| | envkey | zxcvbn |
|---|---|---|
| Mentions | 9 | 59 |
| Stars | 599 | 14,712 |
| Growth | 7.8% | 0.7% |
| Activity | 7.0 | 0.0 |
| Latest commit | 2 months ago | 3 months ago |
| Language | TypeScript | CoffeeScript |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
envkey
-
Show HN: Envkey-VSCode – Autocomplete/type-checking for env vars in 46 languages
envkey-vscode is a VSCode extension that provides autocomplete, type checking, and peek-on-hover for environment variables in 46 different programming languages. Instead of a typeless, error-prone blob, the environment now acts like a strongly-typed object in every language you work in.
I’ve been using this extension myself for a couple weeks now and it feels like a pretty significant upgrade to my development workflow, especially when working on integrations across multiple languages, so I thought it was worth showing you all.
envkey-vscode relies on EnvKey, an open-source, end-to-end encrypted configuration and secrets manager that is focused on security and ease-of-use. It’s cross-platform, can integrate with any language or host, and can be cloud-hosted or self-hosted. Getting a project integrated normally takes a couple minutes.
More on EnvKey: https://www.envkey.com
Building and testing it has been an interesting process, as I relied quite heavily on ChatGPT/GPT-4 to cover languages that I’m not very familiar with. It helped me to develop regexes to cover the common forms of environment access in each language, as well as to produce small test cases and Dockerfiles that can run them. While it took a lot of passes and tweaking to root out hallucinations and get each language right, I don’t think there’s any way I could have built a tool like this in a reasonable amount of time. Having a single `test` command that runs examples in dozens of languages is pretty amazing—sort of like a rudimentary version of Replit that runs locally.
All the code for the extension lives in EnvKey’s monorepo here: https://github.com/envkey/envkey/tree/main/public/sdks/tools...
I’m planning to write up a blog post on this process and what I’ve learned about how to get the most out of GPT on a polyglot coding project like this. If you’re interested, you can sign up to get notified here when this post is live: https://envkey.us15.list-manage.com/subscribe?u=623039cd8518...
-
PHP library for EnvKey: an open source, end-to-end encrypted configuration and secrets manager
envkey-source code is here: https://github.com/envkey/envkey/tree/main/public/sdks/envkey-source
-
Show HN: Gut – An easy-to-use CLI for Git
If anyone needs help keeping secrets out of git, you could give EnvKey[1] a look (disclaimer: I'm the founder). It aims to keep all secrets out of the repo completely so that you can't be burned by forgetting to add something to .gitignore.
It takes a few minutes to install and then all your secrets and config will be in the environment, and will stay automatically up-to-date when there are changes.
Might be a way to cut out that particular failure mode when using Gut (which looks interesting btw--kinda like Git: the good parts).
1 - https://github.com/envkey/envkey
-
Bitwarden Design Flaw
We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.
Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.
That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrase can optionally be added on top.
The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.
1 - https://github.com/envkey/envkey
2 - https://github.com/dropbox/zxcvbn
-
Seriously, Stop Using RSA
EnvKey[1] moved from OpenPGP(RSA) to NaCl for its v2, which recently launched.
It’s causing a difficult migration for our v1 users. Moving to a new encryption scheme is not fun for a product with client-side end-to-end encryption.
But within a year or so after releasing the v1, it seemed like the writing was on the wall for OpenPGP and RSA. I didn’t want to go down with a dying standard.
NaCl is so much better. In spite of the migration headaches that will likely cost us some users, I’m very happy I made this decision. It’s so much faster, lighter, and more intuitive.
It’s legitimately fun to work with, which I never thought I’d say about an encryption library after cutting my teeth on OpenPGP.
1 - https://github.com/envkey/envkey
-
Show HN: EnvKey 2.0 – End-To-End Encrypted Environments (now open source)
The process management code lives here: https://github.com/envkey/envkey/blob/main/public/sdks/envke...
Basically the command you pass in to envkey-source is run via:
```go
exec.Command("sh", "-c", c)
```
(c is the command you passed as a string.)
Stdout/stderr is piped through, and .Wait() is called on the command. If envkey-source is in watch mode, it will send a SIGTERM when the environment is updated, then re-run the process once the initial process has died. I can verify that, for example, if a server listening on ports is restarted in this way, the process will die and the ports will be cleared before the new process is started (this has been well-tested).
Do you see a problem with this approach? We will prioritize making all this bulletproof.
- EnvKey End-to-End Encrypted Environments Is Now Open-Source
zxcvbn
-
Show HN: A lightweight PHP library for checking password strength
Lightweight is an understatement here.
A client's project (with not necessarily technical customers) has had pretty reasonable success using the Dropbox-originated library[1] for this, `zxcvbn`[2], on both frontend via js (for "instant" feedback) and on the backend via php (to enforce the requirements when writing password hashes to the database).
1: https://dropbox.tech/security/zxcvbn-realistic-password-stre...
2: https://github.com/dropbox/zxcvbn
- Zxcvbn: Low-Budget Password Strength Estimation – Usenix (2016)
-
I updated our famous password table for 2023
Use zxcvbn to check your password strength more thoroughly.
-
I hope the common password whitelisters at Microsoft still get therapy benefits to share the unobfuscated language they were subjected to.
Source, if anyone wants the whole list: https://github.com/dropbox/zxcvbn/blob/master/data/passwords.txt
-
How long can a password be with the new login system?
Password strength is evaluated based on the zxcvbn library.
-
How hard could it be? Sorting words alphabetically in Rust
In contrast, let's consider the password "zxcvbn214". How might we assign an entropy to this password? Is it $36^9$? Or $26^6 \times 10^3$? Anyone familiar with a QWERTY keyboard or Dropbox's password strength estimator knows that "zxcvbn" is hardly a random sequence of letters. This same principle applies to "l33t" speak, e.g. replacing all "e"s with 3s and "a"s with 4s. These strategies may "trick" simple entropy calculations into estimating a high entropy, but they won't trick sophisticated attackers. This leads to strength over-estimation, which is, I argue, the worst thing we can do in this context.
- Zxcvbn: Low-Budget Password Strength Estimation
-
TIL There's Another YAML
> except for ZXCVBN
You mean the Low-Budget Password Strength Estimator?
https://github.com/dropbox/zxcvbn
Yeah, that name is totally legit.
-
Which tool can crack this password so fast?
For any part of the password that zxcvbn cannot match to a known pattern, it uses a brute-force cardinality of 10, i.e., it estimates that the number of guesses required to crack a password or password segment of length $N$ is equal to $10^N$ (equivalent to the number of guesses required to exhaust all possibilities if your password consisted only of numbers).
What are some alternatives?
vault-exfiltrate - proof-of-concept for recovering the master key from a Hashicorp Vault process
SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
tini - A tiny but valid `init` for containers
monkeytype - The most customizable typing website with a minimalistic design and a ton of features. Test yourself in various modes, track your progress and improve your speed.
Vault - A tool for secrets management, encryption as a service, and privileged access management
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
dumb-init - A minimal init system for Linux containers
dumb-password-rules - A compilation of sites with dumb password rules.
gut - An alternative git CLI for Windows, macOS, and Linux
Next.js - The React Framework
gitless - A simple version control system built on top of Git
Material UI - Ready-to-use foundational React components, free forever. It includes Material UI, which implements Google's Material Design.