Mozilla users can make this even more seamless with Pwd Composer.
No offense to Johannes la Poutré, who I am sure is a perfectly upstanding citizen, but if you check that GreaseMonkey script, all it does is include a script from his website into the current page. What’s stopping him from replacing that script with a sniffer?
It looks like somebody just copy & pasted his bookmarklet into a GreaseMonkey script. The only reason for dynamically loading it from his site was because bookmarklets are limited in length. The same is not true of GreaseMonkey scripts, so a secure version can easily be created by simply including the main script instead of adding it dynamically.
Good ideas are sometimes so simple and obvious that you want to kick yourself for not having come up with them long ago: Simple and effective single sign-on to websites. [via Sam Ruby]...
A very simple but delightfully ingenious take on single sign-on: Password generator from Nic Wolff. Jon Udell’s done a 2.75 minute, works-on-dialup! screencast which demonstrates it in action. (spotter: Sam)...
Oh well, nice trick, but... I fail to see the real difference between a “one pass to rule them all” approach instead of a “use one pass combined with a dns name and make md5”.
I think that the only pro is that the information sent is in some ways encrypted. So, it adds a bit of protection in the send-password part of the client-server communication.
But... since on a good server system the passwords are already hashed (or encrypted) and on the other side the pass is still one single key... if someone stole my pass... well, all my identities are gone as well. Since, as we all know, the user is the weaker side ;)
I’m asking myself if I’m not missing something... and if I’m right... are the pros really worth the loss of time of using a tool like that?
Sam Ruby links to Nic Wolff’s javascript password generator. While it’s super cool and all — I mean, there’s a screencast! By Jon Udell! — the actual password algorithm is kinda stupid, in that it generates only 4bn unique passwords. That may seem......
[more]
I’m very embarrassed not to have noticed what Jim points out, that the PWD Composer script has some very serious security flaws. Since this script manipulates passwords you need to really really trust it. The script faces a challenge. It needs a...
Sam Ruby and Jon Udell point to Nic Wolff’s password generator as a simple, ingenious single sign-on (SSO) solution. It’s a neat technique but the core idea is definitely not a new one. For example, Dan Boneh and Stanford students used it in...
The password generator is worthless. It’s simply taking the combination of the username and sitename and running that through MD5. That means anyone who knows your username for a particular site can get your password.
Folletto: not all servers are “good”. The nice thing about MD5 hashes is that they are not (currently) reversible. So even if you know the password for one site, you can’t reverse engineer the master password, meaning that you can’t generate a password for another site.
ryan: no, the scripts prompt for a master password and run that, combined with the site, through the hash function.
Who says you have to enter ‘www.nytimes.com’ for "Site"? You could enter ‘nytimes’ or ‘com.nytimes.www’ or whatever you want that allows you to remember that site. You make up a personal memorization scheme if you’re that worried about security, and you still have the master password being used in the hash as well.
How can I make this mobile? How can I employ this same technique if I am working on a public computer and want to enter a site that I have already generated a password for?