Very interesting password system
Aug. 10th, 2009 02:16 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
johnridleyIn the past few years I've changed my theory on passwords a couple of times. I started out with 3 passwords, one just a word to use on sites like twitter.com or stupid blog sites for commenting where I really didn't give a rip if someone got hold of the account. The ones above that were garbled acronyms (punctuation and mixed case embedded) and one was for most general purpose sites, the other only for higher security sites like banking.
However, a few incidents several years ago convinced me that even sites that should know better, like banks and credit card companies, did stupid things that compromised my security, like emailing me my password (sometimes without my even requesting it). So I decided to start using Password Safe to generate completely random passwords. I kept copies on my thumb drives, and on the machines I regularly used. That worked OK, but keeping them in sync was kind of a pain, and being completely unable to log in when I was away from one of these machines wasn't fun either.
I was actually starting to move back towards one password everywhere (for most purposes) when today I found out about SuperGenPass. This is a little javascript applet that installs as a bookmark. You then go to a site, type in a STANDARD password that you just use everywhere, and click the bookmark. A tiny applet, which is stored INSIDE your browser, combines that password with the domain name you're logging into, and generated a random-looking password and automatically plugs it into the password field.
Since it's entirely stored on your machine, your master password never leaves the browser. Even when you're at someone else's machine and use the mobile version, it just loads the javascript locally and doesn't send anything over the wire.
Since they use the MD5 algorithm, even if a site is hacked and they find out that you used password "89vA3Baeq3" at that site, that password is useless elsewhere, and there's no way for them to know that your master password is "cricket" or whatever. End result is that you get to use a common password everywhere, but each site actually has different passwords which can't be linked to one another.
This is still vulnerable to malicious scripting and keyloggers, but then again, everything is.
However, a few incidents several years ago convinced me that even sites that should know better, like banks and credit card companies, did stupid things that compromised my security, like emailing me my password (sometimes without my even requesting it). So I decided to start using Password Safe to generate completely random passwords. I kept copies on my thumb drives, and on the machines I regularly used. That worked OK, but keeping them in sync was kind of a pain, and being completely unable to log in when I was away from one of these machines wasn't fun either.
I was actually starting to move back towards one password everywhere (for most purposes) when today I found out about SuperGenPass. This is a little javascript applet that installs as a bookmark. You then go to a site, type in a STANDARD password that you just use everywhere, and click the bookmark. A tiny applet, which is stored INSIDE your browser, combines that password with the domain name you're logging into, and generated a random-looking password and automatically plugs it into the password field.
Since it's entirely stored on your machine, your master password never leaves the browser. Even when you're at someone else's machine and use the mobile version, it just loads the javascript locally and doesn't send anything over the wire.
Since they use the MD5 algorithm, even if a site is hacked and they find out that you used password "89vA3Baeq3" at that site, that password is useless elsewhere, and there's no way for them to know that your master password is "cricket" or whatever. End result is that you get to use a common password everywhere, but each site actually has different passwords which can't be linked to one another.
This is still vulnerable to malicious scripting and keyloggers, but then again, everything is.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2009-08-10 06:56 pm (UTC)I think I'd want it to be able to sync to a password vault, to make sure that I could always recover my actual passwords, without needing a copy of the program and a list of domain names.
no subject
Date: 2009-08-10 07:06 pm (UTC)I am actually also storing them in password safe right now. But that's as much because I like to have a list of websites that I've set up accounts on as anything else.
I also made a copy of the app on my thumb drive and on my personal website.
no subject
Date: 2009-08-10 07:57 pm (UTC)no subject
Date: 2009-08-10 08:41 pm (UTC)no subject
Date: 2009-08-13 02:36 pm (UTC)This is somewhat similar to the scheme used by S-Key, except that it's not a one-time password.
no subject
Date: 2009-08-19 03:45 pm (UTC)no subject
Date: 2009-08-19 04:34 pm (UTC)First, how the password generator works. It takes the domain of the page you're on; in this case, livejournal.com (even if you are actually on forestweather.livejournal.com, or www.livejournal.com, etc). Then it takes the password that you typed in. Then it runs both of those through a mathematical algorithm called "MD5". The details are not important, what MD5 does is to come up with a longish random looking string that depends on what goes into it.
