
SuperGenPass: Clicking Your Way to Better Passwords

Aug 27 2008

For the first few years of my life on a computer, I knew almost nothing about security. I built my first desktop PC at age 15 and I loved it. I was cheap, so I put Windows XP Home on it, ignoring the warnings of my older and wiser geek friend about XP Professional vs Home. I turned it on, happily clicked the seemingly-smiling blue E icon on my desktop, and blazed about the interweb on my 56K connection. I paid no attention to passwords, firewalls, antivirus software (I knew about it, but remember, I was cheap), or anything resembling safe browsing habits. Several nasty trojans and something called the “Zlob worm” later, I started to take what you might call a mild interest in security.

Almost 7 years later, I have become a security freak and find myself evangelizing about the latest and greatest security practices and products. Security Now on the TWiT Podcasting network is one of my favorite podcasts and an excellent resource for the security-conscious. However, it was only recently that I started taking the notion of secure passwords seriously. While I have certainly changed my outlook on the value of computer security, I have stayed cheap, and I have been extremely reluctant to spend money on a good password generation and management application such as RoboForm or 1Password. Yet, as of late, I have found a great way to manage and create secure passwords within one’s browser. And it is free.

The utility I speak of is called SuperGenPass. It is a JavaScript bookmarklet that runs in almost any browser and generates a secure password for each site that you visit. It uses something called an MD5 hash, which is a function that, at its most basic level of explanation, takes in an input and generates a fixed-length output that is, for practical purposes, unique to that input. You can feed all kinds of data into an MD5 hash, including files and strings of text. Furthermore, an MD5 hash has the advantage of not being reversible, i.e. there is no practical algorithmic way to recover the input of a hash from its output. That makes this function perfect for password generation. The way that SuperGenPass works is that it takes a master password of your choosing, combines it with the TLD, or “top level domain”, of a website, and creates a hash of that string. A TLD, by the way, is just the highest and simplest URL of a website. For example, the TLD of this website is “daves-lab.com”. After it creates that hash, it then takes the hash of that hash and repeats the process at least 9 more times, and until the result meets the requirements of being a well-formed password (see pseudo-code explanation here). Finally, it presents you with the password and allows you to enter it into a website form just by double-clicking on it.

All those glorious technical details aside, let’s talk about what this pragmatically means. I’ll give you an example. Let’s say that I head over to a great website like Lifehacker.com and I want to register an account with them so I can comment on a post. I could just use one of my handful of sort-of-secure and random-ish passwords that I made up from phrases, or I could use just one master password with SuperGenPass to create a great password. Let’s say that I use an old password of mine, as a real example, such as “latetotheparty”. That password in combination with the TLD “lifehacker.com” would generate the default password of “qNvSm68yL6”. Well. That is a secure password. By the way, when I say “secure”, I mean that the password is not easily guessed by a human or robot and that it is unique to the site on which you use it. Uniqueness and guessability are both very important criteria for a password because so many of the attacks on our online accounts are brute force, i.e. basically guessing thousands upon thousands of combinations of usernames and passwords. It is also extremely important to use secure browsers like Firefox 3 or Internet Explorer 7 with the most up-to-date patches, but that is a subject for another day.

In my experience so far with this great utility, I have found several key advantages that make it worthwhile:

  • My passwords are now unique to every single site. I don’t have to worry if one of my passwords is cracked on a site and then having multiple other accounts cracked.
  • I can use only one password! I just use one really, really secure self-made password from a phrase and I can rest easy knowing that it is combined with the site’s TLD and then hashed.
  • The User Interface is easy and helpful. Just enter in your master password and double click the password field and you’re all set.
  • No need for password managers! Since your password is generated by an algorithm, you don’t need to ever remember it as long as you have a copy of the bookmarklet (more on this later). Furthermore, I can use it between browsers and even between operating systems!
  • It puts one more obstacle in the way of keyloggers. Keyloggers, if you didn’t already know, are malicious programs that record your keystrokes. Unless you have an extremely personalized and sophisticated keylogger that knows you’re using SuperGenPass, it would be almost impossible to get your actual password, though it would get your master password.

