GenPass is a simple password manager that easily synchronizes between devices and can restore passwords from a seed in case your device is damaged, lost, or stolen.
Unlike other password managers, GenPass does not store passwords in any form -- not even encrypted. Instead, passwords are deterministically generated from a secret seed and a not-secret tag. One side effect of this is you cannot choose your own passwords. (Most of the time, this is a good thing because humans are very bad at choosing strong passwords.) Passwords generated by GenPass are 43 characters long and use various upper and lower case letters, numbers, and symbols.
After creating a seed and doing the setup, you can generate a password by running genpass
on the terminal. It will ask you for a tag and for your master password. It will then generate the password and print it to the console. To instead put the generated password in your clipboard, use the -c
option. To print a list of all available options, use the -h
option.
The tag is just a unique identifier for each password. For online accounts, I like to use the domain name of the website as the tag; for example, "twitter.com" would be the tag for my Twitter password. There is little to no benefit to keeping your tags secret.
Make sure to use a different tag for each password or online account. If you use the same tag, then GenPass will generate the same password, and using the same password across two or more online accounts is not safe.
To install GenPass, simply copy genpass.sh
to /usr/local/bin/genpass
.
To make it more secure, make sure the file is owned by root:
chown root:root /usr/local/bin/genpass
(Alternatively, if you don't have super-user privileges, you can copy the script to $HOME/.local/bin/genpass
, but I don't recommend this since it's less secure.)
Make sure it is working properly:
genpass -h
If this fails, make sure /usr/local/bin
is in your PATH.
Import the seed to GenPass:
genpass --create <your seed file name>
Alternatively, if you don't want to imprint your HDD or SSD with the unencrypted seed, you may use ramfs or a pipe to import your seed. This is recommended, though I haven't written up instructions for this yet; you can look up online how to use pipes or ramfs. If you choose to store your seed on a HDD or SSD unencrypted, then I recommend using the shred utility to erase it. Do not specify your seed directly on the command line because this may be viewable by another user or service looking at running processes or it could be saved in a log file or in the bash history.
GenPass will ask for a new master password and confirmation of the password.
I like to set a keyboard shortcut (alt-G) to run GenPass in a new terminal window, so that I can generate passwords quickly and easily. How to set this up will vary from system to system, so it is not covered here. Search online for how to set a custom keyboard shortcut for your system.
If you want to change your master password, use
genpass --change
Before trusting all your online accounts to GenPass, I recommend giving a quick look at the source code to verify for yourself that I'm not doing anything fishy (like opening a tcp socket to send your seed). Even if you don't code, you should be able to see if something fishy is going on.
GenPass uses a seed, a salt, and a tag to generate your passwords. Additionally, a master password is used to encrypt your seed.
The seed is the most important part. It is basically the master password that unlocks all of your passwords. It is stored encrypted in $HOME/.genpass/seed
. You should absolutely back this up and keep it private. If your device is damaged, lost, or stolen, you can recover all your passwords as long as you have the seed.
The salt is a very long string that makes brute force attacks more difficult. The salt is set to the word "salt" repeated 25 million times with no spaces. A longer salt makes brute force attacks more difficult at the cost of making GenPass a bit slower. You may change the salt if you like, but I do not recommend it. If you do, then you must use the same salt when restoring your passwords.
A tag is a unique identifier for each generated password. I like to make my tags based on the domain name that the password is for. For instance, my tag for Twitter might be "twitter.com". The most important part of a tag is that it is unique for each password and that you can remember it. It does not have to be random or secret. A list of your tags is stored unencrypted in $HOME/.genpass/tags
. I recommend backing up this file in case you forget any of your tags and your device is lost, damaged, or stolen.
These three components (the seed, the salt, and a tag) if they are the same, they will generate the same password -- every time. This is done by concatenating the seed, tag, and salt (in that order), and hashing that with sha256. This hash is then encoded with base64 to generate the password. It's dead simple and yet secure.
