In the past few years I've changed my theory on passwords a couple of times. I started out with 3 passwords, one just a word to use on sites like twitter.com or stupid blog sites for commenting where I really didn't give a rip if someone got hold of the account. The ones above that were garbled acronyms (punctuation and mixed case embedded) and one was for most general purpose sites, the other only for higher security sites like banking.

However, a few incidents several years ago convinced me that even sites that should know better, like banks and credit card companies, did stupid things that compromised my security, like emailing me my password (sometimes without my even requesting it). So I decided to start using Password Safe to generate completely random passwords. I kept copies on my thumb drives, and on the machines I regularly used. That worked OK, but keeping them in sync was kind of a pain, and being completely unable to log in when I was away from one of these machines wasn't fun either.

I was actually starting to move back towards one password everywhere (for most purposes) when today I found out about SuperGenPass. This is a little javascript applet that installs as a bookmark. You then go to a site, type in a STANDARD password that you just use everywhere, and click the bookmark. A tiny applet, which is stored INSIDE your browser, combines that password with the domain name you're logging into, generates a random-looking password, and automatically plugs it into the password field.

Since it's entirely stored on your machine, your master password never leaves the browser. Even when you're at someone else's machine and use the mobile version, it just loads the javascript locally and doesn't send anything over the wire.

Since it uses the MD5 algorithm, even if a site is hacked and they find out that you used password "89vA3Baeq3" at that site, that password is useless elsewhere, and there's no way for them to know that your master password is "cricket" or whatever. The end result is that you get to use a common password everywhere, but each site actually has a different password, and those passwords can't be linked to one another.
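To make the scheme concrete, here is a small Python re-creation of the idea described above (master password plus site domain, hashed with MD5, turned into a printable password). This is an added example written for this page, not SuperGenPass's own code: the separator, the base64 substitutions, the minimum round count and the "reduce the host to its last two labels" rule are all assumptions, so the passwords it produces will not match the real bookmarklet.

```python
import base64
import hashlib
import re

# Hypothetical re-creation of the described scheme (assumed details, not
# SuperGenPass's actual algorithm).

def site_key(url_or_host: str) -> str:
    """Reduce a URL or hostname to the domain used as the per-site salt.

    Simplified on purpose: keeps the last two labels and does not consult a
    public-suffix list, so 'example.co.uk' would collapse to 'co.uk'.
    """
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _md5_b64(data: bytes) -> str:
    """MD5 the input and base64 it, swapping the non-alphanumeric base64
    characters for alphanumerics so the result pastes cleanly anywhere."""
    digest = hashlib.md5(data).digest()
    text = base64.b64encode(digest).decode("ascii")
    return text.replace("+", "9").replace("/", "8").replace("=", "A")


def _acceptable(pw: str) -> bool:
    """Assumed policy: starts lowercase, contains an uppercase and a digit."""
    return (pw[0].islower()
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derive_site_password(master: str, site: str, length: int = 10,
                         min_rounds: int = 10, max_rounds: int = 1000) -> str:
    """Deterministically derive a per-site password from master + domain.

    The hash is iterated at least min_rounds times and then until the first
    `length` characters satisfy the assumed policy; the same master and
    domain always yield the same password, different domains yield
    unrelated ones.
    """
    material = f"{master}:{site_key(site)}"
    for rounds in range(1, max_rounds + 1):
        material = _md5_b64(material.encode("utf-8"))
        candidate = material[:length]
        if rounds >= min_rounds and _acceptable(candidate):
            return candidate
    raise RuntimeError("no acceptable candidate within max_rounds")


if __name__ == "__main__":
    # Constructed sample inputs; "cricket" is the post's own example master.
    for site in ("https://www.example.com/login", "example.com", "example.org"):
        print(f"{site:32} -> {derive_site_password('cricket', site)}")
```

Two things worth noticing when you run it: the first two inputs give the same password because both reduce to `example.com`, and nothing in the per-site output reveals the master directly. What the hash does not do is make the master password strong: someone holding one leaked site password can test master guesses offline at MD5 speed, so the unlinkability the post describes only holds for a master that is not a dictionary word.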

This is still vulnerable to malicious scripting and keyloggers, but then again, everything is.

Date: 2009-08-10 07:57 pm (UTC)
From: [identity profile] c0nsumer.livejournal.com
Huh. This is fairly nifty. I may start switching over to this...
