Jan Krüger's blog

Creative Engineering and randomness

Managing your web passwords the portable and secure way


Dear users of browsers other than Firefox, I’m not talking to you now. Sorry. Dear remaining readers, have you ever disliked having to a) remember all of your different passwords for all websites or b) store them on your local computer so you can’t get at them from other places or c) use the same password everywhere even if that makes the impact of security issues a lot worse? I used to go with option b) but I didn’t really like it. Now I’ve found something else; allow me to share.

Requirements

The general idea here is to avoid all of the problems with the solutions mentioned above. How does that work? You install an extension that generates a password for each site out of your master password and the domain of that site. This eliminates a) because you only have to remember a single password (the domain of a site doesn’t tend to change, so it can be picked up automatically by the script); it eliminates b) because all you need to give the script is the master password, and you can do that pretty much anywhere because the script doesn’t store the master password anywhere; finally, it eliminates c) because each site gets a different password, and even if one of them gets compromised, there is no known way to get your other passwords that doesn’t take at least a couple of hundred years.

The script I recommend is called Password Composer, written by Johannes la Poutré and others. It’s rather nice to use; the downside is that the passwords aren’t quite as secure as they could be. I’ve modified the original Password Composer script to improve the password generation algorithm. That means my version of the script won’t be compatible with any similar software, but it will probably be significantly more secure than the original script.

Boring technical details

The original Password Composer uses a formula like md5(<master password>:<domain>) and trims the resulting MD5 hash to eight characters, so you get 4294967296 different passwords.

My script changes this in two ways: it uses a different way of mixing the master password and domain together, and it uses a tighter way of encoding the MD5 hash. The formula goes like md5_base64(<master password>:md5_base64(<domain>:<master password>)). This potentially improves the mixing quality of the overall hash function (it might not, but it can’t really be worse, so what the heck) and it raises the number of different passwords to 281474976710656 (again, eight characters, but this time it’s uppercase and lowercase letters, digits and three symbols).
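To make the two formulas above concrete, here is an added Python sketch of both derivations and of the keyspace arithmetic. It is my own illustration, not the Password Composer script or the modified version linked below, and it assumes details the post does not spell out: that strings are UTF-8 encoded before hashing, that "md5_base64" means standard base64 of the raw 16-byte digest, and that truncation keeps the first eight characters. The sample master password and domains are constructed for the example.

```python
import base64
import hashlib


def original_password(master: str, domain: str) -> str:
    """Original scheme as described in the post: hex MD5 of
    "<master>:<domain>", trimmed to eight characters.
    Alphabet is 16 hex digits, so 16**8 possible outputs."""
    digest = hashlib.md5(f"{master}:{domain}".encode("utf-8")).hexdigest()
    return digest[:8]


def md5_base64(text: str) -> str:
    """Assumed meaning of md5_base64: standard base64 of the raw digest.
    A 16-byte digest encodes to 24 characters; the "==" padding sits at
    the end, so the first eight characters never contain it."""
    raw = hashlib.md5(text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def modified_password(master: str, domain: str) -> str:
    """Modified scheme from the post:
    md5_base64(<master>:md5_base64(<domain>:<master>)), trimmed to
    eight characters. Alphabet is 64 base64 symbols, so 64**8 outputs."""
    inner = md5_base64(f"{domain}:{master}")
    outer = md5_base64(f"{master}:{inner}")
    return outer[:8]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords for a fixed alphabet and length."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "correct horse battery staple"
    for domain in ("example.com", "example.org"):
        print(domain,
              original_password(master, domain),
              modified_password(master, domain))
    print("original keyspace:", keyspace(16, 8))   # 4294967296
    print("modified keyspace:", keyspace(64, 8))   # 281474976710656
```

The keyspace figures count how many distinct eight-character passwords each scheme can produce, which is what the post compares. A practitioner would also note that both derivations are a single fast MD5 computation with nothing stored on the client, so the defence against someone who has obtained one site password and wants to guess the master password rests entirely on how strong the master password is.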

Instructions and download

I’m not writing a separate instructions page for the script since the user interface is exactly the same as that of the original script. The download link for the script itself is on my Greasemonkey page; here’s a direct link: Password Composer 2.03j

I hope this script will be useful for you. Any feedback (including suggestions for improvement) is appreciated.