
Simon Willison’s Weblog

The bookmarklet solution to the password problem

Anyone who makes heavy use of the internet has run into the password problem: dozens of user accounts on sites of varying trustworthiness, leading to an unmanageable proliferation of username and password combinations. The temptation is to reuse the same combination on multiple sites, but doing so opens you up to the horrifying prospect of a security flaw in one site compromising all of your other accounts.

I was burnt by this a few years ago: a small community forum on which I was a member was cracked, and my account was then used to log in to another, larger forum to which I had administrator access. Thankfully no permanent damage was done, but it taught me a valuable lesson in password security. Since then I’ve maintained a number of different combinations, each with a different level of associated trust: if my account on Joe’s random forum is cracked it won’t lead to the compromise of my Amazon account!

Even different tiers of passwords aren’t ideal though, and that’s why Nic Wolff’s Password generator bookmarklet (via 43 Folders) has me so excited. Nic’s bookmarklet pops up a JavaScript prompt box asking for your “master” password, hashes it with MD5 together with the domain of the current login page, and inserts the resulting hash into any password fields on the page. A single master password can then be used for dozens of sites: each site only ever sees the hash derived for its own domain, so a compromise of one account does not hand an attacker the password for any other (provided the master password is strong enough that a leaked hash cannot be brute-forced back to it, since the domain half of the input is public). It’s brilliant.

There are a couple of minor flaws in the bookmarklet: the master password prompt shows your input in plain text rather than masking it with asterisks, and the bookmarklet could leave you high and dry if a site moves its login form to a different domain without you noticing, since a different domain means a different generated password. The first could be solved by extending the bookmarklet to append a masked “master password” field to the page using the DOM; a solution to the second would require some kind of server-side store of the domains at which the accounts were originally created.

Quibbles aside, it’s an ingenious solution to a pervasive problem.

This is The bookmarklet solution to the password problem by Simon Willison, posted on 6th September 2004.

27 comments

  1. Mozilla has support for this internally. Somewhere in the advanced options I believe.

    Anne - 6th September 2004 20:03 - #

  2. Mozilla's master password isn't really the same concept: it appears to act something like the OS X Keychain, securing all of the saved passwords from various accounts stored within the browser. The JavaScript bookmarklet generates passwords for every site automatically, while with a password saved within the browser you still have to come up with something every time you create an account. More importantly, a browser-based master password ties you to that browser, whereas the MD5 bookmarklet can be installed on multiple browsers - or calculated manually if bookmarklet installation isn't possible.

    Simon Willison - 6th September 2004 20:49 - #

  3. I use a similar approach, only different. I don't have a master password, I have an algorithm. Well, it's not so much an algorithm as it is a set of instructions. I generate a semi-unique password (unique in practice) by applying a set of rules, or instructions, based on the name of the website/service/whatever, and what kind of service/membership the login in question is used for (examples: forum, community, shopping, administration, general). That way, if I forget a password, I can figure it out, assuming that I know the name of the website/service and what kind of service/membership it is. Most of the time though, I'll remember the password, even though they are different on each website (I'm surprised). In fact, I usually have a harder time remembering what my login was.

    Tomas Jogin - 6th September 2004 21:21 - #

  4. All of which would be solved far better by sites using HTTP, rather than cookie-based, authentication, so that the internal Master Password Lists - IE's and Moz/Fx's - could do their jobs properly.

    Aquarion - 6th September 2004 21:51 - #

  5. Browser-stored passwords suck for a couple of reasons. Firstly, you still have to come up with a password for every site (the MD5/bookmarklet thing means you don't have to). Secondly, if you're stuck somewhere without your browser (or God forbid you lose your saved passwords somewhere) you're up a certain creek without a paddle. And as far as HTTP auth goes, it would be fantastic if it wasn't for the fact that no one thought to build logout functionality into the average browser. Of course, there's a Firefox extension but that isn't of much help to people in internet cafes stuck using IE.

    Simon Willison - 6th September 2004 22:12 - #

  6. Like, if you are not using your own computer (like in a cafe), how useful will that kind of master password or algorithm stuff be?

    Kan Chim - 6th September 2004 23:06 - #

  7. Kan: it'll work fine, you'll just have to use the online tool rather than the bookmarklet to calculate the hash.

    Simon Willison - 6th September 2004 23:17 - #

  8. Note that with this approach (MD5ing a master password with the domain), if somebody did somehow get access to your master password they would still be able to log into your account at any domain they want. It would be very important to keep the master password secret. If you were worried that somebody may have found out the master password, you would have no ability to change it.

