Simple Single Sign-on
Jon Udell: Today’s 2.75-minute screencast features Nic Wolff’s ingenious solution to the vexing problem of single sign-on to websites.
Another example of the Long Tail Of Software Development, a.k.a., pushing integration to the edges.
Things to note:
- This addresses a very real (a.k.a., "enterprise") problem
- Mozilla users can make this even more seamless with Pwd Composer.
- Jon’s use of “screencasting” as the only training required
Related: Situated Software.
No offense to Johannes la Poutré, who I am sure is a perfectly upstanding citizen, but if you check that GreaseMonkey script, all it does is include a script from his website into the current page. What’s stopping him from replacing that script with a sniffer?
It looks like somebody just copy & pasted his bookmarklet into a GreaseMonkey script. The only reason for dynamically loading it from his site was because bookmarklets are limited in length. The same is not true of GreaseMonkey scripts, so a secure version can easily be created by simply including the main script instead of adding it dynamically.
Posted by Jim at
Single Sign-on
Good ideas are sometimes so simple and obvious that you want to kick yourself for not having thought of them long ago: Simple and effective single sign-on to websites. [via Sam Ruby]...Excerpt from Das A1 Weblog at
Password generator
A very simple but delightfully ingenious take on single sign-on: Password generator from Nic Wolff. Jon Udell’s done a 2.75 minute, works-on-dialup! screencast which demonstrates it in action. (spotter: Sam)...Excerpt from Raw at
Very useful: single sign-on simplified
Simple Single Sign-On [Sam Ruby]...Excerpt from TorstenR 's not only blogging space at
Oh well, nice trick, but... I fail to see the real difference between a “one pass to rule them all” approach and a “use one pass combined with a dns name and make md5” approach.
I think that the only pro is that the information sent is in some ways encrypted. So, it adds a bit of protection in the send-password part of the client-server communication.
But... since on a good server system the passwords are already hashed (or encrypted) and on the other side the pass is still one single key... if someone stole my pass... well, all my identities are gone as well. Since, as we all know, the user is the weaker side ;)
I’m asking myself if I’m not missing something... and if I’m right... are the pros really worth the loss of time of using a tool like that?
Posted by Folletto Malefico at
Password Generator
Sam Ruby links to Nic Wolff’s javascript password generator. While it’s super cool and all — I mean, there’s a screencast! By Jon Udell! — the actual password algorithm is kinda stupid, in that it generates only 4bn unique passwords. That may seem...... [more]Trackback from ((meatspace)) at
Ouch
That’s not good. I’m very embarrassed not to have noticed what Jim points out, that the PWD Composer script has some very serious security flaws. Since this script manipulates passwords you need to really really trust it. The script faces a challenge. It needs a...Excerpt from Gibbon's Garage at
Password Hashing Revisited
Sam Ruby and Jon Udell point to Nic Wolff’s password generator as a simple, ingenious single sign-on (SSO) solution. It’s a neat technique but the core idea is definitely not a new one. For example, Dan Boneh and Stanford students used it in...Excerpt from Don Park's Daily Habit at
FYI, a version of the GM script which doesn’t download an external file is now available.
Posted by Jeremy Dunck at
The idea is definitely not new. I have used this a couple of times in the past (made by Niels Provos)
Stelios
Posted by Stelios G. Sfakianakis at
The password generator is worthless. It’s simply taking the combination of the username and sitename and running that through MD5. That means anyone who knows your username for a particular site can get your password.
Posted by ryan king at
Folletto: not all servers are “good”. The nice thing about MD5 hashes is that they are not (currently) reversible. So even if you know the password for one site, you can’t reverse engineer the master password, meaning that you can’t generate a password for another site.
ryan: no, the scripts prompt for a master password and run that, combined with the site, through the hash function.
Posted by Sam Ruby at
Who says you have to enter ‘www.nytimes.com’ for "Site"? You could enter ‘nytimes’ or ‘com.nytimes.www’ or whatever you want that allows you to remember that site. You make up a personal memorization scheme if you’re that worried about security, and you still have the master password being used in the hash as well.
Posted by MJ at
How can I make this mobile? How can I employ this same technique if I am working on a public computer and want to enter a site that I have already generated a password for?
Posted by doans at
Have a web page which is under your control contain a copy of the password generator?
Posted by Michael Finney at
Very useful: single sign-on simplified
... [more]Trackback from torsten's .NET blog at