Help me decode this javascript which generates a passsword based on a master password and a website's name

Question

Hi all! There's a website that generates a password by joining a master password with the website's name (e.g. master password=abc and site=google) then hashing that with SHA1 and then coding the resulting hash with Base64. I've been trying to implement that in Bash, but I can't. I mean I can but my results are extremely different from the ones in the website. Help?

The website that generates the password using JavaScript is at http://angel.net/~nic/passwd.sha1.html

And here is my bash script:

#!/bin/bash

CUT=8

echo -n "Enter your master password. "
read -s MASTER
echo -en "\nEnter the site's name. "
read SITE

PASS=$(echo -n $MASTER$SITE | sha1sum | sed -e 's/[ -]//g' | base64 | cut -b 1-$CUT)

echo $PASS | sed -e 's/[\/+=]//g'

I'm new to Stack Overflow so tell me if I'm breaking any rule, etc...

Answer 1

For what I can tell by

password.value = b64_hmac_sha1(master.value, site.value).substr(0,8);

It doesn't exactly concatenates and computes SHA1, but rather computes HMAC-SHA1 for key and message.

I do not know any command-line equivalent for HMAC calculation, but if you don't mind invoking perl that would be something like

perl -MDigest::HMAC_SHA1 \
 -e "print Digest::HMAC_SHA1::hmac_sha1('$SITE','$MASTER')" \
| base64 | cut -c1-8

Answer 2

the script uses the hmac-sha1 algorithm rather than a direct sha1 hash. it then returns only the first 8 characters of the base64-encoded result.

you can find a bash/openssl implementation of hmac-sha1 here or you can call out to php's hash_hmac function.

in php, you can do something like this:

password=`php -r "echo substr(base64_encode(hash_hmac('sha1', '$SITE', '$MASTER', true)), 0, 8);"`

Answer 3

You can use the openssl command to compute an HMAC digest, and to convert to base64, as follows.

echo -n $SITE | openssl dgst -binary -sha1 -hmac $MASTER | openssl base64 | cut -c1-8