“Hi Ken, as with traditional books, the RRP of each eBook title is dictated by the publisher of the eBook. Waterstone’s is working with all publishers to agree what is the appropriate price for an eBook and in the meantime, we discount as many eBook titles as possible to try and offer the best possible value to our customers. A long way from perfect, we know, but hopefully there will be changes in the near future. Kate”

Thanks, Kate. And Waterstone’s. I appreciate the time taken to reply. And good luck in your arm-wrestling with the publishers. Unless and until the powers-that-be have a serious pricing re-think, eBooks remain an interesting idea for slightly eccentric people. And that’s a great pity.

You may want to mention the web version and the other systems on the firefox page.

BTW, having studied theoretical computer science, the concepts discussed above seem very strong indeed. The only weakness that I can see is in the key (“general-purpose password and secret-number”)

If a cracker knows you are using this system, they could use that to run a dictionary or other brute force attack on the key entered this would be only slightly harder than doing it for a normal password. They could also set up a fraudulent site, and use your password there to run an off-line dictionary attack and discover your key.

As long as ONE of the following is true you are safe however: you use a secure key with sufficient entropy; noone knows or suspects that you use this system; noone is determined enough to jump through the extra couple of hoops just to attack you and other users of this system.

Definitely an interesting solution to what is a really tricky problem.

I don’t quite follow your Exceptions issue, though. PswGen doesn’t remember any passwords or auto-fill them for you, it only helps generate them.

Also please note that this post is pretty historical by now, PswGen has its own project page (links in the main post) which is a lot more current.

Thanks for your comments, they are appreciated.

You don’t have to enter the static data at the start of a session. The toolbar just quietly sits there waiting for you, feel free to ignore it! This will become clear when you start using it.

I agree with your “good enough” sentiment, and will consider adding to a future version.

I wasn’t suggesting that the static data should persist across sessions. What I meant was that it should be entered the first time in a session where a password is required, not at the very start of the session. I think it’d be an improvement in usability that wouldn’t compromise security.

Finally, I think that maybe two of the three static fields (name, secret word, secret number) should be optional, and users should be warned about the security implications of using just one. I believe that it’s better to have “good enough” security that people use 90% of the time, than having excellent security that people use 20% of the time.

Thanks for you reply and keep up the good work.

I did think about having the static data persist across sessions, but that breaks your security – if anybody else has access to your browser, they’ll also have access to all your services. So for now at least, you’ll have to enter those details every time you start the browser.

The name, secret word and secret number are all used to seed the hash, and the more it has to work with, the better the result. I guess you could just get away with the site name and one other factor, but I chose to go for as much input variance as possible. This also makes is simple to update your passwords once a month, say. Log in to each site or service in turn, then change ONE factor (the secret number, for example) and update the site password. All you have to remember for the next month is the new secret number.

Thanks for your comments and suggestions, always much appreciated. Let me know how you get on with it once you’ve upgraded your Firefox.

I’m surprised no one has left comments about your add-on until now. While I haven’t tried it because I haven’t made the switch to Firefox 3.5 yet, it looks very useful.
I’ll probably be testing it when I install Firefox 3.5 and I’ll let you know what I think about it.
However, I already have a question and a suggestion to make. Question first:
- What do you use to create each site’s unique password? The domain name? The URL? Something else? I wonder because there are times that you may end up at the same website but the URL looks different (think those dynamically generated URLs with parameters) so using the URL may not be the best alternative. But you may have already thought this out.
Suggestion:
- Is there a chance to only have to enter the name and password the first time a password is needed instead of every time Firefox starts? Maybe with a toolbar button that displays a dialog? And why is the name needed? Shouldn’t a (long enough) password be enough?

Thank you