Updated password prompting mechanism

samveen · samveen · commit 3a6f3ed4e60e · 2023-04-27T01:30:03.000+05:30
diff --git a/ICDe@dPp.jpg b/ICDe@dPp.jpg
diff --git a/README.md b/README.md
@@ -24,34 +24,61 @@ Generates Time-based One-Time Password's (TOTP) using MicroPython, Raspberry Pi
 - Open an interactive session on the Pico and encrypt the `codes.json` and `WifiSecrets.json` as below:
 ```
 >>> import cryptor
->>> cryptor.encrypt('codes.json','mypasswd')
->>> cryptor.encrypt('WifiSecrets.json','mypasswd')
+>>> key='your8chr'
+>>> cryptor.encrypt('codes.json',key)
+>>> cryptor.encrypt('WifiSecrets.json',key)
 ```
 - Remove the unencrypted `WifiSecrets.json` and `codes.json` from the Pico W storage
 - Copy main.py to the Pico
 - Reset the Pico W
 - Enter your password at the initial password prompt.
-- Fix datetime at prompt if Wifi doesn't work.
+- Fix datetime at Date time prompt if Wifi doesn't work.
 - Now you can cycle through your TOTP's using Key0 of the Pico-Oled-1.3.
 - Key1 of the Pico-Oled-1.3 toggles the display ON/OFF.
 
-# Updating secrets
+## Password length, range and security
+
+The secrets are encrypted using a simple scheme using an 8 character password. However valid characters are any ASCII
+character with *the following exceptions*:
+- Space and non-blocking space
+- Quotes: `"`, `'`,`` ` `` (including backquote/backtick)
+- backslash - `\`,
+- Hyphen: `-`
+
+The password is taken as a 8 pairs of 2 digits, each pair representing the ordinal of a character of the password. Each digit takes
+a seperate input, leading to quicker input with just increment/decrement keys (worst case is 12 keypresses per characters encoded as
+numbers, as compared to 46 with incrementing characters)
+
+<img src="ICDe@dPp.jpg" />
+
+The SHA256 digest of this key is generated and used as the encryption key for the secret files.
+
+There are 89 valid characters (128 - 32 - 2 - 5) and so 89^8 possible passwords, so it's around a day's worth of effort to crack this scheme.
+
+However, additional security can be achieved by taking another number as input, and then running those many rounds of hashing on the hash results to generate the final hashed key.
+
+But that's future work for the paranoid forker.
+
+
+## Updating secrets
 
 - Connect to the REPL
 - Press CTRL-C to stop the code and bring up the prompt
 - Run the following code to dump the secrets files to console as plain text:
 ```
 >>> import cryptor
->>> print(cryptor.decrypt('codes.json.encoded','mypasswd').decode())
->>> print(cryptor.decrypt('WifiSecrets.json.encoded','mypasswd').decode())
+>>> key='your8chr'
+>>> print(cryptor.decrypt('codes.json.encoded',key).decode())
+>>> print(cryptor.decrypt('WifiSecrets.json.encoded',key).decode())
 ```
 - Copy the outputs into `codes.json` and `WifiSecrets.json` on your workstation, and update with new secrets as required.
 - Push the updated `codes.json` and `WifiSecrets.json` to the Pico W.
 - Encrypt `codes.json` and `WifiSecrets.json` and overwrite previous encoded files as below:
 ```
 >>> import cryptor
->>> cryptor.encrypt('codes.json','mypasswd')
->>> cryptor.encrypt('WifiSecrets.json','mypasswd')
+>>> key='your8chr'
+>>> cryptor.encrypt('codes.json',key)
+>>> cryptor.encrypt('WifiSecrets.json',key)
 ```
 - Remove the unencrypted `WifiSecrets.json` and `codes.json` from the Pico W storage.
 
diff --git a/password.py b/password.py
@@ -3,9 +3,10 @@
 
 def get(display):
     # year, month, day, hours, minutes, seconds)
-    password=[0,0,0,0,0,0,0,0]
+    # 8 2-digit numbers
+    password=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
     # Rollover limits
-    chars=b'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+=/?[]{};:,.<>|~'
+    chars=b'!#$%&()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~'
     clen=len(chars)
     selected_idx = 0
     max_idx=len(password)
@@ -18,7 +19,6 @@ def get(display):
     display.text("Dec", 0, display_height - 9)
     display.text("Next", display_width - 30, display_height - 9)
 
-    display.text(" C C C C C C C C", 14, display_height // 2 - 15)
 
     changed=True
 
@@ -30,26 +30,47 @@ def get(display):
             if display.is_pressed(display.KEY0):
                 changed=True
                 password[selected_idx] += 1
-                if password[selected_idx] == clen:
-                    password[selected_idx] = 0
+                if selected_idx%2:
+                    if (password[selected_idx-1]*10+password[selected_idx]) >= clen or (password[selected_idx-1]//10 < clen//10 and password[selected_idx]>9):
+                        password[selected_idx] = 0
+                else:
+                    if (password[selected_idx]*10+password[selected_idx+1]) >= clen:
+                        password[selected_idx] = 0
             if display.is_pressed(display.KEY1):
                 changed=True
                 password[selected_idx] -= 1
-                if password[selected_idx] < 0:
-                    password[selected_idx] = clen-1
+                if selected_idx%2:
+                    if password[selected_idx] < 0:
+                        if password[selected_idx-1]//10 < clen//10:
+                            password[selected_idx] = 9
+                        else:
+                            password[selected_idx] = (clen%10)-1
+                else:
+                    if password[selected_idx] < 0:
+                        if password[selected_idx+1] >= clen%10:
+                            password[selected_idx] = (clen//10)-1
+                        else:
+                            password[selected_idx] = (clen//10)
         else:
             if display.is_pressed(display.KEY0):
                 break
 
         if changed:
-            display.fill_rect(0, display_height // 2, display_width, 9, 0x0000)
+            # Clear from (0,display_height//2 - 20),till (display_width, display_height // 2 + 10 + 7)
+            display.fill_rect(0, display_height // 2 -20, display_width, 37, 0x0000)
             display.text(
-                " ".join("%s%c" % (">" if idx == selected_idx else "", chars[sep])
-                         for idx, sep in enumerate(password)),
-                21, display_height // 2+5)
+                " ".join("%c" % chars[j] for j in [i[0]*10+i[1] for i in [password[k:k+2] for k in range(0,len(password),2)]]),
+                14, display_height // 2 - 20)
+            display.text(
+                "".join("%02i" % (i[0]*10+i[1]) for i in [password[k:k+2] for k in range(0,len(password),2)]),
+                (display_width-16*7)//2, display_height // 2)
+
             if selected_idx < max_idx:
                 display.fill_rect(0, 0, 21, 9, 0x0000)
                 display.text("Inc", 0, 0)
+                display.text("^", (display_width-16*7)//2 - 1 + selected_idx*7, display_height // 2 + 10)
+                display.rect((display_width-16*7)//2 - 1 + ((selected_idx>>1)<<1)*7, display_height//2 - 2 ,15,1,0xffff)
+
             else:
                 display.fill_rect(0, 0, 21, 9, 0x0000)
                 display.fill_rect(0, 0, 14, 9, 0xffff)
@@ -60,4 +81,4 @@ def get(display):
         time.sleep_ms(100)
 
     display.clear()
-    return "".join(chr(chars[sep]) for idx, sep in enumerate(password))
+    return "".join(chr(chars[j]) for j in [i[0]*10+i[1] for i in [password[k:k+2] for k in range(0,len(password),2)]])
