Dear users of browsers other than Firefox, I’m not talking to you now. Sorry. Dear remaining readers, have you ever disliked having to a) remember all of your different passwords for all websites or b) store them on your local computer so you can’t get at them from other places or c) use the same password everywhere even if that makes the impact of security issues a lot worse? I used to go with option b) but I didn’t really like it. Now I’ve found something else; allow me to share.

Requirements

  • You need a single master password that’s rather secure. I’m not going to reiterate the usual password safety advice, I trust you to know about this stuff.
  • You need the Firefox extension Greasemonkey.
  • You need the Greasemonkey user script I’ll be talking about now.

The general idea here is to avoid all of the problems with the solutions mentioned above. How does that work? You install an extension that generates passwords out of your master password and the domain of each site. This eliminates a) because you only have to remember a single password (the domain of a site doesn’t tend to change, so it can be picked up automatically by the script); it eliminates b) because all you need to give the script is the master password, and you can do that pretty much anywhere because it doesn’t store the master password anywhere; finally, it eliminates c) because each site will get a different password and even if one of them gets compromised, there is no known way to get your other passwords that doesn’t take at least a couple of hundred years.

The script I recommend is called Password Composer, written by Johannes la Poutré and others. It’s rather nice to use; the downside is that the passwords aren’t quite as secure as they could be. I’ve modified the original Password Composer script to improve the password generation algorithm. That means my version of the script won’t be compatible with any similar software, but it will probably be significantly more secure than the original script.

Boring technical details

The original Password Composer uses a formula like md5(<master password>:<domain>) and trims the hexadecimal MD5 hash to its first eight characters, so you get 16^8 = 4294967296 different passwords.

My script changes this in two ways: it mixes the master password and domain together differently (two nested hashes instead of one), and it encodes the MD5 hash more densely (base64 instead of hex). The formula goes like md5_base64(<master password>:md5_base64(<domain>:<master password>)). This potentially improves the mixing quality of the overall hash function (it might not, but it can’t really be worse, so what the heck) and it raises the number of different passwords to 64^8 = 281474976710656 (again, eight characters, but this time each one is drawn from uppercase and lowercase letters, digits and three symbols).

Instructions and download

I’m not writing a separate instructions page for the script since the user interface is exactly the same as that of the original script. The download link for the script itself is on my Greasemonkey page; here’s a direct link: Password Composer 2.03j

I hope this script will be useful for you. Any feedback (including suggestions for improvement) is appreciated.


6 responses to this post

  1. Right, the best and safest thing is to remember your passwords. I have about a hundred in my head for all my clients. No need for software to remember them.

  2. Joern says:

    I use a USB stick with KeePass (keepass.info) and a master code on it…
    I think it will be OK.

    • Jan says:

      If you take care to a) never lose that USB stick and b) keep backups, that’s totally fine, of course. If you’re happy with what you already have, great!

  3. Vege says:

    Like Joern, I save all of my passwords on a USB stick with a lock on it, but this is also a pretty interesting idea. Thanks for the great post!

  4. Harlan says:

    I use two tools for passwords, one is PwdHash, which is a browser plugin that hashes a single web password with the domain name to get a secure password that can’t be used by one malicious web admin to log into your account on other web sites. The other is a password-protected database on my smartphone, backed up of course. I use that for PINs, passwords that have to be changed often by policy, etc. It’s a nice combination of tools…

  5. Headphone Reviews says:

    I actually save my passwords and usernames in an Excel sheet. I am usually at home, so I don’t need any USB stick to bring along with me. But I’m actually thinking of trying this one. Perhaps this would help. Thanks for the post!
