Password Composer FAQ
Some answers to questions that were actually asked, and some to questions you should always ask yourself before entrusting sensitive data such as your login credentials to a tool like this...
What is this Password Composer all about?
The Password Composer lets you remember one single password for multiple web sites. In reality, every site gets its own generated password, transparently to the end user. This means that you only need to remember a single, strong password, yet a password compromised at one site does not by itself give an attacker access to any of your other registered web personalities (as long as your Master Password is strong enough to withstand offline guessing; see "How safe is this script?").
So: Password Composer gives you a form of "single sign on" across web sites without actually sharing one password between them.
Alright, so how does this work for me as a user?
Both the Greasemonkey user script and the Firefox extension put a tiny icon in front of an existing password field. Clicking this icon reveals the Master Password field, where you enter your single Master Password. Password Composer then generates a new, strong password behind the scenes, and it is this generated password which is used to register with, and subsequently log in to, the web site.
The generated password is different for every web site (in fact, for every site's host name). The combination of your Master Password and the specific host name always produces the same effective password. The hash used cannot be run backwards, so a generated password does not directly reveal your Master Password; but anyone who obtains one generated password and knows the scheme can test guesses for your Master Password offline, so the protection against rogue web masters and hacked user databases is only as good as the Master Password you choose.
How do I set the Master Password?
The Master Password is the password which you choose for using this utility. Pick it carefully, as it will be used for access to all web sites you register with using Password Composer.
In other words, you do not "set the master password" as such; rather, you think of one strong password, and that is the password you will be using as the Master Password from now on. A little complexity here is no problem, because this single Master Password is the only one you need to remember.
A good password is not easy for anyone to guess: it should not look like a word in any dictionary, it should be long, and ideally it should contain some non-alphabetic characters. There are numerous guidelines for creating strong passwords on the internet; Google returns this one as the first hit: Creating stronger passwords.
Remember: the Master Password is what is used to generate all the site-specific passwords, so it must not get compromised in any way. Also, see the warning about critical services (do not use this script for those).
Seriously, how do I set the Master Password?
If you mean, how do I make Password Composer remember my strong, single Master Password, then the answer is: you don't.
This password is never, ever stored anywhere, for security reasons; see the previous question for why. So in this sense you cannot "set the master password".
The effect is that you need to remember the single, strong password you chose yourself, for all of the sites you want to use with Password Composer.
How safe is this script?
First guideline: you should never blindly trust a script like this without inspecting the actual code.
There is no external script involved; all code resides statically in your local user script repository.
The design principle is that this script does not step in between the actual web application's security process. Rather, it sits on top of an ordinary password input field. See it as a helper that generates strong passwords for you on the fly.
Overall security depends on:
- Your Master Password; choose it carefully and be sure to remember it! It is the one secret in the whole scheme.
- The strength of the generated password. These typically look like f49cb43a: 8 hexadecimal characters, i.e. 32 bits, roughly equivalent to a random 5 to 6 character alphanumeric password. That is adequate against online guessing at a site which limits login attempts, but thin if the site's password database leaks.
- The password generating algorithm; this is based on a cryptographic hash (MD5). The known MD5 collision attacks do not help an attacker here, but MD5 is very fast and unkeyed, so the algorithm itself adds no protection against someone who holds one generated password and tries Master Password guesses offline (see "MD5 hashing is insecure").
- Any security weakness which normal web forms suffer from: the use (or absence) of secure (SSL) servers, traffic sniffing, local exploits and cross site scripting (XSS) amongst others. Since the Master Password field is inserted into the web page itself, a script running in that page, for instance through an XSS hole, could capture the Master Password and not just the generated one.
Bottom line: use this utility at your own risk!
Should I use this for my on-line banking account?
In one word: NO.
You should follow the instructions you were given by your bank, credit card company and such, instead.
Use this script only in those cases where you would otherwise have been tempted to re-use one of your existing web personalities.
In other words, this script fits in the large non-critical space between serious web applications, where your real world identity is at stake, and those cases where a login can be avoided altogether. For the last category you might take a look at BugMeNot, by the way.
What is the difference between bookmarklet, user script and extension?
- The bookmarklet version is the easiest to install and compatible with the largest range of browsers (in fact all modern ones, except MSIE).
- If the bookmarklet doesn't work for you, just try the Web Form based Online Password Generator.
- The Greasemonkey User Script is simple to install in compatible browsers, provided that you already have Greasemonkey installed or know how to run user scripts otherwise (e.g. in Opera). The big advantage is that the source of pwdcomposer.user.js is fully accessible in clear text, so inspection is relatively easy. Also, in general, this will be the most advanced version.
- The Firefox Extension is based on the Greasemonkey user script. Installation is really easy through Firefox's standard extension mechanism, with the additional benefit that updates are found whenever you use the "check for updates" feature of the extension manager. Code inspection is a little bit more tricky; see "How do I open the Firefox Extension for code inspection".
How do I open the Firefox Extension for code inspection?
