The bookmarklet solution to the password problem
6th September 2004
Anyone who makes heavy use of the internet has run in to the password problem: dozens of user accounts on sites with varying degrees of trustability, leading to an unmanageable proliferation of username and password combinations. The temptation is to use the same combination on multiple sites, but doing so opens you up to the horrifying prospect of a security flaw in one site compromising al of your other accounts.
I was burnt by this a few years ago: a small community forum on which I was a member was cracked, and my account was then used to log in to another larger forum to which I had administrator acccess. Thankfully no permanent damage was done, but it taught me a valuable lesson in password security. Since then I’ve maintained a number of different combinations each with a different level of associated trust: if my account on Joe’s random forum is cracked it won’t lead to the compromise of my Amazon account!
Even different tiers of passwords aren’t ideal though, and that’s why Nic Wolff’s Password generator bookmarklet (via 43 Folders) has me so excited. Nic’s bookmarklet pops up a JavaScript prompt box asking for your “master” password, then MD5s it against the domain of the current login page and inserts the resulting hash in to any password fields on the page. A single password can be used for dozens of sites without any risk of a compromise of one account affecting the others. It’s brilliant.
There are a couple of minor flaws in the bookmarklet: the master password prompt is in plain text rather than masking your input with asterisks, and the bookmarklet could leave you high and dry if a site changes the domain on which their login form resides without you noticing. The first could be solved by extending the bookmarklet to append a “master password” field to the page using the DOM, while a solution to the second would require some kind of server-side store of the domains at which the initial accounts were created.
Quibbles aside, it’s an ingenious solution to a pervasive problem.
More recent articles
- AI for Data Journalism: demonstrating what we can do with this stuff right now - 17th April 2024
- Three major LLM releases in 24 hours (plus weeknotes) - 10th April 2024
- Building files-to-prompt entirely using Claude 3 Opus - 8th April 2024
- Running OCR against PDFs and images directly in your browser - 30th March 2024
- llm cmd undo last git commit - a new plugin for LLM - 26th March 2024
- Building and testing C extensions for SQLite with ChatGPT Code Interpreter - 23rd March 2024
- Claude and ChatGPT for ad-hoc sidequests - 22nd March 2024
- Weeknotes: the aftermath of NICAR - 16th March 2024
- The GPT-4 barrier has finally been broken - 8th March 2024
- Prompt injection and jailbreaking are not the same thing - 5th March 2024