Back to Top

Saturday, October 28, 2006

Creating random passwords - the easy way

Passwords are used as the main authentication method in almost all of the current websites. They are easy to implement (from the websites owner point of view), however the user must consider several conflicting goals if s/he wants to stay safe:

  • Passwords should be long
  • The user must be able to remember the password
  • It should not be composed out of words which can be found in the dictionary
  • It should be different for every website / location so that if a location is compromised, the attacker can not use the obtained password to log in to other places.

Here is my solution to the problem: choose a master password and for each site generate a password from it using the password combinator (requires javascript). The advantages of this script are:

  • Uses Javascript, so it runs 100% at the client side with no server communication (other than the initial page load). The server never sees any of the entered data, you can use it in offline environments (if you download it from here) and you can view the source code to make sure that it does what it claims it does.
  • It can generate passwords of any length and complexity so you can tune it to what a site is able to accept.
  • The generated password is completely deterministic (meaning that given the same inputs and settings it will always generate the same output), however it is very unlikely that based on the output somebody could determine the master password even if the modifier is known, since the generation is based on the SHA1 algorithm.

As I've mentioned above, you can use obvious things for the modifier, like the websites domain and even then the only practical attack against your master password is bruteforce. By taking a step further I've implemented a feature in the script which enters automatically anything after the # sign in the modifier text box, so you can head over there and generate a password for digg directly. To make it even easier, you can use the following bookmarklet (by dragging it to your Bookmarks toolbar) and when you click on it it use some javascript magic to open the password combinator with the current site already entered: SitePass

Stay safe. And remember, you can always use the random password generator to generate secure passwords which fit your needs.

One final remark: you might ask: why is this hosted on a free server? And isn't using the bookmarklet a privacy risk, since it communicates the server what page I want to generate the password for? The answer is: I use a free server because I don't have money currently to pay for a hosting service. Because this runs 100% client side (and again, you can look at the source to make sure of this), there is no data transmitted back to the server which would compromise your security. As for the case when you use the bookmarklet to show a prepopulated version of the page: the server again only sees the fact that you are requesting the page, anything after the # sign isn't sent to the server, but rather interpreted by the browser.


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.