Simon Willison’s Weblog


The bookmarklet solution to the password problem

6th September 2004

Anyone who makes heavy use of the internet has run in to the password problem: dozens of user accounts on sites with varying degrees of trustability, leading to an unmanageable proliferation of username and password combinations. The temptation is to use the same combination on multiple sites, but doing so opens you up to the horrifying prospect of a security flaw in one site compromising al of your other accounts.

I was burnt by this a few years ago: a small community forum on which I was a member was cracked, and my account was then used to log in to another larger forum to which I had administrator acccess. Thankfully no permanent damage was done, but it taught me a valuable lesson in password security. Since then I’ve maintained a number of different combinations each with a different level of associated trust: if my account on Joe’s random forum is cracked it won’t lead to the compromise of my Amazon account!

Even different tiers of passwords aren’t ideal though, and that’s why Nic Wolff’s Password generator bookmarklet (via 43 Folders) has me so excited. Nic’s bookmarklet pops up a JavaScript prompt box asking for your “master” password, then MD5s it against the domain of the current login page and inserts the resulting hash in to any password fields on the page. A single password can be used for dozens of sites without any risk of a compromise of one account affecting the others. It’s brilliant.

There are a couple of minor flaws in the bookmarklet: the master password prompt is in plain text rather than masking your input with asterisks, and the bookmarklet could leave you high and dry if a site changes the domain on which their login form resides without you noticing. The first could be solved by extending the bookmarklet to append a “master password” field to the page using the DOM, while a solution to the second would require some kind of server-side store of the domains at which the initial accounts were created.

Quibbles aside, it’s an ingenious solution to a pervasive problem.

This is The bookmarklet solution to the password problem by Simon Willison, posted on 6th September 2004.

Next: Command line blacklisting

Previous: How to track an RSS feed

Previously hosted at