Jon Udell: Today’s 2.75-minute screencast features Nic Wolff’s ingenious solution to the vexing problem of single sign-on to websites.
Another example of the Long Tail Of Software Development, a.k.a., pushing integration to the edges.
Things to note:
Related: Situated Software.
Mozilla users can make this even more seamless with Pwd Composer.
No offense to Johannes la Poutré, who I am sure is a perfectly upstanding citizen, but if you check that GreaseMonkey script, all it does is include a script from his website into the current page. What’s stopping him from replacing that script with a sniffer?
It looks like somebody just copy & pasted his bookmarklet into a GreaseMonkey script. The only reason for dynamically loading it from his site was because bookmarklets are limited in length. The same is not true of GreaseMonkey scripts, so a secure version can easily be created by simply including the main script instead of adding it dynamically.
Oh well, nice trick, but... I fail to see the real difference between a “one pass to rule them all” approach and a “use one pass combined with a DNS name and make an MD5” approach.
I think that the only pro is that the information sent is in some ways encrypted. So, it adds a bit of protection in the send-password part of the client-server communication.
But... since on a good server system the passwords are already hashed (or encrypted) and on the other side the pass is still one single key... if someone stole my pass... well, all my identities are gone as well. Since, as we all know, the user is the weaker side ;)
I’m asking myself if I’m not missing something... and if I’m right... are the pros really worth the loss of time of using a tool like that?
The idea is definitely not new. I have used this a couple of times in the past (made by Niels Provos).
Stelios
Folletto: not all servers are “good”. The nice thing about MD5 hashes is that they are not (currently) reversible. So even if you know the password for one site, you can’t reverse engineer the master password, meaning that you can’t generate a password for another site.
ryan: no, the scripts prompt for a master password and run that, combined with the site, through the hash function.