PasswordMaker

29 Sep 2005  in the late afternoon  Matt Winckler

I stumbled across an interesting application today called PasswordMaker. It’s an extension for Firefox/Mozilla/Netscape, a Konfabulator widget, and they say they’re working on an extension for Internet Exploder. In essence, all PasswordMaker does is take certain input parameters and generate a hash (using any of 10 different hash algorithms, including MD5, SHA-1, SHA-256, and so forth) which you then use as your password. One of the input parameters is the website you want to use the password for–so for instance, to generate a password for GMail, I might put in my GMail account name, the gmail.google.com URL, and then my “master password” (which is used as an input to generate all other passwords), and it will generate a hash for me to use as my GMail account password.

There are several advantages with this system that are worth pointing out. Firstly (and perhaps most importantly), unlike other “password-remembering systems”, your account passwords are never stored anywhere–they’re generated on the fly using the one-way hash algorithm that you choose. And because the hash is one-way, it is not feasible for an attacker who obtains one generated password to recover your master password (or the other inputs) from it with currently available computing resources. Additionally, the hash is generated using a total of nine input parameters that you specify, instead of something simple like URL+master password.

The second big advantage is that it makes it very easy for people to use completely distinct, very strong passwords for each site they visit. I like to think I’m one of the more paranoid/secure computer users out there, and I always use random numbers/letters/symbols as passwords, but even I repeat passwords across websites because I am lazy. And furthermore, because I am paranoid, I don’t want to write my passwords down anywhere. Most people have very cryptographically weak passwords and repeat them all over the place, so almost anything is an improvement.

The third big advantage is that because the PasswordMaker extension uses the URL as an input, it automatically defeats most attempts at phishing. So when the email sends you to paypa1.com instead of paypal.com, even if you are not paying any attention at all and try to log in, PasswordMaker will generate the wrong password (since it’s the wrong URL) and your real one will remain safe.
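As an added illustration (not PasswordMaker’s own algorithm, which takes more inputs than shown here), a simplified generator in Python: the master password keys an HMAC over the site host, account name and an optional modifier, so every page on gmail.google.com yields the same password while a look-alike host such as paypa1.com yields a different one. The output alphabet, the input separator and the sample values are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed output alphabet; a real tool lets the user pick this.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
           "0123456789!@#$%^&*()_-+=")

def site_key(url):
    """Reduce a URL to its lowercase host so that every page on a site
    yields the same password, but a look-alike host does not."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()

def generate_password(master, url, username="", modifier="",
                      length=16, algorithm="sha256", charset=CHARSET):
    """Derive a per-site password from the master password and the
    site-specific inputs. Nothing is stored; re-running with the same
    inputs reproduces the same password."""
    # The master password is the HMAC key; the site inputs are the message.
    message = "|".join([site_key(url), username, modifier]).encode()
    out = []
    counter = 0
    while len(out) < length:
        # A counter extends the output when one digest is too short.
        block = message + b"|" + str(counter).encode()
        digest = hmac.new(master.encode(), block, algorithm).digest()
        for byte in digest:
            # Modulo mapping is slightly biased for non-power-of-two
            # alphabets; fine for illustration, rejection-sample in production.
            out.append(charset[byte % len(charset)])
            if len(out) == length:
                break
        counter += 1
    return "".join(out)

def looks_like_phishing(master, real_url, visited_url, username=""):
    """True when the visited host would receive a different password than
    the real site, i.e. the derived password would not work there."""
    return (generate_password(master, real_url, username)
            != generate_password(master, visited_url, username))

if __name__ == "__main__":
    m = "correct horse battery staple"  # constructed sample master password
    print(generate_password(m, "https://gmail.google.com/mail/", "matt"))
    print(looks_like_phishing(m, "https://www.paypal.com/",
                              "https://www.paypa1.com/signin"))
```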

The fourth minor advantage is that PasswordMaker also helps defeat keyloggers–if you store your master password in an encrypted file on the hard drive, you only type it once. And the generated passwords are automatically inserted by the extension, so they are never typed at all.

I’ve been trying to think of significant disadvantages to this scheme, and so far I’ve only thought of one. That one is that in a certain sense, a lot does hinge on your single master password, and so it becomes the single point of weakness. However, this drawback is mitigated by the fact that you can specify the other input parameters that PasswordMaker uses to generate hashes, some of which are date-based, and so a hacker would have to guess at those in addition to your password.

The only other disadvantage I’ve thought of is that it becomes nigh impossible to log in to a website when you’re at someone else’s computer, since they probably won’t have PasswordMaker installed. Here again, this is mitigated by the fact that PasswordMaker has an online version, but I note that their online version isn’t even on a secure server. (!) If I were a cracker, I know where I’d be sniffing network traffic… Update: As was pointed out to me below by quixin, the online generator actually only uses JavaScript to generate passwords, and therefore nothing is transmitted over the network when you use it. My mistake!

Aside from those, I’m having a hard time finding disadvantages. (Anybody else think of any?) This is definitely something I’ll be trying out in the next few days to see if it stands up to real-world usage.

5 vociferations follow:

  1. 1 week, 3 days after the fact, quixin responded:

    Actually, the online version of passwordmaker does not transfer any information over the network, it is a java applet that only runs locally on your machine. If you open the page and read the description at the bottom, there is a very good explanation about how this works. http://passwordmaker.org/passwordmaker.html

  2. 1 week, 3 days after the fact, Matt Winckler responded:

    Good catch! You’re right, and I wasn’t paying enough attention. I didn’t see the explanation on the bottom of the page. I’ll update the post to reflect this info. Thanks!

  3. 3 weeks after the fact, Charles Marcus responded:

    Another point on keyloggers…

    Even if you don’t store your Master Password (in memory or on disk), and are prompted for it every time - if a keylogger happens to be running on your computer, all they would get would be the Master Password, which is useless all by itself. The hacker would have to know that you were using PasswordMaker, and to guess at the settings you used.

    This is also a very good reason to change the Default settings - which your Custom Accounts will then inherit. Just be sure you know what Settings you used (and they are very easy to back up and restore too).

  4. 1 year, 11 months after the fact, giuseppe responded:

    all wonderful and compelling…

    but I can’t see the import feature in the PasswordMaker on-line version, to keep my home computer synchronized with others.

    where is it?

    please help me!

    thanks in advance.

    giuseppe

  5. 1 year, 11 months after the fact, Matt Winckler responded:

    I would suggest four things: this, this, this, and this, in that order, and don’t start any of the steps before having completed all the ones before it.
