Jump to content

Start using (more) secure passwords online


Neil P

Recommended Posts

SuperGenPass (see second post for update)

 

The above link gives you an easy tool for creating secure passwords, though they are only usable online. You provide a master password, and it will then take that, combine it with the domain of the site, and creates an md5 hash of it. You can select options like the case of the password (I don't see a reason to pick anything other than "mixed", unless the site specifically requires a certain case), the length, and several other things. It can generate your passwords online, or you can create a bookmarklet that will do the same thing for you, but not require the website. In either case, your information is not transmitted back to his (or any other) site. So, all you have to do to start using this today is: go to the site, find the "build your bookmarklet" section, look through the options (the default are fine, but I changed the generated length from the default of 8 to "ask each time", and the case to "mixed"; be careful changing the length, if you use different numbers on each site, you might forget what you used on a particular site!). Then hit the "Build Bookmarklet" button, and add the bookmarklet to your browser. I added it to the bookmarks toolbar so it's always a single click away.

 

Who this will help: Anyone who uses the same password for every website. If you're already using different, secure passwords at each site, then more power to you (that is difficult; the more secure a password is can generally be linked to how random the password is--along with other things like length and what the set of characters used is--so if you're remembering multiple secure passwords, you've got a great skill!)

 

How this will make you more secure: Using a single password everywhere is dangerous. With this tool, you are using a different, totally random password at every site you visit. They can't be reverse engineered, i.e., a hacker could not take your generated password and figure out your master password from it.

 

What this does NOT do: - If your master password is compromised, your password can be compromised. Of course, a malicious user would still have to know that you used this particular generator.- If your physical machine is compromised, particularly with the bookmarklet, particularly if your master password is encoded in the bookmarklet (I changed it to ask each time), you are not safe. You can turn off the browser's automatic storing of passwords, but that could get very cumbersome. If you are extra-paranoid, you can change your master password at a certain interval. And, to be honest, it probably wouldn't hurt to do that anyway, even with the randomness of this. A nice feature of this particular generator is that it is available online. If you lose the bookmarklet, if you get a new computer, whatever, you can find it at that site. If you're even worried about the site going offline, you can (in theory, I didn't try this) store the page locally, burn it to a few CDs, and even store one in a safe deposit box. I don't think I'll go that far though.

 

A note for IE users (note 4/14/2012: this may not apply to newer versions of IE, I'm not sure):

Some browsers—most notably, all versions of Internet Explorer, some older versions of Safari and Opera, and many smartphone browsers—place a severe limit on the length of bookmarks. Use the Internet Explorer version of SuperGenPass for these browsers. It circumvents the limit by downloading this JavaScript file each time you use SuperGenPass (though it will likely be cached to reduce bandwidth usage). Only generic JavaScript code is downloaded, and no information is ever transmitted to this or any other Web site. (Internet Explorer may prompt you with a security message when you add SuperGenPass to your favorites. This is typical of all bookmarklets and can be safely ignored.)
Link to comment
Share on other sites

  • 1 year later...

I just wanted to reply to this very old topic here to say that the guy who made GenPass has since made an updated version, aptly named SuperGenPass. It's available at http://supergenpass.com, still with an easy to use bookmarklet. However, it is not compatible with GenPass passwords.

Link to comment
Share on other sites

  • 2 years later...

I'm still using this generator to make my passwords. However, since switching back to Chrome I've found this fantastic extension: SuperGenPass for Google Chrome™ by Denis. It basically eliminates the need for a bookmarklet. You install the extension and then go into the options. Here you type in the password(s) you want to use, the length of the password (10 by default, you can make it anything though) and a note. That's it for setup! Once you encounter a webpage where you want to sign in, you get to the password box, and press "1" (by default; you get to pick what you use). Upon your first try after launching Chrome, you'll have a window popup where you enter your master password to "unlock" it. For all subsequent uses in that session (i.e., until you close Chrome) you just hit the number key and it automatically populates the field for you! However, I still have the mobile site, http://supergenpass.com/mobile bookmarked for the sites that it doesn't work on. Mainly those sites are Flash sites.

Link to comment
Share on other sites

  • 8 months later...

I came across a fantastically detailed explanation page for zxcvbn, a password strength measuring tool. Here's a demo of it.

 

All of my currently in-use passwords that I've tried have displayed "centuries" to crack. There are still improvements to the tool to be made (check some of the comments) but I think it's a great tool already.

Link to comment
Share on other sites

  • 1 month later...

I used Chrome's "manage saved passwords" link (wrench -> settings -> show advanced -> under passwords and forms) to review my saved passwords. I discovered that 13 of my passwords that I had stored were identical--and they were my master password that I use for supergenpass. That is pretty terrible security!

 

In light of the LinkedIn password hacking, I am auditing my passwords. In my case, the LinkedIn password I was using was generated by SGP--so I didn't lose anything but that password. I have since changed it. It would be wise if anyone using LinkedIn did the same! And any passwords that are the same as your LinkedIn password (if you were using SGP, you wouldn't have that issue!) are potentially in jeopardy too. The article says it's not clear if email addresses or usernames were included along with the passwords, but it says bundling them together is common.

 

YOUR EMAIL PASSWORD SHOULD ALWAYS BE UNIQUE

 

When account information is lost, MOST of the time your username and/or password will be mailed to you (or you click a link to change them, usually a password is not sent plaintext). If you lose control of your email account, you can lose control of most other website accounts too!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...