Updated Oct 14, 2009 by bcannon
Labels: Featured
FAQ  
Frequently Asked Questions.

About

What is Oplop?

Oplop is a password generator. It takes a label representing some online account you have along with an ultra-secure master password, and then Oplop consistently generates a unique password for that label using some fancy math.

Portability and acceptance of the passwords Oplop creates are key goals of the project. Portability is addressed by trying to make sure that Oplop is available not only when you are online, but also disconnected from the Internet or away from your own computer.

Acceptance of passwords generated by Oplop comes from two key requirements placed on every generated password. One is that the passwords are 8 characters long, the most typical length accepted for passwords. Two is that Oplop guarantees there is at least one digit in the password to cover alphanumeric password requirements (because of the randomness in the algorithm Oplop uses, at least one uppercase and one lowercase character can be expected to end up in the password as well). The personal experience of the Oplop developers has shown that these requirements are enough to cover a large majority of password requirements found online.

What was the inspiration?

The inspiration for Oplop originates from Alan Karp's Site Password.

What is with the name?

Oplop stands for "One Password equals a Lot Of Passwords". Basically a name was needed to start the Google Code project and "Oplop" was the best that could be thought up in five minutes.


How it works

How does Oplop create your password?

In simple terms, it takes your label and master password, puts them together, does some math on it, and then makes the result readable by humans. All this with a guarantee of having a digit in there somewhere.

Technically, it follows these steps:

  1. Concatenate the master password and label (in that order!).
  2. Calculate the MD5 hash.
  3. Get the base 64 representation of the hash.
  4. If there are no digits in the first 8 characters, find the first all-digit substring of the hash and copy it to the front of the hash.
  5. Return the first 8 characters.
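The five steps above, written out as an added example (not code from the Oplop project). Two points the FAQ leaves open are filled in as assumptions: the base64 alphabet is taken to be the URL-safe one, and a hash containing no digit at all gets a "1" put in front.

```python
import base64
import hashlib
import re

# Added example implementing the five steps above; not the Oplop project's
# own code. Assumptions: URL-safe base64 alphabet, and "1" is prepended
# when the hash has no digit anywhere (a case the FAQ does not spell out).

PASSWORD_LENGTH = 8


def ensure_digit(b64hash: str) -> str:
    """Step 4: guarantee a digit within the first 8 characters.

    If the first 8 characters already contain a digit the hash is returned
    unchanged. Otherwise the first run of consecutive digits found anywhere
    in the hash is copied to the front. With no digits at all, "1" is used
    (assumption, see above).
    """
    head = b64hash[:PASSWORD_LENGTH]
    if any(ch.isdigit() for ch in head):
        return b64hash
    match = re.search(r"\d+", b64hash)
    digits = match.group(0) if match else "1"
    return digits + b64hash


def oplop(label: str, master_password: str) -> str:
    """Generate the account password for a label and master password."""
    # Step 1: master password first, then label (the order matters).
    combined = (master_password + label).encode("utf-8")
    # Step 2: MD5 digest, 16 raw bytes.
    digest = hashlib.md5(combined).digest()
    # Step 3: base64 encoding, 24 characters including the "==" padding.
    b64hash = base64.urlsafe_b64encode(digest).decode("ascii")
    # Step 4: make sure a digit lands in the first 8 characters.
    b64hash = ensure_digit(b64hash)
    # Step 5: keep only the first 8 characters.
    return b64hash[:PASSWORD_LENGTH]


if __name__ == "__main__":
    # Constructed sample inputs. Labels are case-sensitive, so "Amazon"
    # and "amazon" produce different passwords for the same master password.
    master = "correct horse battery staple"  # constructed example value
    for label in ("Amazon", "amazon"):
        print(label, oplop(label, master))
```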

Why use MD5 over SHA?

The original plan for Oplop was to write a version to run on S60 cell phones using the port of Python for S60 (http://wiki.opensource.nokia.com/projects/Python_for_S60). Because Python for S60 only supported Python 2.2 at the time, it meant SHA was not available while MD5 was.

MD5 is also more widely available for use when creating versions of Oplop.

Should MD5's known weaknesses worry me?

No. You can read about the preimage and collision attacks if you want, but remember that MD5 is being used more for a consistent randomness factor than for its cryptographic abilities. Since Oplop is not used to sign any data, any collision is useless.

And even if MD5 is somehow completely cracked and people are able to work backwards from a hash to the string input, they still do not have enough of the original hash from Oplop to reverse the hash back to your label and master password. Because Oplop only uses 8 of the 24 characters from the hash, there are still 65,536 (2^16) valid hashes that have the same first 8 characters. And this ignores any digits that were possibly added to the front of the password. In other words, it is impossible to reliably take a password generated by Oplop and get the master password and label from it.


Usage

How do I use Oplop?

First thing is to install it everywhere you can. That way you never have to worry about lacking access to your passwords, even if you do not have Internet access to reach Oplop Online.

Next is to choose a master password. It should be a very secure password and something you never write down or tell anyone!

For each account you have, choose a label for it. It should be something you can easily remember for each account. As an example, a label you might use for your Amazon account is "Amazon", "amazon", "amazon.com", etc. Do note that labels are case-sensitive!

With your label and master password, you enter them into Oplop and have it create your password for the account. If you are setting the password for an account for the first time, make sure you entered your master password correctly by generating the password twice and verifying that the two results are the same.

What makes a good master password?

Some rules to follow:


Why should I use Oplop instead of ...

... one password for all of my accounts?

Imagine someone getting a hold of your single password by cracking into an account you have online. They now have access to everything! After that they would just need to know where you have accounts and your username to gain access to other accounts.

Oplop avoids this entire issue by creating a unique password per account thanks to the use of labels. Oplop never saves your master password, so unless you write it down or tell it to someone, the worst some cracker will get from a compromised account is the unique password Oplop created for you for that account.

... a piece of paper listing unique, strong passwords for each account?

A piece of paper can be lost, although you can easily keep a backup copy somewhere in your home. In that instance it becomes a matter of physical security over electronic security. It also requires making sure you keep the piece of paper with you if you ever need access to your passwords when you are away from home.

There is also a convenience factor. When you are sitting at your computer you do not necessarily have your password list easily available as it might be in another room. And if you do leave your password list at your computer you risk a guest on your computer easily accessing your accounts.

That said, if you do not use Oplop, please do use this approach. But make sure that each and every password is unique and strong.

... having my browser store the passwords?

Having your browser store your passwords limits you to a specific browser. It also restricts you to one computer to get to your passwords. It also does not work for accounts that you do not access online (e.g. your voicemail PIN).

... other password generators (e.g. Pwdhash)?

PwdHash is a web site and Firefox add-on password generator much like Oplop. It generates passwords using MD5 and requires a digit.

Probably PwdHash's biggest drawback is that it doesn't limit the length of the generated password; it is a function of the length of your master password. If you have a long master password it can lead to an even longer generated password (e.g. a 12 character master password leads to a password that is 14 characters long). Long passwords can be a problem on web sites that don't allow more than 8 or 10 characters. And trying to count the first 8 or 10 characters from a password can be error-prone. Having to truncate a password from PwdHash is also an issue thanks to the possibility that the length you truncate it to will not

There is also the problem that PwdHash uses the same label for everyone using the same site. This cuts down on the potential randomness of the generated password between users of PwdHash who have accounts for the same site.

There is also a portability issue as PwdHash requires a web browser either for its web page edition or its Firefox add-on. Oplop has versions for cell phones so that even a computer is not needed to access your passwords.

... storing your passwords electronically (e.g. 1Password)?

A big problem with 1Password is that it is closed-source. Not being able to audit exactly how 1Password works leaves open the possibility that there is a backdoor to the application. Being able to audit the code you are using for your passwords is a powerful and important thing to make sure everyone is being honest.

There is also the issue of storing your passwords in an application. This requires having constant access to your stored files. 1Password tries to handle this by allowing you to upload your passwords to their web site or their cell phone editions. But the web site storage poses the issue that you have now given a third party direct access to your passwords. And if the application was at all written poorly then someone could decrypt your stored passwords. It also assumes good faith on 1Password's part. And the cell phone solution requires remembering to sync your passwords.

1Password is limited to OS X. Oplop, on the other hand, is OS-agnostic. At the bare minimum we support any platform that can execute Python, which includes all major operating systems.

Oplop is also free. =)

... web sites that store your passwords (e.g. Clipperz)?

Clipperz has the issue of trusting a third-party with your passwords. If the encryption is somehow weak then you are exposed to someone stealing your passwords from a place you have no direct control over. To deal with the worry of entrusting your passwords to someone else, there is Clipperz Community Edition. This is an open source implementation of Clipperz that you can run on your own. While this is a nice solution that addresses many of the issues 1Password has, it still requires storing your password somewhere, leaving the threat of someone stealing all of your passwords off of the machine storing the passwords.

Clipperz also requires an Internet connection. Because Oplop doesn't need to store anything it can run without an Internet connection.

