Secure web passwords with SuperGenPass
I have blogged in the past several times about passwords, and I am here to do it again today.
I believe the following when it comes to passwords for the web:
- No one should have to remember more than a single password.
- No one should use the same password on more than one web site.
You might read these rules and think that they cancel each other out. However, that is not the case.
Enter SuperGenPass. SuperGenPass is an updated version of the GenPass bookmarklet that I previously praised, written by Chris Zarate.
If you have never used a bookmarklet before, they are super easy. You save them in your browser's Bookmarks (or Favorites) like you do when you bookmark a web page; however, when you click on them they run JavaScript commands against the page you are currently viewing, as opposed to taking you to a new page.
SuperGenPass will populate any password form fields on the current web page with an auto-generated password that is unique to that web site. It does this by having you first enter your "master password", then it combines that master password with the domain name of the web site you are viewing and runs the result through multiple rounds of MD5 hashing (a one-way function, so the master password cannot be read back out of the result) until it has a nice string of letters (lower and upper case) and numbers - a perfect, secure, password.
This method requires that you only remember your single master password, and even though you enter it in your browser when using SuperGenPass, it is never saved in the browser and never transmitted over the Internet/network. The result is unique passwords for every web site you visit.
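To make the derivation above concrete, here is an added Python example (not code from the SuperGenPass project) that follows the published bookmarklet algorithm as I understand it: the master password and the registrable domain are joined with a colon, hashed with MD5 at least ten times, each round rendered as 22 alphanumeric characters (base64 with "+" and "/" replaced by "9" and "8" and no padding), and the hashing continues until the first `length` characters start with a lowercase letter and contain at least one uppercase letter and one digit. The function and variable names, the small `TWO_LEVEL_SUFFIXES` list, and the 4..22 length bounds are this example's own assumptions; compare its output against the real bookmarklet before relying on it for anything.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed, partial list of suffixes under which the registrable name is
# three labels long (e.g. "example.co.uk"). The real bookmarklet carries a
# much longer list; this is only a sample for the example.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "co.nz"}

# Output alphabet: base64 letters and digits, with "+" -> "9" and "/" -> "8"
# and the "=" padding dropped, so every output character is alphanumeric.
_PLUS_SLASH = str.maketrans({"+": "9", "/": "8"})


def alnum_md5(text: str) -> str:
    """One hashing round: MD5 of the input rendered as 22 alphanumeric chars.

    Assumes ASCII input; the bookmarklet's JavaScript MD5 worked on the low
    byte of each character, which agrees with UTF-8 only for ASCII.
    """
    digest = hashlib.md5(text.encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii").rstrip("=")
    return b64.translate(_PLUS_SLASH)


def registrable_domain(url_or_host: str) -> str:
    """Reduce a URL or hostname to the registrable domain that is hashed,
    e.g. 'https://login.mail.example.co.uk/x' -> 'example.co.uk'."""
    host = url_or_host
    if "://" in host:
        host = urlsplit(host).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def looks_acceptable(candidate: str) -> bool:
    """Acceptance test for a candidate: starts with a lowercase letter and
    contains at least one uppercase letter and at least one digit."""
    return (re.match(r"[a-z]", candidate) is not None
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[0-9]", candidate) is not None)


def generate_password(master: str, site: str, length: int = 10) -> str:
    """Derive the per-site password from the master password and site."""
    if not 4 <= length <= 22:  # one round yields 22 characters at most
        raise ValueError("length must be between 4 and 22")
    candidate = f"{master}:{registrable_domain(site)}"
    rounds = 0
    # Always hash at least ten times, then keep going until the prefix that
    # will become the password passes the acceptance test.
    while rounds < 10 or not looks_acceptable(candidate[:length]):
        candidate = alnum_md5(candidate)
        rounds += 1
    return candidate[:length]


if __name__ == "__main__":
    # Constructed sample input: the same master password on two sites.
    for url in ("https://www.example.com/login", "https://example.org/"):
        print(url, "->", generate_password("correct horse battery", url))
```

Two things worth noticing when running it. Any URL on the same registrable domain yields the same password, which is what lets one bookmarklet serve every login page of a site. And because MD5 is fast and the site name is the only "salt", anyone who obtains one derived password can test guesses for the master password offline at full speed, so the scheme only holds up with a long, genuinely unguessable master password.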
If a database containing your password is ever stolen, or if the owner of some random web site ever decided to try your password for his web site against your web-based e-mail account (or checked to see if you have an Amazon or PayPal account, etc.), they would be SOL because each and every web site has a different password.
I think I have said enough on how it works and why you should use it. It's time for you to start using SuperGenPass on your own.
A full explanation, instructions, and things to know before using it can be found on the SuperGenPass web page: http://labs.zarate.org/passwd_new/.
SuperGenPass works in Mozilla Firefox, Internet Explorer, and Opera. I of course use Firefox and love how I can save SuperGenPass to the Bookmarks Toolbar, which keeps it readily available for easy access at all times.

SuperGenPass bookmarklet in my Firefox Bookmark Toolbar
For the best security, use the default SuperGenPass that requires you to enter your master password each time, and have your browser set to not save passwords for web sites. However, if you feel that your computer is safe (not going to get stolen, not shared with other users), there is a SuperGenPass bookmarklet builder where you can customize SuperGenPass to save you clicks after entering your master password on each page, or to completely forgo having to enter your password at all.
One last thing: if you are concerned about not having access to your passwords when you are at a friend's house, the library, an Internet cafe, a ColdFusion conference, etc., you are on your toes, as that is definitely something you need to be thinking about. Chris has created a mobile version of SuperGenPass that you can run directly from his web site (no need to add the bookmarklet to the browser you are using, as that is not always an option). You can copy the mobile version to your own web site so you can have easy access to it there, save it to your hard drive, carry it around on a USB thumb drive - your options are endless.
Enjoy!
5 Comments
User Comments
Thursday, February 8th 2007
Ok, fine. You convinced me. I currently have a password scheme that allows me to create an easy to remember unique password for each site. It has some problems though, when sites have stupid password requirements like, "Your password is too long", or "A character in your password is illegal".
Thursday, February 8th 2007
It's possible that SuperGenPass might create a password that is too long as well (default is 10 chars; the bookmarklet generator lets you change the length to something else if you think 10 is too long, or too short). Chris says that he purposely left out extended chars so that the passwords would be more compatible... however, some sites might go so far as to *REQUIRE* non-alphanumeric chars. Or that you rotate your passwords every 6 months. In these rarer cases, he flat out says: "just don't use SuperGenPass for this particular website".
He also gives instructions on how to add in extended chars to the bookmarklet manually.
You can pretty much tailor this to your needs.
Thursday, February 8th 2007
Well, I'm giving it a try. So what happens when you've got a site that needs 'special attention', like extra characters or a shorter password. I wouldn't want to tell SuperGenPass to have 6 char passwords for ALL of my sites, but how would it know that I need that for one particular site?
Thursday, February 8th 2007
I personally have never needed to have a special case password, except for 1 site which I think had a 6 or 8 char limit. So here is what you can do:
If you need a special char: Run SuperGenPass, then add one or more special chars (&,$,%,@,etc.) to the end, or beginning, something easy for you to remember in those special cases.
The same goes for cases where the password might have the requirement to use multiple numbers, as SuperGenPass I *think* usually generates passwords with only 1 numeric char (but always at least 1). You can add an additional number to the generated password.
When a site requires a shorter password there are a couple of options. SuperGenPass has an additional options screen that can be brought up by clicking on the "+", and you can change the length on this one site to 6 (you would have to do this every time you use SuperGenPass on this site).
Also, if the site HTML is set up correctly with a maxlength attribute, the generated password should automatically truncate to 6 chars, so SuperGenPass should work out of the gate. Otherwise, run SuperGenPass as normal, then manually truncate to 6 chars.
In the case of rolling passwords, run SuperGenPass, then add a rolling number to the end of the generated password, maybe the current month number, or quarter number, depending on the frequency that you need to rotate your password.
An alternative would be to add the rolling number to your master password before running SuperGenPass; this would generate a very unique end password that would still be 10 chars (rather than appending numbers, causing a longer password).
Also, in all these cases, you could replace the end (or beginning) chars of the generated passwords with your special case characters (numbers, extended chars, etc.) instead of appending them, so you don't push your password over any length limits that might be in place.
Hope these tips prove useful.
Thursday, February 8th 2007
Ah, good points. I'll remember these tips when/if I come across problems. OT: It would be nice if your blog's "new comment" notification email contained a link to the relevant entry.