It's simple common sense that using a unique password for every site you sign up to limits the damage if someone discovers one of your passwords: it will only work on that one site. Yet hardly anyone does this, because it's so damn hard to remember them all. Sure, you could use a password manager that stores all your passwords under a master password, but that's extra effort as well.
Nic Wolff has come up with an amazingly simple, easy and effective solution. Essentially, you take the domain of the website, append your master password, compute the MD5 hash of that string, and use the hex digest as your password for that site. The same domain and master password always produce the same result, so there is nothing to store: the password is simply recomputed every time you need it.
For the non-technical among us, suffice to say that the resulting password is different for every domain (two domains producing the same hash is not something you will see in practice), and the hash cannot simply be reversed to reveal your master password. One caveat, though: the domain half of the input is public, so anyone who gets hold of your password for one site can try guesses of your master password offline until one reproduces it. The scheme only stops a leak on one site spreading to others if the master password itself is long and hard to guess.
If you're still not following, have a gander over here for a narrated visual run-through of the process.
Through the wonder of modern browsers (sorry IE users ;)), the entire code for this fits in a javascript bookmarklet. Simply click it, enter your master password, and it'll generate the corresponding password for the domain you're currently visiting. I've made a couple of small changes to the bookmarklet that Nic provided, as follows:
- It doesn't fill in text boxes merely named "password", only real password fields (inputs of type password). A plain text box would display the generated password on screen, so this just seems a bit safer to me.
- If no password field is found, it shows you the result in a prompt (so you can copy it manually).
- It shows you the domain it's using.
- In the second version, you can specify the domain yourself (for when the login page is on a different domain to the signup page, so that the same password is generated for both).
Not terribly huge improvements, but I felt they were needed in some cases. Actually, the hardest part was turning the javascript into a bookmarklet. Damn escape sequences :/
Drag either of the below two links to your bookmark bar to save it as a bookmarklet, or just click it for a demonstration of what it does:
Update: I've improved this script a whole heap and posted it here. It hides the password (just like a regular password input box), and is much nicer in general. It doesn't seem to work in Safari yet, which is why I've left these versions up.
6 Comments:
A good find, and well done on the improvements, particularly since the source is fairly obfuscated by the look of it.
(Although all JavaScript code looks obfuscated to me ;))
Nah, the source isn't that scary. All the escaped characters can be unescaped very easily, and then it's just a whole lot of regular code bunched up onto a single line...
Is there a way to have the 'master password' shown as * when we type it in? Nice work. Keep up the good work.
Tejas: Indeed there is, follow the link in the newly added update :)
Looks good.
Is there a version that doesn't need to poll back to your site to run the password.js script, as the labs.zarate.org version does and (I assume, I haven't unescaped and checked it yet) yours does?
Could I store and run the .js locally?
Absolutely. When you put the javascript link in your bookmarks, it contains the entire contents of the script (yank out your network cable and try it if you don't believe me ;)). This is the case with mine and the zarate.org version.
The only reason that some of the scripts poll back to the site is to accommodate IE's limit on bookmark length. And yes, if you need it to work on IE you can store a .js locally, and simply change the bit of the bookmarklet that refers to this file.