Password Maker Bookmarklet

2004-10-31 01:14 - Bookmarklets

Yes, they're everywhere, websites with passwords. Sometimes, they are websites you give your credit card information to, sometimes they're just discusson boards, or a million other things. But you have to use a password for every one! I bet you use the same password for every one! I know I usually do. I keep 3 passwords. The really simple one I give away to really untrustable site, the middle one I give to most places, and the big complex one I save for the places that are more sensitive.

Of course, that still leaves me somewhat vulnerable. It wouldn't be hard for someone that took my password from one of the many places that share it to log in as me at the rest of them. It's just not safe! But what can we do, I can't possibly remember a different password for every site! Well, that's where the magic of the computer comes in!

There's an amazing little tool that's been around a long time called a bookmarklet. Yeah, they're old enough to be from the Netscape era, and thus called bookmarklets, though some people use the term Favelet (eeew, IE). There's a truly great set of them over at Jesse's Bookmarklet Site. I especially love the "Up" bookmarklet, the first in the Miscellaneous category. Very useful, one of the few things I missed (from the google bar) in IE that's not in Firefox. I also found one day a "password generator bookmarklet." A truly genius idea, a bookmarklet that takes the current site's domain name, your master password, and a bit of cryptography magic to turn it into a unique series of letters and numbers. Or, a strong password!

I started using it, and I was enjoying it. I felt safer, and I lost no convenience. But before long, I noticed problems. He says right on his site that it's not compatible with IE. I hate and I don't use IE, but some people have to. He has a link to a site with a workaround, which is up now but wasn't available when I first found it. It's also a bit hacky forcing you to save the javascript as a file on your computer. It also, though running the whole MD5 script, chops off the result at 8 characters. Who knows how good MD5 really is when you only use a quarter of the output.

But worst of all is the way it relies on domain name. I very nearly lost my ~6 year old well established ebay account thanks to it. Ebay of course uses multiple domain names: www.ebay.com, signin.ebay.com, scgi.ebay.com and more. It would gerenate a different password for each one. Or, as I expereinced, definetly a different one for where you change your password, and where you sign in.

So I thought about it for quite a while, then I worked on it for quite a while, and bam! I came up with a password maker bookmarklet inspired by the one linked above, but with none of those restrictions. It hit me when I stumbled upon a web page describing some hash functions. I had been looking into it a bit, but could only find very complicated hashes like MD5, used in the above linked script. The MD5 algorithm takes about 9k of code in javascript. I was really hoping to fit into 508 bytes, the maximum IE (6 win) can use. Well that page there showed three very simple hash functions.

Simple isn't good when it comes to a password. But, in this instance, it's not truly bad. The intent of this is really just to protect you a bit, by making sure that you don't use the same password for each site. It's not a "strong" cryptographic hash like MD5 or SHA. It's a rather weak one to fit in 508 bytes in javascript. But it does it's job. You should consider using other, strong, passwords for important logins like banks or e-commerce sites.

Enough blabbering, here's some code! First, the bookmarklet: MyPass. Drag that onto your links toolbar, your bookmarks menu, your favorites menu. Right click and choose add bookmark, add favorite, whatever. Like any bookmarklet. Then, just click it and enter your "master password." The master password, which you can safely keep the same for all sites, is taken along with the top level domain name (for this site, it would be arantius.com) and hashed to give you an 8 character letters and numbers password. It is filled into any password-type form field, or text-type form field named password.

Here's a little demonstration. You can type into the small form below your master password and a domain name, and get out the password for any site. This really runs in your browser, I never get your passwords =) Save it to your hard drive and unplug your internet connection if you're paranoid. Plus, you can read all the source code right there in View Source.

I hope you enjoy this! You can play with the form above and see that each different domain name makes a very different password, even with the same master password.

