Use your YubiKey as a consistent password generator
ykpass is a toolset that allows you to use the challenge-response capabilities of your YubiKey to generate consistent passwords, based on a secret pre-programmed into the YubiKey and on a "salt" provided by the program.
ykpass is not a password manager, in the sense that you don't need to synchronize your passwords across devices or back them up somewhere. You only need to back up/remember one password, and the salt/"pin code" which you provide at runtime.
Using the YubiKey Personalization Tool, set up your YubiKey with these parameters:
Open Keychain Access and add a new Keychain item called ykpass. This will contain the salt/"pin code" for your passwords.
Run ykpass.osx.cli or ykpass.osx.ui:
- ykpass.osx.cli will write the generated password into stdout.
- ykpass.osx.ui will type the passwords to the foreground application. It is best to integrate it with some kind of hotkey using Alfred or BetterTouchTool.
You should consider implementing a DEFAULT_CHALLENGE script.
Set the environment variable DEFAULT_CHALLENGE to point to a script, whose output will be used as the default site name.
I recommend using Chrome's foreground domain name as the default value; the following works best for me on Mac:
osascript -e 'tell application "Google Chrome" to set theURL to URL of active tab of front window'
There are several password flavors, determined by the suffix of the requested site name / URL:
- ! - 16 characters of Base64 (A-Z a-z 0-9 +/).
- @ - 12 characters of Base32 (A-Z 2-7).
- # - 8 characters of Base32 (A-Z 2-7).
The default if no suffix is present is 16 characters of Ascii85 (A-Z a-u 0-9 !"#$%&'()*+,-./:;<=>?@[\]^_).
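A software model of the scheme described above, added here as an illustration and not ykpass's own code. It assumes the YubiKey slot runs HMAC-SHA1 challenge-response, that the challenge is the salt followed by the site name, and that the password is the encoded response cut to the flavor's length; the secret, salt and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import math

# Constructed demo values; on real hardware the secret never leaves the YubiKey.
SECRET = bytes(range(20))
SALT = "4711"

# suffix -> (encoder, password length, alphabet size); "" is the no-suffix default
FLAVORS = {
    "!": (base64.b64encode, 16, 64),
    "@": (base64.b32encode, 12, 32),
    "#": (base64.b32encode, 8, 32),
    "": (base64.a85encode, 16, 85),
}


def split_flavor(site):
    """Separate a trailing flavor suffix (!, @ or #) from the site name."""
    if site and site[-1] in "!@#":
        return site[:-1], site[-1]
    return site, ""


def software_response(secret, challenge):
    """Stand-in for the token: HMAC-SHA1 over the challenge (assumed mode)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive(secret, salt, site):
    """Same secret + salt + site always yields the same password."""
    name, suffix = split_flavor(site)
    encode, length, _ = FLAVORS[suffix]
    # Assumption: challenge = salt + site name (the real layout is not on the page).
    response = software_response(secret, (salt + name).encode("utf-8"))
    # The 20-byte response encodes to more characters than any flavor needs.
    return encode(response).decode("ascii")[:length]


def entropy_bits(suffix):
    """Upper bound on password entropy: length * log2(alphabet size)."""
    _, length, alphabet = FLAVORS[suffix]
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for site in ("example.com", "example.com!", "example.com@", "example.com#"):
        _, sfx = split_flavor(site)
        print(f"{site:14} {derive(SECRET, SALT, site):18} <= {entropy_bits(sfx):.0f} bits")
```

The entropy column shows why the # flavor (at most 40 bits) is only suitable for sites that enforce short passwords and throttle guessing.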
The ykchalresp binary must be setuid to root. I believe the best way to avoid this is to actually use a browser extension.