Password Composer

Summary

Generate a different, safe password for every site you register with. You only need to invent and remember one strong Master Password.

Introduction - the problem

Every once in a while you encounter a website that has interesting content available to registered users only. No big deal: you just create an account and there you go. Over time, however, the many, many user accounts with their passwords become hard to remember. Eventually you forget the cleverly crafted variation and find yourself struggling with yet another variation of the "forgot password" service.

A common solution is to use just one password for all of those sites that are considered low to medium risk if broken into. The problem with this is that a rogue site owner might go out and impersonate you, once they find out which other sites you use with the same account. A little "social engineering", and you can be in big trouble.

The solution

Now there is nothing wrong with a single, strong password, as long as it is not used literally. Enter the concept of a Master Password that generates a strong password, unique for every web site where it is used. Password Composer does just that!

Based on Generate Password by Nic Wolff, this bookmarklet generates a unique password per site. The password is based on an MD5 hash of your single master password and the site's host name. So one thing to keep in mind: slashdot.org will get a different password than www.slashdot.org; just be consistent!

The advantage of this version - apart from the nifty panel rather than a bland JavaScript popup - is that your master password is not exposed in clear text. Picture this: you are in a seedy Internet cafe somewhere downtown, and that suspicious guy is looking over your shoulder while you happen to need to log in to your account...

The concept is really well demonstrated by Jon Udell in his Screen Cast (Flash movie) Simple Single Sign On, you should really look at this to get the idea.

How it works

The password generator bookmarklet displays a little panel with an empty password field for your Master Password and an "OK" button. Just before the password field is an icon which lets you change the password fields on the original form into plain text. This is useful when you register and want to write the generated password down somewhere (hmm...).
Just below the password field, the effective domain name for generating a password is displayed. This domain name is editable, see below.
When you click the OK button, the current page is searched for input fields that look like a password field, and these fields are pre-filled with the customized password for the current website.

Just fill out your user name where needed and log in - there you are, no need to remember more than one "semi secure" password. Still, a rogue site owner is not able to log in to any other of your accounts, because the generated password will always be different for different web sites (well, for the host name part of the URL, to be precise - you can tweak this manually).

Update (v1.04): in order to make this work for sites which have different host names for different applications, you have the option to edit the domain name used for calculating the password. This makes it possible to register with "reg.example.com" and login to "app.example.com"; simply edit the domain to look like "example.com".

Demo Form

Use this form to try the script/bookmarklet/extension after you installed one of these.

Password Composer Demo
Account name (unaffected):
Password field*:
Password (plain text):

*) If you see a little red icon here, you have the Greasemonkey script correctly installed. Click on the icon to try it out!

Credits

$Id: PasswordComposer.html 99 2007-04-26 06:38:19Z joe $