Now, hopefully you are fairly excited about SuperGenPass. I certainly am. However, there are some disadvantages, which are actually quite minor but worth mentioning:

  • If you aren’t running Firefox, it uses remote script execution. This isn’t really such a big deal, since the creator of SuperGenPass hosts the file freely for use, but if it ever goes down, you’re out of luck. Though there is a fix, so hold tight. Of course, you could just use Firefox and then you wouldn’t have a problem :) .
  • In theory there is no way to go backwards from an MD5 hash to the original input, but there are projects out there that seek simply to build giant databases of hash strings, kind of like a Google of hashes. If these projects take off, it might be technically possible to figure out your original master password from the hash, but the odds are extremely low. So I wouldn’t worry for now, but it is worth mentioning.
  • If you use these web passwords in some desktop applications, such as between Twitter.com and a Twitter client like Spaz, you will have to open a web browser and point it to the right website to regenerate your password for use in the desktop app. This, however, is a small inconvenience and usually isn’t a problem.

Overall, I am extremely impressed by the simple yet powerful idea of SuperGenPass. I think the defaults of the utility are great, but here are a couple of tips that I would recommend when creating the bookmarklet:

  • Change the default password length. The default on the webpage is a password of length 10 characters. Very few sites nowadays limit the length of your password, so for safety’s sake, I would recommend changing it to 15 or 18 characters.
  • If you are going to use only one master password, I would recommend clicking the “verify it with a hash” option. If you don’t, then all it takes is one instance of mistyping your master password and you will be in a bind. I use only one master password, as I mentioned before, but I check it with a hash in my bookmarklet.
  • And FINALLY, go to the SuperGenPass mobile site at http://supergenpass.com/mobile/ and in your browser click the “Save Webpage As…” option in “File” in the menu bar. If you save the webpage as “Complete Webpage”, you will have a permanent copy of the SuperGenPass generator, so even if the website goes down or the developer trashes the project you’ll have a way to get your passwords.


So that is my take on SuperGenPass. No longer do I have to sit around remembering passwords. I now can trust that my online identity is just a little bit safer. Any questions on using it? Just email me at askdave@daves-lab.com or leave a thought in the comments. I’d especially love to know what you all think of SuperGenPass.


4 Responses to “SuperGenPass: Clicking Your Way to Better Passwords”

  1. kolopanik Says:

    September 3rd, 2008 at 9:04 am

    Public computers + key loggers + knowledge OR GUESS that you are using SPG = bad news. Any way around this?

  2. daveslab Says:

    September 15th, 2008 at 9:50 pm

    Well, the first thing is that a key logger is a whole different kind of scenario, because they can grab anything you input. So it's not really a failing of SuperGenPass. However, the good thing about SGP is that after you enter the password into the popup, you then double click on the password entry field. That password is never typed, unless you actually type it out manually, so keyloggers don't get it. Now, a very sophisticated malware program would detect that you're using SGP and then be able to guess, so you're correct in that sense. It does rely a tiny bit on security through obscurity.

    The easiest way around this whole fiasco, quite frankly, is just to do what most of us do, which is just use the same few passwords and swap them between sites. However, if you do this, but use those same passwords with SuperGenPass as the generator, then you're guaranteed at least a little more security. Also, you could change up the default length of the password depending on which site you use, just so that people can't gain more insight into your passwords from length. If you're really cautious, you could always use a couple of super securely generated passwords from maximum entropy such as those found here: https://www.grc.com/passwords.htm.

    To be honest, this solution is imperfect and I would not use this to generate a password for my bank account or PayPal or anything really serious. But for most things, I think this is a great solution. So many password attempts are brute force and brute forcing a password like the ones SuperGenPass does is nuts. In a few years it'll be obsolete for sure, as processors get faster, but till then I think it's great.

    PS Sorry about not getting back to you sooner, when you're used to no one reading your blog, you tend to forget about it :) .

  3. Cleophas Says:

    January 30th, 2009 at 10:15 am

    I just started using this, but I am finding I miss having the side effect of Firefox remembering not so much my password for a given account on a given site, but Firefox remembering my actual login for a particular site! Is there any addon out there or a way to get Firefox to just remember the login for a site? I don’t want to use AutoComplete because that remembers more than just logins and Clearing Private data could wipe them out.

  4. Correcterator Says:

    June 29th, 2009 at 6:23 pm

    FYI: TLD