    Additionally, it is my understanding of bookmarklets that they run their JavaScript code in the same scope as the web page. So, it might be possible for a malicious web site to use JavaScript to grab the password when you enter it, or at least to spoof the bookmarklet by using the same JavaScript as the bookmarklet.

    mmj - 7th September 2004 01:40 - #

  9. mmj, when Simon says that his password for the minor forum was compromised, I don't think he meant that somebody convinced him to spill the beans but that the password list for that site was stolen/cracked. If he had been using the MD5 bookmarklet, the crackers would have found his password to be something like 430d4a32aa7887c5487a889cb4f15a66, not very useful for cracking his Amazon account. The point of the MD5 bookmarklet is that the master password is never transmitted from the browser to a site; the only way to obtain this master password is through social engineering (assuming the online tool uses https, or another sufficiently secure encryption mechanism).

    Micah - 7th September 2004 04:48 - #

  10. Actually the online tool does not need encryption; it is just a page with the JavaScript built in rather than using a bookmarklet. For that very odd case where one has no access to JavaScript, one could write a CGI script that returns the generated password, but it would still not be linked to a user account for the site.

    I like the idea of using the DOM to add a master password field. My first thought was a 'horrid' pop-up form (like the online tool without the domain field) but beloved pop-up blockers could get in the way. I guess the ideal solution would be to replace the password field with the master password field and register an onSubmit event handler that would convert the password before sending the form. Actually if one could register the onSubmit safely, there would be no need for manipulating the password field until the form is submitted. I've never written a bookmarklet, so I don't know how feasible these solutions to the plain text master password field are. I'd probably implement this with levels of security passwords personally, then the right master password would be needed.

    David Robarts - 7th September 2004 08:15 - #

  11. Love it - a great idea and excellent use of JavaScript. Just used it to sign up to a couple of sites, and it seems to work like a charm. Opera users will have a problem using it - it needs to be run through a URL decoder before it will work - but otherwise a truly excellent tool.

    Dave Child - 7th September 2004 11:37 - #

  12. FYI, there's a program called PasswordSafe that was created for the creation and management of passwords in a secure fashion. It was first created by Bruce Schneier of Counterpane. Check it out at http://passwordsafe.sourceforge.net.

    Casey - 7th September 2004 15:07 - #

  13. There is a little problem: all of these tools would have to use the same (basic) algorithm, one that could be implemented in as many languages as possible. Then there wouldn't be problems creating a Firefox extension, or a desktop application (that we could carry on a USB device), all of them universal, and all giving the same result.

    For that, an "open algorithm" is necessary, so that those of us who want to write one of these applications have something to build on.

    xoan - 7th September 2004 23:27 - #

  14. The open algorithm used in this implementation.

    Jeremy Dunck - 8th September 2004 00:05 - #

  15. Another advantage of this password system is that it would be impossible to send the correct password to a phishing scheme.

    David Robarts - 8th September 2004 06:48 - #

  16. I am not talking about the MD5 algorithm itself, but about the method used to obtain a specific password for each site.

    Something like (in PHP, e.g.):

    <?php
    $master_pass = 'pass';
    $site_name = 'site'; // doubt (case-sensitive or not?)
    $conc = ''; // separator between the two parts, e.g. ':' or empty
    $length = 6;

    // hash master password + separator + site name, keep the first $length hex characters
    $site_pass = substr(md5($master_pass.$conc.$site_name), 0, $length);
    echo $site_pass;
    ?>

    This is one possible method :P. That way, if I wanted to implement it, I would have something to hold on to.

    xoan - 8th September 2004 18:31 - #

  17. I had been working on something similar last year. The site I was hosting it at is down right now, but an archive.org mirror is available. It also used the username to seed the hash (to make it more difficult to find the master password), and a change counter (for places that require you to change your password). I have a JavaScript bookmarklet implementation that I use.

    Brian Harnish - 9th September 2004 00:34 - #

  18. This is a couple lines of Python if you're away from a computer.
    #!/usr/bin/env python3
    # see http://angel.net/~nic/passwdlet.html and http://angel.net/~nic/passwd.html
    # by Lenny Domnitser - this is in the public domain
    # this doesn't handle quirky URLs, but it does the basics (usefuls)
    import getpass, hashlib, urllib.parse as urlparse
    passwd = getpass.getpass('Master Password: ')
    site = input('Site: ') # domain name or URL
    # a full URL (it contains ':') keeps its host in netloc, index 1; a bare domain name lands in path, index 2
    domain = urlparse.urlparse(site)[':' in site and 1 or 2]
    # md5(master + ':' + domain), first 8 hex characters, as the passwdlet does
    print(hashlib.md5((passwd + ':' + domain).encode('utf-8')).hexdigest()[:8])
    
    Bonus points to whoever takes input from a QUERY_STRING to make a CGI script.

