[dundee] Awesome Password Tricks

Fri Feb 26 11:00:27 UTC 2010

Ok, I was asked last night to post to the list about how I manage my
passwords...

This is a solution to the password security problem, where we want a
different password for every website because if any one site gets
compromised (and they're storing passwords as plaintext) then we've
lost the security on all our accounts!

The big problem doing this is that you have to remember which username
and password you have on each site which can be hard.

So I have adopted a lightweight easy solution to this problem....
Essentially you have a single master password that you remember, but
you assign each account a password which is the SHA1/MD5 sum of the
websites domain name + your master-password.  E.g. assuming the
terrible master-password of 'foobarbaz' and the site www.google.com we
take the MD5 SUM of the string:

foobarbaz:www.google.com

Yielding an MD5 of:

d6194ec9e6037da48c2e4276a01325c1

Unfortunately most sites wont let you have such long passwords, so we
take the first 8 characters of this producing a password of:

d6194ec9

A pretty good password... and every site will now have a different
password...   So how do we make this usable?  Well firstly we can use
this bookmarklet, that follows this algorithm:

http://www.angel.net/~nic/passwdlet.html

This is pretty good, unfortunately the limitations of javascript mean
that the dialog box it presents you with does not hide the passwords
as you enter them.... this means it's useful but susceptible to
shoulder surfing...  To by pass this, there is a HTML page on that
site that will do this for you and start out the passwords...  If you
use this, I'd recommend saving the page onto your own site.

For common use however, one of the best solutions is this greasemonkey script:

http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/

It basically watches for password boxes in HTML pages, and marks them
green...  Double clicking them will pop up a different box, that
allows you to enter your master password... Upon submitting the MD5'd
password is passed to the web form.

In addition I have a small ruby script to do the md5 summing at the
command line... which is occaisionally useful if you generated a
password via a webform, which was then subsequently assigned to a
shell account...   Here's my script:

#!/usr/bin/env ruby

require 'md5'

if ARGV.size != 2
    puts "Usage: password-gen [masterpassword] [domainname]"
else

    masterpassword, domainname = ARGV

    password = Digest::MD5.hexdigest(masterpassword + ':' +
domainname).to_s[0..7]

    puts "Password: #{password}"
end

The combination of all these utilities, basically allows you to cover
all bases... i.e. when I'm on someone elses computer I use the saved
HTML page which is on one of my sites...  When I'm at work or home I
use the greasemonkey script, and occaisionally also the bookmarklet.

I've been using these tools for many years...  They work well, and can
handle most of the common cases... e.g. where you generate a password
on www.yahoo.com but login on login.yahoo.com .  This said, it does
occaisionally present you with minor problems... e.g. when phoning
your ISP and they ask for the 5th letter of your password... and you
don't know.  But the benefits far outweigh the costs.

I suspect (but am not sure) that the greasemonkey script is probably
exploitable by a third party website to get your master password....
This is obviously unlikely but all the same I'd recommend *only* using
this on reputable sites... if in doubt use either the bookmarklet or
the HTML versions.

Anyway, I hope this is useful to some of you!

R.