Something, such as merchandise or literature, that is inferior or poorly made.
Schlock is a fork of Swaylock for use on touchscreens: instead of using keyboard entry and the user's regular password, it provides an onscreen numeric pad on which you can type your PIN. You choose a PIN while configuring the program: it is not connected with your regular Unix password.
"[It] is both good and original; but the part that is good is not original, and the part that is original is not good." - Samuel Johnson, attrib.
This is a pre-release which is published on Github mostly so I have a backup of the code. Don't trust it. It has not been security-audited. There will be bugs. There is dead code. You should read the Security section.
The installation process is unchanged from Swaylock, save for the additional library dependency on Libsodium
For Nix users, you should be able to run
nix-build -E 'with import <nixpkgs> {} ; callPackage ./. {}'
in this directory.
Generate a PIN file by running
mkpin > $HOME/.config/schlock.pin
chmod 0400 $HOME/.config/schlock.pin
(This is not a suggested pin file location, just an example)
Start schlock with schlock --pin-file $HOME/.config/schlock.pin
-
The threat model is "my five year old child picks up my phone and starts pressing things at random". If your attacker is older than five (or is especially precocious) this app may not address your needs.
-
The security of customer-chosen banking PINs by Joseph Bonneau, S̈oren Preibusch, and Ross Anderson finds that we should expect a competent attacker to guess one in around every 15 customer-chosen PINS. My takeaway from reading that is that you should generate a PIN randomly instead of choosing a "memorable" one, and you should reject the PIN and generate another if it appears in their suggested blocklist (Appx B).
-
Even an arbitrary four or six digit numeric PIN is always going to be more guessable than a long alphanumeric password. Schlock tries to mitigate this for online attacks by enforcing a timeout between failed attempts, and for offline attacks by hashing the secret using Argon2 (via libsodium).
-
Swaylock is mature code. There has been significant effort (by other people) on Swaylock and the Wayland protocols/libraries to fix bugs like "plugging and unplugging the keyboard may crash the locker", most of which work this app benefits from. I may have introduced more bugs in the new bit, of course.
-
remove some debug logging
-
scale to screen size (or to thumb reach? may need this to be configurable)
-
more aesthetic "wrong password" signalling, e.g. add some padding around the red background area
-
refine the backoff timings. maybe you get three attempts before the delay cuts in but then the delay is longer.
-
enhance mkpin: ("good first PR" :-)
- generate random PINs
- check PINs against blocklist
- write the output file, so it can set the umask