Freitag, 21. November 2014

PwdHash on the command line

PwdHash is a way to generate different passwords for different sites based on the same master password. Many plugins and adoptions exist for different browsers and also implementations for Android. Apple sucks: there is no way to have browser plugins on an iPhone. Who cares for the dead?

But sometimes it is useful to be able to generate the password hashes on the command line without using a browser. This can be done with a JavaScript engine like SpiderMonkey. The following script shows how to fetch the JavaScript code from pwdhash.com for SpiderMonkey to generate a password.

#! /bin/bash

URL=$1; shift

read -s -p "Password: " PW
echo

get () { curl -sSL https://www.pwdhash.com/"$*"; }

scripts () { get | sed -n 's/.*script src="\(.*\).js".*/\1/p'; }

smjs <(
  for JS in $(scripts); do get "$JS".js; done
  echo "print(new String(new SPH_HashedPassword('$PW','$URL')));"
)

Of course it would be better to extract the script names with an XPath expression like /html/meta/script[@type="text/javascript"]/@src but unfortunately the HTML code of pwdhash.com is currently broken and can neither be parsed by xmllint nor by SaxonHE. Normally I would not suggest to use sed to parse HTML but in this case it seems to be simpler.

On Debian you need the packages curl and spidermonkey-bin.

apt-get install curl spidermonkey-bin libnspr4

3 Kommentare:

Anonym hat gesagt…

Vielen Dank für das nützliche Skript! verwende das Skript zusammen mit mcabber (Konsolen-Jabber-Client), um mein gehashtes Jabber-Password zu generieren.

Noch ein Hinweis für Ubuntu-Nutzer: Auf Ubuntu 14.04.2 LTS heißt das zu installierende SpiderMonkey-Paket "libmozjs-24-bin" und der Befehl für die JS-Shell heißt "js24" statt "smjs"; Einfach im Shell-Skript ersetzten, dann läuft's.

Anonym hat gesagt…

Ah this is an English post!
So here's my hint for ubuntu-users in English: For Ubuntu (14.04.2 LTS) the SpiderMonkey-package you need to install is called "libmozjs-24-bin" and the command for the JS-shell is called "js24" instead of "smjs"; just replace it in the shell-script, then it should work.

Anonym hat gesagt…

Sadly the script is surprisingly slow: takes ~10s to generate the pwdhash. I'm no expert so I don't know if it has to do with the unnormal usage of "sed".