Glad you want to, and you should! Here's how to do it:
- Download the extension (ending in .xpi) to your local disk.
- Open it with an unzipping program: WinZip, StuffIt Expander, command line unzip... (an .xpi file is an ordinary zip archive).
- Look for javascript.js in the unzipped directory.
- Inspect thoroughly; you may compare the script to the Greasemonkey User Script (they should be the same within the same version numbering), for instance with a diff tool.
After you have convinced yourself all is good, go ahead and install the extension!
I registered with [service] and I can't login?
Some services, like for instance Yahoo!, use a different host name for registration purposes than they use for logging in to the service.
It is a limitation of the original script that the whole host name is used, rather than the second level domain name (e.g. billing.mail.yahoo.com vs mail.yahoo.com).
There is a solution, however, in generating a password for the login domain manually. You may use Nick Wolff's Generate Password utility. See also: "Can't I just edit the host name on the fly?".
As of version 1.05 there is a clickable icon to switch between using the full host name (+, the default) and the domain name only (-). Click on the +/- icon to switch. This choice is remembered if you are using Greasemonkey 0.3.x or newer.
The site changed host name, what now?
This situation is comparable to the previous question. A site owner may decide to move the site to a new (sub-)domain. In this case the script breaks, because the host name that goes into the calculation has changed.
The solution, again, is to generate the existing password for the old domain manually, provided that you still know what the old host name was. Otherwise you may have to fall back on the "forgot password" service which most sites offer. Also see the previous FAQ item.
For example, the official download site for Firefox Extensions just moved from addons.update.mozilla.org to addons.mozilla.org. The solution here was to manually edit the host name (put the "update" part back in) in order to log in, and then change the password on the site; the clear text password field option is really helpful for this.
Can I use the domain, rather than full host name?
As of version 1.05 of Password Composer, there is a clickable icon to switch between using the full host name (+, the default) and the domain name only (-). Click on the +/- icon to switch. This choice is remembered if you are using Greasemonkey 0.3.x or newer.
This option uses the relevant portion of the domain name to calculate a password, rather than the site's full host name. This is a good solution for those sites which keep redirecting you to another random www3.example.com host of their server farm. Note that switching the option for an existing account changes the generated password, so change your password at the site when you switch.
Can't I just edit the host name on the fly?
As of version 1.04 you have the option to manually change the host name which is used in the calculation process. Just edit the field labelled "Domain", below the password field. Be sure to remember how you changed the host name, though; the same edit is needed every time you log in.
The "domain name only" option is bad with any *.co.uk site!
As of version 1.05, there is an option to use the relevant portion of the domain name, rather than the site's full host name. This is really cool and saves your day with those sites which keep redirecting you to another random www3.example.com host of their server farm.
However, what about domains like *.co.uk or *.com.au: if the script simply kept the last two labels, would every site under co.uk get the same password!?
This really bugged me enough to not want to mess with this option anyway, until I came across the solution of Chris Zarate. He modified Nick Wolff's script, taking into account a lot of well known double top level domains. Here is his full list of double top level domains; Password Composer 1.05 uses this list, version of 9 May 2005.
Can I make a backup of the generated passwords?
No, not with this tool. You could always manually write down the passwords somewhere, but why bother? As long as you remember your Master Password, the site-specific password will be generated for you on the fly. This is the whole purpose of the tool! (Do keep a note of any host names you edited by hand, though, or you will not be able to regenerate those passwords.)
MD5 hashing is insecure
There has been a demonstration of MD5 hash collisions (two different inputs with the same hash). That attack needs specially crafted inputs and does not help an attacker who wants to find an input for a given hash, which is what would matter here. The practical weakness is a different one: MD5 is very fast, so if an attacker gets hold of one generated password they can try candidate Master Passwords against it at a very high rate. A strong Master Password is your only defence against that. Please also see the next FAQ: "There are better/more secure password solutions".
There are better/more secure password solutions
Quite a few people who are concerned with security have asked me about the password generating algorithm. I got a couple of suggestions for improvements, for instance using HMAC/SHA-1 plus base 64 encoding instead of the hex MD5 algorithm.
I feel these are valid improvements; however, my primary concern is to keep this utility compatible with the original solutions (see credits). This ensures interoperability and gives you more than one option in case you like another one better. Also, you can revert to an existing bookmarklet version whenever you don't have Firefox available.
Regarding security in general, you should use this script only for low-risk operations (this is also true for similar scripts and utilities). See "How safe is this script?".
Cool, who can I give credit?
The original bookmarklet was done by Nick Wolff. The password generating script makes use of Paul Johnston's MD5 javascript. The option to reduce host names to the relevant domain only, is taken from Chris Zarate.
Please show, don't tell...
The concept is really well demonstrated by Jon Udell in his screencast titled Simple Single Sign On.
Quick links:
- Back to the introduction
- For Firefox: Greasemonkey User Script (this is the most advanced version)
- A stand alone Firefox Extension
- Web Form based Online Password Generator
- A Bookmarklet version

