#!/usr/bin/env python3

# my (almost) state-less password manager

#

# usage: passgen <domain_of_website>

# It will prompt you for your master password, and then your site-specific password will be printed.

#

# the rough algorithm is PBKDF_HMAC_SHA256( master_password + "/" + domain_of_website )

# which should be secure.

#

# By default it truncates the password to a reasonable length (most websites won't accept passwords that long)

# And it transforms the first 4 characters into an uppercase, lowercase, number, and symbol, respectively,

# which will satisfy the requirements of 99% of websites. For websites that have other weird requirements, or

# specifically ban symbols, etc. you can disable or modify this behavior on a site-specific basis (see below)

#

# the only stateless parts are:

#

# * a site-specific config that describes weird password requirements of various

# websites so that the password-generator can adjust the password to meet those

# requirements, (passgen.site.yaml) -- this can be publicly stored

#

# * a user-specific config that stores the Nth password used on a website -- this can

# be theoretically publicly stored, though out of precaution i'd throw it on a cloud

# storage somewhere

#

import hashlib, os, re, sys, base64, time, yaml

script_path = os.path.realpath(__file__)

try:

# try hard

from getpass import getpass

except ImportError:

# stop complaining and try harder

os.system("pip3 install getpass")

from getpass import getpass

# domain name in question, e.g. google.com

domain = sys.argv[1]

# load parameters for different sites' nitpicks about password requirements

params = {}

with open(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'passgen.site.yaml'), 'r') as f:

try:

params = yaml.safe_load(f.read()).get(domain, {})

except:

print("Error loading passgen.site.yaml")

with open(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'passgen.user.yaml'), 'r') as f:

try:

params_user = yaml.safe_load(f.read()).get(domain, {})

except:

print("Error loading passgen.user.yaml")

# have user input master password

master_password = getpass()

# nth password used on site

if 'n' not in params_user:

params['n'] = 0

else:

params['n'] = params_user['n']

# tack this onto the end of a password

# useful if a site requires a use of a particular restricted set of symbols

if 'tail' not in params:

params['tail'] = ""

# ensure an uppercase character

if 'ensure-upper' not in params:

params['ensure-upper'] = True

# ensure an lowercase character

if 'ensure-lower' not in params:

params['ensure-lower'] = True

# ensure a number

if 'ensure-number' not in params:

params['ensure-number'] = True

# ensure a symbol

if 'ensure-symbol' not in params:

params['ensure-symbol'] = True

# length of password

if 'length' not in params:

params['length'] = 16

# generate password

thehash = hashlib.pbkdf2_hmac(

'sha256',

(master_password + "/" + domain).encode('utf-8'),

b'',

200000 + params['n'],

)

password_text = bytearray(base64.b64encode(thehash)

.replace(b'+', b'')

.replace(b'/', b'')

.replace(b'=', b'')

)

if params['ensure-upper']:

password_text[0] = 0x41 + (password_text[0] % 26)

if params['ensure-lower']:

password_text[1] = 0x61 + (password_text[0] % 26)

if params['ensure-number']:

password_text[2] = 0x30 + (password_text[0] % 10)

if params['ensure-symbol']:

password_text[3] = 0x21 + (password_text[0] % 10)

password_text = password_text.decode()

if "exclude-chars" in params:

for char in params["exclude-chars"]:

password_text = password_text.replace(char, "")

password = password_text[0:params['length']] + params['tail']

print(password)