Comments:

Drat!
2004-10-31 01:45 - arantius
Well, after working so hard to get it to work properly even with IE, I failed. Barely. In short, when adding it to favorites IE seems to encode all spaces as %20 (The URL safe encoding for a space character) which bumps it up to 525 bytes, which is 17 too many.
Back to the drawing board!
Success!
2004-10-31 14:10 - arantius
I have just updated the article above to include the source for MyPass version 1.1. The new version is IE6/win compatible, tested on Win98 SE and WinXP SP2.
Note that I find the link cannot be dragged on XP SP2. I must right click and choose "Add to Favorites." And just in case you might need it, here's the wonderful little bookmarklet again:
MyPass
Beta testing
2004-11-04 15:09 - Lieuallen
I am now using it with IE 6.0 under both Win98 and 2000. Works like a charm!
Security vulnerabilities
2004-11-05 18:41 - arantius
I've been advised that technically there are two security vulnerabilities. First, it's a 32 bit hash. Given the knowledge that this script produced it, it's rather trivial to crack the code. I personally believe knowledge of the script is (at this point especially) difficult to have that knowledge though, given a few letters and numbers.
Also, technically, any website you visit has the ability to redefine the prompt() javascript method. This is how the script gets your master password, and in theory the prompt command could be redefined by a site to ask you for the password and then proceed as normal, except also steal the master password. In my opinion this is a very remote possibility, but the chance is nonetheless there.

I'm investigating the possibilities to change this. Neither will end up working with IE if they happen.
New version
2004-11-15 21:23 - arantius
Version 1.2 is released! This is only a slight change but should make it more compatible with various sites out there. And I trimmed off fifteen bytes!! Here it is:

MyPass 1.2
Firefox users: Extension version
2005-07-20 20:17 - arantius

To Firefox users: There's also an extension that makes compatible passwords that I wrote called Magic Password Generator. It incorporates a few new features that are really nice to have.

RE: Security vulnerabilities
2006-05-02 18:32 - LanceHaverkamp

This shouldn't be a huge issue. Most sites are low risk (yahoo, google etc.). On medium-risk sites you can have custom, longer passwords. A good, secure high-risk site should use browser certificates!

I love this plugin/bookmarklet.

Lance

Password Length
2006-09-26 11:05 - opel70

There are a few sites that seem to generate a 7 character password instead of an 8 character one. Most of the time this isn't an issue, but some sites require 8 characters. 'comcast.net' is one of the sites that always seems to generate a 7 character password. Any idea what is going on?

Short Passwords
2006-09-26 11:10 - arantius

Basically, it makes up a number, then converts that number to hexadecimal. It's a 32 bit number, hexadecimal represents 4 bits with each character, therefore it uses 8 characters to represent the number. If, however, enough of the most significant bits are zero, then the converter never gets to that empty space. It doesn't copy the zeros on the left.

iPad Compatible
2010-09-05 18:30 - arantius

I had some problems running this on my iPad, which was causing me strife. So I re-made the bookmarklet, by backporting Magic Password Generator back into a bookmarklet again. This is a monster long bookmarklet, but I've tested it working on my iPad. Edit the my_user and my_email values at the beginning to make it even easier to log in.

MyPass+

iPad Compatible, take two
2010-12-11 16:20 - arantius

I'm not sure why, but the version just above didn't seem to work very well. So I took another crack at it!

MyPass++

Post a comment:

Username
Password
  If you do not have an account to log in to yet, register your own account. You will not enter any personal info and need not supply an email address.
Subject:
Comment:

You may use Markdown syntax in the comment, but no HTML. Hints:

  • An empty line between text will create a paragraph boundary.
  • Use angle braces around a plain URL to auto-link it: <http://www.example.com/>.
  • Use this format to create a link with different text showing: [An Example](http://www.example.com/).
  • Use backticks (``), not leading spaces to enclose a code block.

If you are attempting to contact me, ask me a question, etc, please send me a message through the contact form rather than posting a comment here. Thank you. (If you post a comment anyway when it should be a message to me, I'll probably just delete your comment. I don't like clutter.)