Additionally, GenPass uses a master password to encrypt your seed, and you must type this in whenever you generate a password. Your password should be fairly long, but not so long that it takes forever to type. I recommend using at least 15 characters. If someone gets your encrypted seed and is able to guess your master password (like with a supercomputer), then they can unlock all your generated passwords. I hope it goes without saying that you should use appropriate security practices when handling your master password -- don't store it unencrypted, don't write it on a post-it note, etc.
Internally, GenPass uses a seed checksum to ensure you typed the master password correctly and prevent generating faulty passwords. This checksum is stored at $HOME/.genpass/seed_check
and is created automatically when you create a seed with the --create
option.
While I do recommend backing up your seed and your tags, the beauty of GenPass is that even if you lose your backups, you can still recover your passwords as long as you remember your seed and your tags. Your tags should be very memorable (such as "twitter.com" for your Twitter password), and your seed can be memorizable depending on how you choose it.
If you want your passwords to synchronize across multiple devices, simply copy the genpass home directory (at $HOME/.genpass
) from one device to another. This directory contains your encrypted seed, your seed checksum, and your current list of tags. Since you are now using the same seed on both devices, specifying the same tag will generate the same password. There is no need to resynchronize after generating "new" passwords; you just need to confirm new tags the first time you use them on each device.
If you decide to change your master password, you must do so for each device separately or copy the encrypted seed to your other devices (or you can use different master passwords on different devices). If you create a new seed, then you must copy the new encrypted seed and seed checksum to your other devices.
The number one way I recommend choosing a seed is with the password app for the Ledger hardware wallet. The Ledger password app works much like GenPass, and you will be able to recover your seed as long as you remember your 24-word Ledger seed phrase and the name that you gave the password on your Ledger (I recommend giving it the name "genpass"). Even if you lose your Ledger, then you will be able to restore another Ledger device with the same 24-word seed phrase and recover your GenPass seed.
If you do not have a Ledger or you don't want to go through the trouble of using the Ledger password app, then here are a few suggestions.
Random words: You can choose 24 random words from the BIP 39 wordlist. And when I say random, I mean really random. Use your computer, or a calculator, or a 2048-sided die, or flip a coin 11 times to generate a random number from 0 to 2047 and choose the word on the corresponding line of the wordlist. Do this 24 times to get your random words. Simply thinking of words is not good enough. Once you have your random words, put them in a text file delimitated with newlines (including a newline at the end), and use that as your seed.
Random bytes: You can get random bytes in base64 encoding by running head -c32 /dev/random | base64
. Put the base64-encoded bytes in a text file with no spaces or newlines, and use this as your seed. Random bytes can be very hard to memorize, so you may be toast if you lose your backup. Technically, the seed does not have to be text, so you could use raw binary instead of encoding it with base64, but text can be easier to work with in some situations.
It really doesn't matter what you use as your seed as long as nobody can guess it -- even with a supercomputer. You could choose a phrase from a book, a verse from the Bible, or the whole Bible. Though these methods may be less secure than the truly random ones that I recommend.
Whatever method you choose to generate your seed, I recommend it have at least 32 bytes (256 bits) of entropy.
Once you have chosen your seed and have it in a file, then run
genpass --create <the filename of your seed>
to load your seed into genpass. Then shred your unencrypted seed file.
To avoid imprinting your HDD or SSD with the seed, you can use a ramfs or you can pipe the seed into genpass --create
. Do not specify your seed directly on the command line because this may be viewable by someone looking at running processes, or it could be saved in a log file or the bash history.
Careful that you do not have unnecessary bytes in your seed. So much as a missed capitalization, or stray whitespace, or an extra/missing newline will cause the generated passwords to be completely different.
If you forget your seed and don't have a backup, then it is impossible to recover your passwords.
Do not let anyone know your seed or your master password. Not me. Not friends/family. Not anybody. If anyone asks for your seed or master password, then it is 100% a SCAM. Do not fall for it. You have been warned. And it should also go without saying that you keep your device secure with good security practices, malware protection, whatever it takes. If a bad actor gains access to your device without your knowledge, then no password manager can protect you. If you suspect that your device is compromised, then do not type your master password as that is your last line of defense and it can potentially be harvested with a key-logger; instead, use a device you trust to promptly change your seed and master password and update all your online passwords with passwords generated from the new seed.