Perfect Passwords – with ease


Update!
iPhone/iPod Touch version now in active development. Well, as active as possible given my other work commitments. Coming very soon, I hope! Most of the work is in figuring out how to play nicely with the XCode development environment and finding my way around the iPhone API libraries, but I can’t imagine it’ll take too long. Watch this space. If you’d like to be in on the alpha testing, please drop me a comment here and I’ll get back to you shortly.

Update!
The Windows 7 Desktop Gadget is now functional! Still working out how to package it for distribution, though. And it’s butt-ugly (any volunteers to beautify it?). But it works.

It probably also works as a Vista Sidebar Gadget too, as the framework is the same, but I’m lucky enough to have avoided Vista so far.

Watch this space for another update, when I’ll announce the public release. In the meantime, if you’re desperate, leave me a comment and I’ll send you all the source.


Update! The PswGen toolbar for Firefox is now available on the Mozilla Addons site.

I’d appreciate any feedback; preferably on the PswGen addon page on the Mozilla site, but feel free to leave comments here if you’d like a personal reply (Mozilla doesn’t supply contact details). Note that the addon is currently still in the “experimental” sandbox, so you may have to register or login to the Mozilla site before you’ll be allowed to install it.

This is really simple to use. Enter your name, your favourite password and number into the toolbar. Switch on the “follow me” mode (you’ll find it in the Options of the addon), and as you move around the web (or even between tabs within the browser), it will generate a high-security password for you, ready to use. Click the “Copy” button to send it to the clipboard, then paste it wherever you need it.


The PswGen project is unfunded. If you’d like to help out, you can make a donation:



Update! The standalone Windows executable is now available to download at PswGen for Windows (106).


Update! The web service is now available at http://pwd.pembi.net


Where it all started…
PswGen: Ken's Password Generator
(and no, that’s not my real password there!)

This page originally appeared as a blog posting, but PswGen has since evolved into something approaching “product” status, so I thought a proper page might be appropriate to track progress, releases, etc.

When I wasn’t in bed with the dreaded lurgy a few weekends back, I was playing with Python a bit more. The result? The first official public release of my password generator program, PswGen. Really it’s nothing more than a GUI onto the Python back-end I talked about recently when I started learning Python. I’ve continued down the Python road here, so if you’re on Windows, download and run the Python installer first. Contemporary Mac and Linux desktops all include Python as standard. You’ll also need the wxPython widget library, which enables the windowed controls; check whether your distribution needs it.

Once you’ve got Python up and running (don’t panic, it’s very lightweight, easy to install and not intrusive), download the PswGen zip file:

Perfect Passwords (94)

Unpack it to somewhere on your hard drive, then create a desktop shortcut to the PswGen.py file. TIP for Windows users: rename the main program file PswGen.py to PswGen.pyw – this forces Python to run “windowed” and kills the otherwise annoying command prompt box. For added convenience, drag a copy of that shortcut onto your quick-launch bar.

A bit more information about what this does: It uses your input values to create a highly-secure hash code, which is then used to look up character values from a string of easily-entered and confusion-resistant options. The password generated in this way appears to be random rubbish. Change one character of one of the inputs, and the entire password changes. These passwords are extremely resistant to dictionary attacks, social-engineering educated guesses, and brute-force cracks. Also, because you never need to actually type them (cut & paste to your heart’s content!), you’re even protected against keyloggers. Ain’t that cool?
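The derivation described above, as an added example that is not PswGen's own code: the hash (PBKDF2-HMAC-SHA256), the alphabet, the iteration count and all function and parameter names are assumptions, since this page does not show PswGen's internals. It also rejects biased bytes so every character of the alphabet is equally likely.

```python
import hashlib
import hmac

# Assumed alphabet: look-alike characters (0/O, 1/l/I) are left out so the
# result is easy to read and retype. PswGen's real character string is not
# shown on the page.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def derive_password(name, secret_word, secret_number, site,
                    length=16, iterations=200_000):
    """Deterministically derive a per-site password from the user's inputs."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [name, secret_word, str(secret_number)]
    key = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )
    # The site name acts as the salt, giving each site an unrelated password.
    salt = site.strip().lower().encode()
    # A slow KDF raises the cost of guessing the secret word offline when
    # one derived password has leaked (the iteration count is an assumption).
    seed = hashlib.pbkdf2_hmac("sha256", key, salt, iterations)

    # Bytes >= limit are discarded; using them would favour the first
    # 256 % len(ALPHABET) characters (modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    out = []
    counter = 0
    while len(out) < length:
        # Expand the seed into as many bytes as needed, one HMAC block at a time.
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)


def differing_positions(a, b):
    """Count character positions at which two equal-length passwords differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("ken", "correct-horse", 4821, "example.com"))
    print(derive_password("ken", "correct-horsf", 4821, "example.com"))
```

The same inputs always give the same password, so nothing needs to be stored; the strength of the result still depends on how hard the secret word and number are to guess.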

NONE of the information you enter is recorded. It is NEVER sent over the net or written to the disk by this code. This is one of the reasons that source code is supplied – you don’t have to take my word for it. Check the code yourself. Change it, if you like.

What’s next?

Don’t expect lightning progress; this is a hobby-project that I spend half an hour on every now and again.

In the meantime, I hope this is of value to you. If you do use it, I’d very much appreciate your comments and feedback. The code is licensed under the GPL which basically means you can use it for free, modify it, copy it, distribute it, give it away… just about anything you like provided you don’t make money from it. And give credit where due! Full source code is included. If you happen to be a Python expert and have some tips to offer, I’d love to hear those too.

And a final word if you do decide to use this: as handy as it is, PswGen is not the beginning and the end of your security philosophy. Ultra-high security requirements call for multi-factor authentication, and while PswGen can certainly help with one factor, don’t neglect the others. Also, don’t forget to change your passwords occasionally. Log on to each site in turn, using PswGen to supply the existing password, then ask the site to change your password. Now go back to PswGen and change just the secret word and/or number, and you’ll have a completely different password that isn’t remotely related (visually) to the old one.

I must say, this has been something of a journey for me. It started off as an idle idea, then an experiment in learning Python. I’ve since had to re-deploy in pure PHP as my web host’s version of Python is too old, and again in JavaScript as a Firefox add-in. The Windows .exe version is in Delphi, and for the WM and iPhone variants I’ll probably need C. Not bad for a project that was supposed to be all Python. –sigh–


Comments

(note that I haven’t installed it — I’ve just looked at this page and the firefox addon page so far …)

You may want to mention the web version and the other systems on the firefox page.

BTW, having studied theoretical computer science, the concepts discussed above seem very strong indeed. The only weakness that I can see is in the key (“general-purpose password and secret-number”)

If a cracker knows you are using this system, they could use that to run a dictionary or other brute force attack on the key entered; this would be only slightly harder than doing it for a normal password. They could also set up a fraudulent site, and use your password there to run an off-line dictionary attack and discover your key.

As long as ONE of the following is true you are safe however: you use a secure key with sufficient entropy; no one knows or suspects that you use this system; no one is determined enough to jump through the extra couple of hoops just to attack you and other users of this system.

Definitely an interesting solution to what is a really tricky problem.

Let me know if you have any further thoughts once you’ve used it a bit? All feedback welcome!
