It’s just data

Simple Single Sign-on

Jon Udell: Today’s 2.75-minute screencast features Nic Wolff’s ingenious solution to the vexing problem of single sign-on to websites.

Another example of the Long Tail Of Software Development, a.k.a., pushing integration to the edges.

Things to note:

Related: Situated Software.


Very useful: single sign-on simplified

... [more]

Trackback from torsten's .NET blog

at

Mozilla users can make this even more seamless with Pwd Composer.

No offense to Johannes la Poutré, who I am sure is a perfectly upstanding citizen, but if you check that GreaseMonkey script, all it does is include a script from his website into the current page.  What’s stopping him from replacing that script with a sniffer?

It looks like somebody just copy & pasted his bookmarklet into a GreaseMonkey script.  The only reason for dynamically loading it from his site was because bookmarklets are limited in length.  The same is not true of GreaseMonkey scripts, so a secure version can easily be created by simply including the main script instead of adding it dynamically.

Posted by Jim at

Single Sign-on

Good ideas are sometimes so simple and obvious that you want to kick yourself for not having come up with them long ago: Simple and effective single sign-on to websites. [via Sam Ruby]...

Excerpt from Das A1 Weblog at

Password generator

A very simple but delightfully ingenious take on single sign-on: Password generator from Nic Wolff. Jon Udell’s done a 2.75 minute, works-on-dialup! screencast which demonstrates it in action. (spotter: Sam)...

Excerpt from Raw at

Very useful: single sign-on simplified

Simple Single Sign-On [Sam Ruby]...

Excerpt from TorstenR 's not only blogging space at

Oh well, nice trick, but... I fail to see the real difference between a “one pass to rule them all” approach and a “use one pass combined with a dns name and make md5”.

I think that the only pro is that the information sent is in some ways encrypted. So, it adds a bit of protection in the send-password part of the client-server communication.

But... since on a good server system the passwords are already hashed (or crypted) and on the other side the pass is still one single key... if someone stole my pass... well, all my identities are gone as well. Since, as we all know, the user is the weaker side ;)

I’m asking myself if I’m not missing something... and if I’m right... are the pros really worth the loss of time of using a tool like that?

Posted by Folletto Malefico at

Password Generator

Sam Ruby links to Nic Wolff’s javascript password generator.  While it’s super cool and all — I mean, there’s a screencast!  By Jon Udell! — the actual password algorithm is kinda stupid, in that it generates only 4bn unique passwords.  That may seem...... [more]

Trackback from ((meatspace))

at

Ouch That’s not good.

I’m very embarrassed not to have noticed what Jim points out, that the PWD Composer script has some very serious security flaws. Since this script manipulates passwords you need to really really trust it. The script faces a challenge. It needs a...

Excerpt from Gibbon's Garage at

Password Hashing Revisited

Sam Ruby and Jon Udell point to Nic Wolff’s password generator as a simple ingenious simple single sign-on (SSO) solution. It’s a neat technique but the core idea is definitely not a new one. For example, Dan Boneh and Stanford students used it in...

Excerpt from Don Park's Daily Habit at

FYI, a version of the GM script which doesn’t download an external file is now available.

Posted by Jeremy Dunck at

Sam Ruby: Simple Single Sign-on

[link]...

Excerpt from del.icio.us/miyagawa at

The idea is definitely not new. I have used this a couple of times in the past (made by Niels Provos)

Stelios

Posted by Stelios G. Sfakianakis at

The password generator is worthless. It’s simply taking the combination of the username and sitename and running that through MD5. That means anyone who knows your username for a particular site can get your password.

Posted by ryan king at

Folletto: not all servers are “good”.  The nice thing about MD5 hashes is that they are not (currently) reversible.  So even if you know the password for one site, you can’t reverse engineer the master password, meaning that you can’t generate a password for another site.

ryan: no, the scripts prompt for a master password and run that, combined with the site, through the hash function.

Posted by Sam Ruby at
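
The derivation described in the comment above, next to a hardened variant, as an added example that is not part of the original thread and is not Nic Wolff's code. The `:` separator, the truncation to 8 hex characters, the function names, and the PBKDF2 variant with its parameters are assumptions.

```javascript
const crypto = require('crypto');

// Scheme as discussed in the thread: MD5 over master password + site name.
// Assumptions: ':' as separator, output truncated to 8 hex characters.
function md5SitePassword(master, site) {
  return crypto.createHash('md5')
    .update(`${master}:${site}`, 'utf8')
    .digest('hex')
    .slice(0, 8);
}

// Hardened variant (assumption, not from the page): PBKDF2-HMAC-SHA256 salted
// with the site name, keeping 12 bytes = 16 base64url characters.
// MD5 is fast, so one leaked site password lets master-password guesses be
// checked cheaply offline; the iteration count raises the cost of each guess.
function kdfSitePassword(master, site, iterations = 200000) {
  return crypto
    .pbkdf2Sync(master, `sitepw:${site}`, iterations, 12, 'sha256')
    .toString('base64url');
}

// Number of distinct passwords a format can produce.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Derive both variants for a list of sites from one master password.
function derive(master, sites) {
  return sites.map((site) => ({
    site,
    md5: md5SitePassword(master, site),
    kdf: kdfSitePassword(master, site),
  }));
}

// Constructed sample input: the master password and site names are made up.
const rows = derive('correct horse battery staple', ['nytimes.com', 'example.org']);
console.table(rows);
console.log('8 hex chars      :', keyspace(16, 8).toString(), 'possible passwords');
console.log('16 base64url chars:', keyspace(64, 16).toString(), 'possible passwords');
```

Both functions are deterministic, so the same master password and site name give the same site password on any machine that has a copy of the generator.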

Who says you have to enter ‘www.nytimes.com’ for "Site"?  You could enter ‘nytimes’ or ‘com.nytimes.www’ or whatever you want that allows you to remember that site.  You make up a personal memorization scheme if you’re that worried about security, and you still have the master password being used in the hash as well.

Posted by MJ at

Wow, I can’t realize I misread that.

Posted by ryan king at

How can I make this mobile?  How can I employ this same technique if I am working on a public computer and want to enter a site that I have already generated a password for?

Posted by doans at

doans, that’s what I’m wondering.

Posted by Noel Jackson at

Have a web page which is under your control contain a copy of the password generator?

Posted by Michael Finney at

Where is it possible to download a demo version of this product?

Posted by Alexandr at
