Password Composer

Please be sure to read the FAQ about Password Composer before installing! Not sure about the purpose of this script? Start at the Password Composer Introduction first.

Update: Password Composer v. 2.00 is compatible with Safari/Creammonkey and will work for most (if not all) Ajax powered sites. Version 2.01 works for MSIE 6 (some features are missing).

Greasemonkey User Script

Install the Greasemonkey user script pwdcomposer.user.js. Provided that you use Firefox and have Greasemonkey installed, you can either right-click the link and choose "Install User Script" from the context menu, or pick this option from the "Tools" menu after loading the script source (click the link).

The greasemonkey script scans each page for password fields. Any password field is then marked as shown in this image:
Image of password field: marked by a green 'P' in the right upper corner

The password field gets a green outline, and a character "P" on a green bullet in the top right corner.

Image of the Password Composer panel

Double-clicking a marked password field opens the Password Composer panel. The top field is for the Master Password (see FAQ); the field below shows the website host name. Normally you want to leave this as shown. Only in cases where the domain changes between logins (e.g. www2.example.com and www6.example.com) should you use the top domain only, by clicking the minus [-] icon. Enter the password by pressing Return.


Image of the new account Password Composer panel

If you register for a new account, you will often be presented with two password fields, to make sure you did not make any typing error. Password Composer tries to detect this situation and adds a verification field as well. You can re-type your master password here; the field turns red and the Return key is blocked if the second password does not match.

Again, the [-] icon can be clicked to strip host name components. This would be a good idea in this example: I'm registering at edit.yahoo.com but will be logging in at mail.yahoo.com (and groups.yahoo.com and so on).
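
The host name stripping described above, as an added example that is not Password Composer's own code. It shows why a second level domain list is needed when stripping sub domains, and which logins end up sharing one generated password. The function names, the short suffix list and all sample hosts other than the Yahoo ones are assumptions made for this example.

```javascript
// Added example, not Password Composer's own code.
// Constructed sample list; the script's real second level domain list is not on this page.
const SECOND_LEVEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp", "co.nz"]);

// Lower-case the host name and drop a trailing root dot ("Example.com." -> "example.com").
function normaliseHost(hostname) {
  return String(hostname).trim().toLowerCase().replace(/\.$/, "");
}

// Strip sub domain labels, as the [-] icon is described to do.
function reduceHost(hostname, suffixes = SECOND_LEVEL_SUFFIXES) {
  const host = normaliseHost(hostname);
  // IP literals and single-label hosts (e.g. "localhost") have nothing to strip.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[") || !host.includes(".")) {
    return host;
  }
  const labels = host.split(".");
  if (labels.includes("")) throw new Error("malformed host name: " + hostname);
  // Keep three labels when the last two form a registry suffix such as co.uk,
  // otherwise two. Keeping only two everywhere would reduce every *.co.uk site
  // to "co.uk" and give unrelated sites the same generated password.
  const keep = suffixes.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Group hosts by the domain string the generator would be fed. Hosts in one
// group receive the same password for a given master password.
function groupByDomain(hosts, stripSubdomains, suffixes = SECOND_LEVEL_SUFFIXES) {
  const groups = {};
  for (const h of hosts) {
    const key = stripSubdomains ? reduceHost(h, suffixes) : normaliseHost(h);
    (groups[key] = groups[key] || []).push(h);
  }
  return groups;
}

// Constructed sample hosts: the Yahoo names come from the page, the rest are made up.
const SAMPLE_HOSTS = ["edit.yahoo.com", "mail.yahoo.com", "groups.yahoo.com",
                      "www.shop-a.co.uk", "login.bank-b.co.uk"];
console.log(groupByDomain(SAMPLE_HOSTS, true));
```

Calling groupByDomain(SAMPLE_HOSTS, true, new Set()) shows the failure case: without the suffix list both .co.uk sites fall into a single "co.uk" group.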


Password Composer is featured in Greasemonkey Hacks (O'Reilly, 2005) - an older version has been published online as a sample: hack #37 (note: link to pdf).

Detailed installation instructions

  1. Make sure you have Greasemonkey installed; look here for Greasemonkey and installation instructions.
  2. pwdcomposer.user.js: pick "Install User Script" from the right-click context menu of this link, or load the script and look for the command under the "Tools" menu.
  3. There is no step three;-)

Now go back to the introduction page for a demo form, where you can test the user script.

Installation for MSIE 6.0

First, make sure you have GM4IE installed and running. Then download the script wrapper, passwordcomposer.gm4ie. Install this into GM4IE, restart GM4IE and you should be up and running.
Warning: the passwordcomposer.gm4ie wrapper adds an extra layer of obfuscation to the installation process. You should always inspect these files to check that the actual user script is retrieved from the URL you expected. Do not use the script if you don't trust this process; it is a serious security risk, especially with a script like Password Composer.

Credits

Known bugs and limitations

The script works as long as you always login to the service with the same host name. Since version 1.04 you can edit the domain name. Since version 1.05 you can also use the minimum domain name; this option is remembered between sessions if you are using Greasemonkey 0.5 beta or newer.

Version 2.0 now works with dynamically loaded forms (Ajax sites).

Changelog

pwdcomposer.user.js changes

  Version 2.01
	- MSIE 6.0 compatibility, needed lots of branches...
	  expect some more bugs than under Firefox.
	  For installation: see http://gm4ie.com/
	- Safari compatibility through Creammonkey
	- focus double clicked passwd field after completion (fixed)
  
  Version 2.00
	- Ajax compatible (listen for new nodes and node changes)
	- refactored password field detection and open password composer action
	- swapped plus/minus icon for action "use full host/top level"
	- focus double clicked field after completion (buggy)
	- updated second level domain name list


  Version 1.14
	- fix for FF 1.5, where background overlay would not fit the
	  whole viewport if document height was less than window height.

  Version 1.13
	- fixed tabbing order on some host pages (setting tabindex)
	- implemented keyboard shortcut for setting domain handling
	  suggested by Sean Howarth (Shift+Ctrl+Arrow-LEFT/RIGHT)
	- implemented keyboard shortcut to display password in 
	  cleartext vs. original password field (Shift+Ctrl+C)
	New feature: stand alone operation
	- show generated password in pwdcomposer panel if the
	  host page lacks a password field

  Version 1.12
	- bugfixes and work around bugs in GM 0.5.1..3:
	  (GM_registerMenuCommand is not coded correctly)

  Version 1.11
	- fixed transparent background layer height to full page
	- partially fixed wrong pwdcomposer icon offset:
	  defer script execution after onload event.
	- handle window.resize events
	- first shot at adding shortcut key (SHIFT-CTRL-P) through GM menucommand

  Version 1.10 - Deer Park / GM 0.5 compatibility fix
	Changes contributed by Mark Pilgrim (MAP):
	- refactored event handlers
	- other Deer Park compatibility fixes
  
  Version 1.09
	- temporarily suspend site's key events when using pwdcomposer
	- bugfix (test for GM_functions)
  
  Version 1.08
	- position passwdcomposer icon on top 'layer'
	- increase z-index for layer to 9999 (z-index 1000 is found in the wild!)
	- @namespace points at an existing web page
	- UI change: dimmed background, clicking it removes composer panel
	- show 'verify passwd' field only on pages containing such a field

  Version 1.07
	- logging through GM_Log if available (GM 0.3.3+)
	- give focus to first updated password field
	- UI change:  panel has cool rounded corners
	Changes by Christopher Chan-Nui:
	- Added second password entry field to optionally validate entry
	  of password
	- Made ESC abort the password entry frame
	- Made Enter work in any text field
	- Removed OK button
	- Made password field bigger

  Version 1.06
	- Added menu command "Show Password Composer"
	  this is useful whenever the password field is added to the page
	  after the body.onload event; see for example the Backbase login
	  page, which is implemented with AJAX heavy lifting.

  Version 1.05
	- Toggle "ignore sub domains" setting.
	- Setting is saved in Greasemonkey 0.3.x or newer
	
  Version 1.04
	- Fixed bug where revealed passwords were 
	  not discovered on second invocation of the script
	- Display editable domain name
	- Use (edited) domain name for generating passwords
	- still missing user interface to ignore subdomains,
	  based on Chris Zarate's http://labs.zarate.org/passwd/

  Version 1.03
	- Added feature to show or hide generated passwords
	- some cleanup in mpwd_doit()

  Version 1.02
	- The Master Password field is activated by typing RETURN
	
  Version 1.01
	- Initial Greasemonkey release
	- GUID {aca5e547-8307-4ac8-8275-5797bdb5f2c1}
$Id: greasemonkey.html 71 2006-08-22 09:14:25Z joe $

About Greasemonkey

Greasemonkey is a Firefox extension, which can change web pages by applying cleverly crafted user scripts after they are loaded in the browser.

Tip! Greasemonkey Hacks by Mark Pilgrim.

More Greasemonkey User Scripts

For more, and a couple of Greasemonkey resources, see Greasemonkey User Scripts.