    Lenny Domnitser - 9th September 2004 03:31 - #

  19. haha. stupid me. "away from a computer". make that away from a browser.

    Lenny Domnitser - 9th September 2004 03:33 - #

  20. I love urlparse.urlparse(site)[':' in site and 1 or 2] - idiomatic Python at its best :)

    Simon Willison - 9th September 2004 03:49 - #

  21. This bookmarklet has a security hole: a web page can see the password you type by redefining the prompt() function.

    _prompt = prompt; prompt = function (a) { x=_prompt(a); alert("Your answer to '" + a + "' was " + x); return x; }

    Possible fixes:

    • Turn the part of the bookmarklet that prompts for your password into an extension.
    • Somehow get an untainted prompt() function. (Components.interfaces.nsIDOMWindow? Components.lookupMethod?)
    • Hard-code your master password into the bookmarklet and make sure the function into which the password is hard-coded never leaks into the global scope.

    Jesse Ruderman - 11th September 2004 04:40 - #

  22. I still think that this idea is brilliant, but after looking at the code for the bookmarklet, I thought of some improvements:

    1. I would recommend using the b64_hmac_md5(key, data) function from Paj's crypt library or the b64_hmac_sha1(key, data) sha1 call. Reasons:
      • Hashing "domain:password" works, but the hmac function is better for things like that.
      • The Base64 version of the functions gives you more possibilities for each letter than the hex version, i.e. the base64 method crams more data into fewer letters.
      • md5 has recently been found to be slightly weaker than originally thought by using a collision attack, but md5 with hmac is not vulnerable. sha1 would probably be better though.
    2. One other improvement would be to use as many characters as the password field will allow. Longer passwords are better.

    Jason Edgecombe - 12th September 2004 17:33 - #

  23. Hi all! Jason mailed me the suggestions in his last comment, and a link back to here. Thanks for your interest in the passwdlet, and your excellent and well-informed comments, none of which I'm likely to take action on soon because I'm in crunch mode on a site rollout. But, I claim no rights to the code so please do anything you want to it.

    Jesse, that overloading hack is mighty clever - I didn't know you could do that! I do generally use a hard-coded master password - are you suggesting that a page could overload the doIt() function and somehow interrogate it for the value of a var declared within? Yikes. And what do you mean by "extension" in that context?

    Dave, can you clarify about the Opera problem? Is it one that could be rectified by my URL-encoding the passwdlet more carefully?

    Nic Wolff - 17th September 2004 01:09 - #

  24. I can see a little problem with using the domain of the current page in the hash. It is possible that one company shares a user DB for two domains (say A9.com and amazon.com). The A9/Amazon example actually works, because the authentication page for A9 is on amazon.com.

    But if you navigate to Nic Wolff's page using angel.net or www.angel.net you get different hashes... which is broken imo.

    Julien Couvreur - 24th September 2004 23:01 - #

  25. I finally got around to toying with this again. I've modified the bookmarklet to read in the master password from the password field itself. I've modified the regular expression to cut out the www. part of the domain if present. And I've called b64_hmac_sha1(key, data) to generate the hash. The result is truncated to the length of the master password and replaces it in the password field. All password fields are cycled through, so this should work for a change password form as well - enter old master password, enter new master password, reenter new master password, run the bookmark. One gotcha is that if the bookmarklet is run a second time the password is changed again. To change a password that has not been hashed, enter the master password in fields to hash, run the bookmarklet, enter the plain password. I would prefer to be able to hash only the field that has focus, but I can't figure out how to do that. For cases where the domain may be different I've made a version that prompts for the domain name.

    David Robarts - 16th February 2005 08:01 - #

  26. @Jesse's overload hack can be prevented in Mozilla by disabling the ability for websites to overload window.prompt by setting the following Mozilla preference in the "user.js" file:

    user_pref("capability.policy.default.Window.prompt.set", "noAccess");

    Nathar Leichoz - 22nd March 2005 09:23 - #

  27. The master password idea is excellent. But, there is a flaw when it comes to password updating. Updating passwords on a frequent basis should be a requirement for any security-conscious person. If I update my password on a site, with the current implementation of master password, I need to maintain a list of what the master password was at the time I last changed passwords for a site. With many of us having over 100 sites to maintain passwords for, it seems to me like we will once again be in the "send me my password so I can change it" mode that I have seen so many of my clients using.

    Tony Julian - 27th April 2006 07:40 - #


Previously hosted at http://simon.incutio.com/archive/2004/09/06/problem