Changing even a single letter of the input TOTALLY changes the output string, so every domain name (or even adding a single letter to your typed password) will result in a completely different output password.
In addition, MD5 is what's called a "one-way" algorithm. There's no way to directly determine what the input values are even if you know what the output (the password livejournal.com sees) is. So even if someone breaks into livejournal and gets hold of the password that the MD5 generator made for you (say it's "c290d0fb1"), there's no way to know that your master password was "squirrel" and use that to try to log in as you at citibank.com.
WHY THIS SYSTEM is interesting:
There are systems like Password Safe which allow you to use a master password to unlock an encrypted store of passwords. This requires you to have access to that store everywhere though.
There are also online password storage systems. The problem with online password storage systems is that you have to transmit your master password to them to unlock the password store, and someone might be able to intercept your master password that way. Also you're hoping they have good security, and that they won't go out of business.
This approach, on the other hand, is not vulnerable to people intercepting your master password as it travels anywhere, because the whole thing lives on your computer - the bookmark actually contains all the code to do the MD5 - nothing goes "over the wire" where someone could intercept it.
HOW TO USE IT:
You go to a site, you type in your user name and your master password, then you click on the bookmark. It runs some javascript code, determines the domain name and looks on the web page and finds the password you typed in. It does the MD5 magic, generates the new password (the c290d0fb1 string I mentioned AS AN EXAMPLE before), and puts that into the place on the web page where you typed the password before. It puts a little green triangle with a P on it in the places where it did that, so you know what it did.
THE UPSHOT is that you only have to remember one password, but each site gets a different and totally random looking unguessable password.
IF YOU LOSE THE PASSWORD:
There's no way to recover it. You'll essentially have "forgotten" your password on all sites where you used this, and you'll have to go through the recovery procedure they have set up, whatever it is.
...continued
Date: 2009-08-19 04:34 pm (UTC)WARNINGS:
You are still vulnerable to spyware getting onto your system. Nothing can stop that. If you have spyware watching your keystrokes and taking snapshots of your screen, you're just out of luck no matter what system you use.
Also, while there's no way for an attacker who gets hold of one of your site passwords (say, they broke into LiveJournal's database and found your "c290d0fb1" password) to directly find your password, they can still run the same algorithm as you do - they know half of the equation, "livejournal.com" - so they can for instance run a "dictionary attack" - have some software run every word in the dictionary through this and see if any of them result in "c290d0fb1". So it would actually not be a great idea to use the word "squirrel" for instance - it would only take a few minutes to find that.
However, due to the fact that changing it from "squirrel" to "5quirrel" or "squirre1" would COMPLETELY change the output string, it doesn't take much to make a password that would be significantly harder to guess.
Personally I like acronyms. I might think of the phrase "I have a lot of very nice friends" and that would become "Ihalovnf". The only way they're going to find that is by starting with "a", going to "z", then "A" to "Z", then "aa" to "az" to "zz" to "Aa" to "Az".... and that's not even including using punctuation, numbers, etc. It quickly becomes more of a pain than it's worth.
It doesn't take all that much really. Unless you're a very juicy target (you have passwords that give you control of some cool systems, or you have a heck of a lot of money in some accounts), or someone specifically has it in for you, all you have to do is not to be low-hanging fruit. They'll go steal passwords from people infected with spyware, or people using "password" or "swordfish" as their password.
As they say, you don't have to outrun the bear, you only have to outrun the slowest guy in the group. OK, since there are N bears, you have to outrun the slowest N guys.
no subject
Date: 2009-08-19 04:38 pm (UTC)