veorq / blueflower Goto Github PK

Two of the regex matches are private[ -_]key and secret[ -_]key. The character range [ -_] matches !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^, so this will match a number of undesired tokens.

I suspect this should be [ \-_] or simply [ _-]

I just discovered blueflower and wanted to give a try (it looks like a pretty cool tool!), but I was surprised to find it doesn't seem to be available on https://pypi.python.org/pypi

can you advise for something simpler working on single files? I would like to install it like a system utility and do something like:

cat somefile.txt | show_secrets

is there something like this already? I find a lot of utilities for git repositories (that doesnt allow you to do anything from outside git, ex: trufflesecurity/trufflehog#92 and https://github.com/awslabs/git-secrets) but nothing unix like, maybe you can add this possibility?

btw I look forward to read your book when I became a bit more serious :)

If I understand correctly, a blueflower hashes file contains a single salt that is used for all the secrets in that file.

An attacker would have to recalculate rainbow tables once (taking into account this one salt) to then efficiently try to reverse the hashes in the file. A salt-per-secret model would be stronger.