Every so often, a Firefox plugin looks so nice and shiny to me that I consider switching from Camino to Firefox as my primary browser. For the last couple of weeks, the password hashing plugins have had my eye:
- Password Hasher
- SecurePassword Generator
- Magic Password Generator
- PasswordMaker
- Password Composer
- And the one I’d actually be likely to use: PwdHash
These all basically do the same thing: create a hash of a password and the domain name of the site you’re logging in to. This allows you to use a different password at each site, but only have to remember a single password. And of course, having this built in as an extension makes it all the easier.
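The scheme described above, sketched as an added example (not code from this post, from PwdHash or from any of the listed plugins). HMAC-SHA-256, the base64url encoding, the 16-character length, the function names and the tiny suffix list are all assumptions, so the output will not match what those tools generate.

```javascript
// Added illustration, NOT the PwdHash algorithm: the hash, encoding and
// length below are assumptions chosen for the example.
const { createHmac } = require('node:crypto');
const { isIP } = require('node:net');

// Constructed, deliberately tiny stand-in for a public-suffix list.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Reduce a URL or bare hostname to the domain that identifies the site,
// so mail.example.com and mail2.example.com map to the same value.
function siteDomain(urlOrHost) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(urlOrHost);
  const url = new URL(hasScheme ? urlOrHost : `https://${urlOrHost}`);
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  const labels = host.split('.');
  // IP literals and short names have no subdomain to strip.
  if (isIP(host) || labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join('.');
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// The master password keys the HMAC and the site domain is the message.
// Nothing is stored: the same two inputs always give the same output.
function sitePassword(master, urlOrHost, length = 16) {
  if (!master) throw new Error('master password is required');
  const digest = createHmac('sha256', master)
    .update(siteDomain(urlOrHost), 'utf8')
    .digest('base64url');
  return digest.slice(0, length);
}

// Constructed demo values: same site on two hosts, then a different domain.
const master = 'constructed master password';
console.log(sitePassword(master, 'https://mail.example.com/login'));
console.log(sitePassword(master, 'http://mail2.example.com/inbox'));
console.log(sitePassword(master, 'https://example.net/login'));
```

The first two lines printed are identical and the third differs, which is why a password typed into a look-alike domain is useless on the real site. Because the output depends only on the master password and the domain, anyone who learns the master password can regenerate every site password.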
I like PwdHash because it also provides a web interface for generating passwords. Handy for those times you’re using a foreign browser. Also, Blake Ross is a developer whose work I have respect for, and his was one of the first blogs I subscribed to.
Additionally, the source is available (and Open Source) so I was able to build my own version of the web tool. My version has four changes from the Stanford version:
- If there is a referring URL, I auto-populate the domain field (works with the bookmarklet).
- I set focus to the domain or password field (whichever is appropriate) for you when the page loads.
- After generating a password, the generated password is selected in the field for easy copy/paste.
- It’s a sight prettier. 😉
Anyone is welcome to use my version of the web tool. Just like the Stanford version, the hashed password is created in your browser with JavaScript and not passed on to my server. They did all the work, I just repackaged it a little. 🙂
I also created a little bookmarklet[1] for times when I’m at a random computer. The bookmarklet does a little JS to give me a link to my password page from the page I need to log in to. This way I can auto-populate the domain field with the referring URL. Not sure if I’ll really use this or not.
When/if I make the change, I’ll be choosing a new general password to use with the hashes too. These techniques keep passwords from being stolen over the wire or from a service, but don’t help much if the main password used to create them is compromised.
I’m also curious about 1Passwd, an extension that allows you to use the OS X Keychain to store passwords instead of the Firefox password manager[2]. However, the posted reviews aren’t exactly glowing.
In reality, not having the passwords filled in for me[3] might be a good reminder to change my password for the site to a new hashed password.
Note to Tasks Pro™ and Tasks™ users: I was concerned that this wouldn’t work properly with the code that I use in Tasks Pro™ and Tasks™ to obscure passwords before they are sent, but it does – yay!
[1] Tested with Camino, Firefox and Safari.
[2] Looks like this will likely be built-in in the future.
[3] If I switch from Camino to Firefox. Camino stores passwords in the OS X keychain while Firefox uses its own password manager.
am i correct in assuming that if you’re using the hashes for these sites, you’re going to need access to the same plugin to get the hashed password? i.e. if you’re on someone else’s machine, you won’t be able to return the password?
ok, ok, so i just skimmed the first part like an idiot 😉
still not sure i’ll switch, but interesting.
Stephen, that’s what the web version Alex mentions is for. It uses the same algorithm as the Firefox extension.
You might want to try out Pafwert (http://xato.net/bl/2[...]r-passwords/) you can make strong passwords that are actually easy to remember.
I’m not sure why you want to go to these extremes to just keep passwords. Something I do is use Google’s Browser Sync which syncs bookmarks, cookies, passwords, history and a browser restoration (like what’s already built into firefox but across multiple computers). You can always pick what you want to sync rather than all of the above features but it’s really nice to use if you’re using multiple computers. I’m regularly on 3 macs a day and a couple linux and windows boxes over the week and it helps tremendously, passwords and bookmarks in particular.
Security wise, it uses “encryption” to sync but I’m more concerned with a local intrusion so I make sure to keep a master password on all my firefox installs and the browser sync asks for a login when you switch systems automatically.
This works a bit differently from PasswordMaker, which is what I’ve been using, as well as other implementations of the same concept: most tools I’ve seen create a hash from a masterpassword+url+username. PasswordMaker is nice because it stores the username for you, and lets you upload/download from a server (but not full sync yet).
The password+url+username seems a bit safer than simply password+url. Also, because sites vary a lot in terms of username requirements, it is nice to have that information saved. Sometimes it’s harder to remember usernames than passwords!
Having said that, however, the simplicity and ease-of-use of PwdHash have me considering switching over …
Sxipper is also looking nice, but I use it more for forms than passwords:
http://www.sxipper.com/
PS: PasswordMaker also has a web interface. (In both full and mobile editions.)
am just wondering what happens if the mail provider is changing the login address
from http://mail.domain.com to maybe http://mail2.domain.com
especially when i don’t remember the former URL.. i’ll never be able to login again, right?
marco – Perhaps you should read the PwdHash documentation more closely.