduce the number of passwords that you have to remember while still providing a different password for every account.
To use it, you provide narvi with an account identifier, such as you@mail.com, and your "master" password. narvi will produce an account-specific password based on a hash of the combination of the account identifier and your master password. Changing the account identifier, or salt, while keeping the master password the same will yield a different account password. narvi does not store the passwords; it generates them each time you need them.
- Uses scrypt as its hashing function, with configurable hashing parameters.
- Arbitrary, user-defined account identification (salt).
- Supports multiple word schemes to support various password policies.
- Portable command line utility written in Python that runs on any system with
Python (2.7 <= v < 3). - Distributed as a single, OS-agnostic file (zipped Python).
- Includes fast, native scrypt libraries for Windows, Mac, and Linux, with a pure Python implementation for other systems.
When run with no parameters, narvi will prompt you for a salt, for which you can use any value, but which should typically be some account identifier, such as you@yourbank.com. If it is a salt that narvi recognizes, it will prompt you for the master password, generate the hash, and "output" the account-specific password. On Windows and Mac, narvi will make the password available in the clipboard for eight seconds. On Linux, narvi will output the password to stdout.
If the salt is not one that narvi recognizes, it will prompt you for the configuration for that salt:
- The hash scheme (defaults to scrypt with N=2^18, r=8, p=1)
- The word scheme (defaults to a 16-character base64-encoded password using ! and @ as the extra characters, with at least one lower case, one upper case, and one digit)
- A description (default is none)
Consider using a six-word (at least) Diceware passphrase.
Start with USERNAME @ WEBSITE, such as you@yourbank.com. This will make it easier to remember the salt if you switch to a new computer or otherwise lose your remembered salts.
If a service requires that you regularly change your password, append a date:
USERNAME @ WEBSITE # DATE
you@yourbank.com#2014
you@yourbank.com#3Q14
If a service requires security questions, consider using a narvi-generated password for these as well. In this way, you will not be providing the same answers to multiple services.
USERNAME @ WEBSITE , QUESTION
you@yourbank.com,mothersmaiden
The author is not a subject matter expert in cryptography. Read the paper, convince yourself (or not).
scrypt is designed such that even if an attacker knows: your salt, the scrypt hash function parameters, and the hash output, then discovering your master password is still "hard". The security lies in the scrypt key derivation algorithm and the entropy in your master password, not in the secrecy of your salts.
Scrypt is described in detail in Stronger Key Derivation via Sequential Memory-Hard Functions.
Using one-way hashes as service-specific passwords is not new. See, for example, A Convenient Method for Securely Managing Passwords and Stronger Password Authentication Using Browser Extensions.
- To generate the password for a salt given on the command line:
narvi hash SALT - To list the remembered salts:
narvi list - To forget a remembered salt:
narvi forget SALT - To list available hash schemes:
narvi lshashschemes - To list available word schemes:
narvi lswordschemes - To view the license:
narvi license
narvi stores its saved configuration in ~/.narvi/config as JSON. This file will be created the first time you tell narvi to save a salt. In addition to holding your salt definitions, there are some global settings that you can edit:
clipboard-time(integer) The number of seconds that narvi will keep the generated password on the clipboard. Default is 8.default-hashscheme(string) The default hash scheme for new salts. Default isscrypt-18-8-1-512.default-wordscheme(string) The default word scheme for new salts. Default isbase64-16-!@-aA1.