PswGen Toolbar Updated

v0.9.3 is now available on the Mozilla Addons site at https://addons.mozilla.org/en-US/firefox/addon/13261

This version includes functional Options at last – you can now switch the “Follow Me” feature off if you want to, and I’ve added a “Hide Password” toggle so that not only do you never need to type your passwords in, they’re not even shown on the screen any more.

Be aware that there is a bug with the way new “experimental” add-ons are handled on the add-ons site: they show an “invalid file hash” error when installing unless you first log in to the add-ons site. This is NOT a fault with the add-on itself, regardless of what the message says.


Comments

Hi there!

I’m surprised no one has left comments about your add-on until now. While I haven’t tried it because I haven’t made the switch to Firefox 3.5 yet, it looks very useful.
I’ll probably be testing it when I install Firefox 3.5 and I’ll let you know what I think about it.
However, I already have a question and a suggestion to make. Question first:
- What do you use to create each site’s unique password? The domain name? The URL? Something else? I wonder because there are times that you may end up at the same website but the URL looks different (think those dynamically generated URLs with parameters) so using the URL may not be the best alternative. But you may have already thought this out.
Suggestion:
- Is there a chance to only have to enter the name and password the first time a password is needed instead of every time Firefox starts? Maybe with a toolbar button that displays a dialog? And why is the name needed? Shouldn’t a (long enough) password be enough?

Thank you

I trim the URL as much as I sensibly can, knocking off the “www.” if it’s there, and removing the TLD bits and anything after the main URL, so for example, “www.amazon.co.uk/this/that” and “www.amazon.com/the/other” will both resolve down to “amazon”. This is then combined with the three static fields entered by the user and fed into a high-strength hashing routine, the result of which is then used to generate the password.

I did think about having the static data persist across sessions, but that breaks your security – if anybody else has access to your browser, they’ll also have access to all your services. So for now at least, you’ll have to enter those details every time you start the browser.

The name, secret word and secret number are all used to seed the hash, and the more it has to work with, the better the result. I guess you could just get away with the site name and one other factor, but I chose to go for as much input variance as possible. This also makes it simple to update your passwords once a month, say. Log in to each site or service in turn, then change ONE factor (the secret number, for example) and update the site password. All you have to remember for the next month is the new secret number.

Thanks for your comments and suggestions, always much appreciated. Let me know how you get on with it once you’ve upgraded your Firefox.

That’s a sensible approach (trimming down to just the domain name without TLD), but it could lead to a slight decrease in security because the password generated for http://www.amazon.com will be the same as the one for http://www.amazon.co.uk.
Probably pretty harmless, I honestly can’t think of a situation where that could be a problem, but it’d be an exception to the feature of having different passwords for different websites.

I wasn’t suggesting that the static data should persist across sessions. What I meant was that it should be entered the first time in a session where a password is required, not at the very start of the session. I think it’d be an improvement in usability that wouldn’t compromise security.

Finally, I think that maybe two of the three static fields (name, secret word, secret number) should be optional, and users should be warned about the security implications of using just one. I believe that it’s better to have “good enough” security that people use 90% of the time, than having excellent security that people use 20% of the time.

Thanks for your reply and keep up the good work.

Yeah I’m not entirely comfortable with the situation of amazon.com and amazon.co.uk having the same password, and I’m not convinced I made the right decision there. But as you say, it’s harmless, and does keep things tidy.

You don’t have to enter the static data at the start of a session. The toolbar just quietly sits there waiting for you; feel free to ignore it! This will become clear when you start using it.

I agree with your “good enough” sentiment, and will consider adding it to a future version.
