Passwords

Every so often, a Firefox plugin looks so nice and shiny to me that I consider switching from Camino to Firefox as my primary browser. For the last couple of weeks, the password hashing plugins have had my eye:

These all basically do the same thing: create a hash of a password and the domain name of the site you’re logging in to. This allows you to use a different password at each site, but only have to remember a single password. And of course, having this built in as an extension makes it all the easier.

I like PwdHash because it also provides a web interface for generating passwords. Handy for those times you’re using a foreign browser. Also, Blake Ross is a developer whose work I have respect for, and his was one of the first blogs I subscribed to.

Additionally, the source is available (and Open Source) so I was able to build my own version of the web tool. My version has four changes from the Stanford version:

  1. If there is a referring URL, I auto-populate the domain field (works with the bookmarklet).
  2. I set focus to the domain or password field (whichever is appropriate) for you when the page loads.
  3. After generating a password, the generated password is selected in the field for easy copy/paste.
  4. It’s a sight prettier. ;)

Anyone is welcome to use my version of the web tool. Just like the Stanford version, the hashed password is created in your browser with JavaScript and not passed on to my server. They did all the work, I just repackaged it a little. :)
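The idea described above, sketched as an added example (not code from PwdHash or from my web tool): the site's domain is taken from a URL such as the referring page, then hashed together with the master password. HMAC-SHA-256, the `siteDomain` and `sitePassword` helpers, the short suffix list and the sample URLs are all assumptions made for illustration, so the output will not match what PwdHash generates.

```javascript
// Added illustration: NOT PwdHash's actual algorithm or output format.
const crypto = require('crypto');
const net = require('net');

// Assumption: a tiny sample of two-level public suffixes. A real tool needs
// the full Public Suffix List to find the registrable domain reliably.
const TWO_LEVEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Reduce a URL (e.g. the referring page) to its registrable domain so that
// www.example.com and login.example.com map to the same site password.
function siteDomain(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, '');
  if (net.isIP(host)) return host;            // IPv4 literal: use as-is
  const labels = host.split('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = TWO_LEVEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Derive a per-site password: HMAC keyed with the master password over the
// domain, encoded as base64url and truncated to a fixed length.
function sitePassword(masterPassword, url, length = 16) {
  if (!masterPassword) throw new Error('master password required');
  const mac = crypto.createHmac('sha256', masterPassword)
    .update(siteDomain(url))
    .digest('base64url');
  return mac.slice(0, length);
}

// Constructed sample input: the first two URLs share a site, the third does not.
const sampleUrls = [
  'https://www.example.com/login',
  'https://login.example.com/session/new',
  'https://example.org/signin',
];
for (const url of sampleUrls) {
  console.log(siteDomain(url), sitePassword('constructed master password', url));
}
```

Because a single HMAC is fast to compute, one leaked site password lets someone test guesses at the master password offline. Swapping the HMAC for a slow key-derivation function such as `crypto.scryptSync`, with the domain as salt, raises the cost of each guess.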

I also created a little bookmarklet[1] for times when I’m at a random computer. The bookmarklet does a little JS to give me a link to my password page from the page I need to log in to. This way I can auto-populate the domain field with the referring URL. Not sure if I’ll really use this or not.

When/if I make the change, I’ll be choosing a new general password to use with the hashes too. These techniques keep passwords from being stolen over the wire or from a service, but don’t help much if the main password used to create them is compromised.

I’m also curious about 1Passwd, an extension that allows you to use the OS X Keychain to store passwords instead of the Firefox password manager[2]. However, the posted reviews aren’t exactly glowing.

In reality, not having the passwords filled in for me[3] might be a good reminder to change my password for the site to a new hashed password.

Note to Tasks Pro™ and Tasks™ users: I was concerned that this wouldn’t work properly with the code that I use in Tasks Pro™ and Tasks™ to obscure passwords before they are sent, but it does – yay!

  1. Tested with Camino, Firefox and Safari.
  2. Looks like this will likely be built-in in the future.
  3. If I switch from Camino to Firefox. Camino stores passwords in the OS X keychain while Firefox uses its own password manager.
