Password Chart (passwordchart.com)
81 points by superberliner on March 1, 2010 | hide | past | favorite | 41 comments



SuperGenPass is a much better, simpler, and safer alternative, IMO.

http://supergenpass.com


By typing the master password into the destination form, then replacing it, the master is potentially revealed to any target site that might use JS/AJAX to view the password before form submission. So, this is not helpful against the "one bad (or compromised) site steals my master password" threat.

If SuperGenPass were to pop its own window, calculate the site-specific complex password, then insert that into the form, it could probably be safe -- but would still need very careful design. (Once a bookmarklet starts interacting with a page, it might reveal its internal state to that page.)


Yes, that is still a threat, and I would love to see SGP's algorithm make it into native addons for Firefox, Chrome, etc, triggered by a hotkey or toolbar button. However, my initial attempt fell flat when trying to wade through XUL, just didn't have enough time...

And if you're really that worried about a new site, the mobile version can be saved to your local disk and opened in a separate tab, and then you can copy-paste the generated password into the site in question.


You can always use the mobile version which IS a separate webpage that you type the domain and your password into and it generates your password (which you copy paste).

http://supergenpass.com/mobile/

Although this still requires that you trust supergenpass.com to not change the javascript it is serving you into something malicious.


It constantly surprises me that supergenpass hasn't caught on more with geeks. It's a pretty elegant solution to a problem everyone has.


Looks interesting but my first thought is that if I want to access my gmail on someone else's computer I would need to install the firefox extension first.


It's just a bookmarklet, not an extension, and if you're not at your own computer, there's a "mobile" version that can be used from anywhere to generate the correct password.


I've memorized a few (non-genpass) passwords for sites that I regularly use from other computers -- gmail being one of them. I also use the mobile version which nuclear_eclipse mentioned.


I've been using PwdHash. It's basically the same thing, but it's a Firefox addon. It will automatically hash a password field with the domain if you start the password with "@@" or hit F2. It also has a bunch of guards to warn you if you're entering your password in a field that might be insecure.

https://www.pwdhash.com/


If you're worried about browser security, there's a command-line reimplementation in python that a friend and I wrote:

http://github.com/gfxmonk/supergenpass

Less convenient, but much less likely to leak your passwords via the browser...


1Password is quite good for the Mac: http://agilewebsolutions.com/products/1Password

It integrates well with Firefox & Safari, and will sync over wi-fi to an iPhone for an encrypted backup.



Nice! This is pretty much exactly what I was looking for!


I glanced over the JS source and didn't find any evidence that the site is malware. Unfortunately, that's about the best thing I have to say about the security of using this method.


What are some negatives to using a security method like this?

In my mind, it's just a way to come up with "hard to guess, but easy to remember" passwords.


1. The biggest negative is that there are no positives: as TimMontague already pointed out, you might as well just use phrase + password as your password. To anyone who knows about this site, the output is no more secure than the input.

2. The cipher used is laughably weak. Given a sufficiently large output string (and sufficiently large is not large at all), it's trivial to brute-force the seed used to generate the substitution chart and determine the input password.

3. See my other comment on MITM attacks.


Use undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined as your password.

That happens if Cookies are disabled.


Wow! I've actually been trying to come up with a secure, but easy-for-me-to-remember password scheme.

What I wanted to build was a password generator which takes a username and domain as inputs and spits out a pseudo-random password.

Something like: bgraves & ycombinator.com & salt = ybcgormabviensator#salt

The problem for me is that I use very hard to guess passwords, generated by my password database program (KeePass). Now I have no idea what those PW's are and rely solely on KeePass to keep track, which isn't available on my workplace PC (and, no, syncing my password DB between environments is not permitted.)

This site may be what I was looking for, and it even looks like it's in JS to prevent most MitM attacks!

Thanks HN!!


> even looks like it's in JS to prevent most MitM attacks!

The JS is delivered over cleartext HTTP. A MITM attack can substitute malicious JS code that will deliver your password to a third-party server.


Not if you just save the JS file to your local machine, right? There's no HTTP involved in that case (which is precisely how I intended to use it).


Provided that the code is intact when you initially retrieve it, that solves the MITM issue. But then you're tied to that computer, and if that's acceptable, then you're far better off just using a password-keeper that uses real crypto.


Sounds like you might be looking for PwdHash: https://addons.mozilla.org/en-US/firefox/addon/1033


Another easier and more secure way is to use a SHA-1 hash of every password you generate and just use that as your password.


It depends what you're defending against and what your original password is.

If the purpose is to turn a short password into something more secure, it is pointless. As tptacek is always saying: SHA-1 is cheap. It is trivial to incorporate it into an attack :)

You're better off choosing a random long sentence as your password. Easier to remember and much more secure.
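To make the "SHA-1 is cheap" point concrete, here is an added example (not code from the thread or from any of the tools mentioned): a site password is derived as SHA-1 of master + domain, one derived value leaks (say from a breached site), and an attacker who knows the scheme and the domain simply hashes a mangled wordlist until it matches. The wordlist and mangling rules are a constructed toy; a real cracker uses millions of entries and the same approach, only faster.

```python
import hashlib


def derive_sha1(master: str, domain: str) -> str:
    """The scheme under discussion: site password = hex SHA-1 of master + domain.
    This is a construction for the example, not any specific tool's algorithm."""
    return hashlib.sha1(f"{master}{domain}".encode("utf-8")).hexdigest()


# Constructed, tiny stand-in for a real wordlist (a cracker ships millions of entries).
BASE_WORDS = ["password", "letmein", "summer", "winter", "dragon", "monkey"]
SUFFIXES = ["", "1", "123", "2009", "2010", "!"]


def candidates():
    """Wordlist plus the mangling rules a cracker applies: case variants and suffixes."""
    for word in BASE_WORDS:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield variant + suffix


def candidate_space() -> int:
    """Size of the search space the toy wordlist covers."""
    return sum(1 for _ in candidates())


def recover_master(site_password: str, domain: str, max_tries: int = 10**6):
    """Given one derived password and the (public) domain it was used on,
    try candidates until SHA-1(candidate + domain) matches.
    Returns (master, tries) on success, (None, tries) if the space is exhausted."""
    tries = 0
    for guess in candidates():
        tries += 1
        if derive_sha1(guess, domain) == site_password:
            return guess, tries
        if tries >= max_tries:
            break
    return None, tries


if __name__ == "__main__":
    # A weak master: found after a few dozen hashes. Hashing faster does not help the victim.
    leaked = derive_sha1("Summer2010", "example.com")
    print(recover_master(leaked, "example.com"))
    # A long random sentence as the master: not in any wordlist, so the attack exhausts.
    leaked = derive_sha1("the cauldron sings of eleven damp lanterns", "example.com")
    print(recover_master(leaked, "example.com"))
```

The hash adds no security beyond what the master already has: the only quantity that matters is the size of the space the attacker has to search, which is why the long sentence survives and "Summer2010" does not.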


I use a form of the Vigenère cipher that is simple enough that I can 'get' my passwords with a pen and paper (I've had to do this before for public terminals), but is also made less cumbersome with a simple little utility.

It isn't cryptosecure or anything, obviously, but it works well for my purposes. I've never been entirely comfortable with using someone else's web site or a password database (well, I use a password database at home, for example, but I have to have access to passwords remotely).


I think this is an incredibly bad way to create passwords; at any given moment they could swap out the JS so that it phones home, and then boom, you're insecure.


It's incredibly simple to save the JS files + HTML file to your local machine and run it locally.


Or create an iphone/android app for yourself.


Hey folks - I'm the creator of passwordchart.com. A friend just alerted me to the submission here - I guess I picked the wrong day to try to get things done and ignore HN yesterday.

I built passwordchart.com four years ago after reading a comment on Slashdot. It got me thinking about building a simple form of a personal one-time pad that could be regenerated via a memorable phrase. The interactive password part is really just there to show how to use the chart.

Finally, for a data point for others wondering what a post on HN means for traffic, I normally get around 300 to 350 visitors per day. Yesterday there were 5623 visitors and so far today Google Analytics is reporting 1333 visitors.


Why not just use the phrase+password as a password?


Because that doesn't give you security if the site is compromised. For example, if my Phrase+password combination is RootGod+Facebook.com, it wouldn't take very long for someone to realize that RootGod+Gmail.com would also likely work there.


I thought that the Password+Site combo assumed the usage of SHA1 or MD5, though I know that this doesn't work for some sites (with max password limits). Maybe CRC32 in those cases?


CRC32 is a bad way to hash anything; if you want a secure hash of some odd length, just truncate the output of, say, SHA-256 (by the way, SHA-224 is exactly this: truncated output of SHA-256).


I use long and complex mathematical/physics/chemistry formulas as passwords. It's easy to remember, good to practice your memory and very hard to crack (since it contains letters, numbers and special chars).


Ugh, garbage. Use an HMAC with a master password and a parameter (e.g. the site name) to generate a site-specific password. Forget about shitty crypto.

My humble attempt (based on others work): http://python.ca/nas/tmp/pw.html

Edit: just to be clear, the page linked above needs to be hosted on a server you trust and served by something like SSL. Do not use it directly over HTTP and expect some security.
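As an added example of the HMAC approach suggested above (this is not the linked pw.html, nor SuperGenPass or PwdHash; all names and the fixed salt label are assumptions for this example), the block below derives a site-specific password from a master and a domain, and also covers the length-limit point raised earlier in the thread by truncating the encoded output rather than reaching for CRC32. It goes one step beyond a bare HMAC: the master is first stretched with PBKDF2 so that an attacker holding one derived password still pays a per-guess cost when searching for the master.

```python
import base64
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000      # slows offline guessing of the master; tune to ~100 ms on your machine
SCHEME_LABEL = b"sitepw-v1"  # assumed, public salt: there is no per-user secret to store anywhere


def normalize_domain(host: str) -> str:
    """Lower-case and drop a leading 'www.' so www.Example.com and example.com agree.
    Assumed rule for this example; sites that log in on several hostnames need a deliberate policy."""
    host = host.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def stretched_key(master: str) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master. Done once per derivation here; a real
    tool would cache the result for the session so the cost is paid once."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), SCHEME_LABEL, PBKDF2_ROUNDS)


def site_password(master: str, domain: str, length: int = 16) -> str:
    """HMAC-SHA256(stretched master, normalized domain), base64url-encoded and cut to
    the site's length limit. Truncation keeps a prefix, so each dropped character
    costs 6 bits of the 256 available; 16 characters leave 96 bits."""
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 (43 base64 chars carry all 256 bits)")
    tag = hmac.new(stretched_key(master),
                   normalize_domain(domain).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    for site in ("www.Example.com", "example.com", "example.org"):
        print(site, site_password("correct horse battery staple", site))
    print("12-char variant:", site_password("correct horse battery staple", "example.com", 12))
```

Two properties worth checking against any such scheme: the same master gives unrelated outputs for different domains (so a compromised site learns nothing about the others), and a one-character change in the master changes every output. The base64url alphabet includes `-` and `_`; a site that rejects those needs a different encoding step, not a weaker hash.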


This seems like too much work, to me. I'll stick with the "easy for you to remember, but difficult for others to guess" rule for making my passwords. I've never used password generators because I want to be able to log in away from home or work.


See also PasswordMaker: it has extensions supporting several browsers and a JavaScript version as well.

PasswordMaker uses your password and the website domain name to generate a unique password.

http://passwordmaker.org/


Not quite sure, but I'm assuming this is recommended for local system passwords, rather than web based passwords?

I can't imagine actually getting people to remember (and enter) strings like p?7J9JJ4M^E97J*J7J into a password field.

Or am I using it incorrectly?


"Use EJCKVpVpqdGUDCQgHVwWkc as your password."

Yeah, I don't think so somehow.


Why the hell would one open a website to choose a password and serve it over clear-text (HTTP)?

Isn't that ironic? Trying to make something secure by actually making it totally insecure?

(Before someone jumps in: even if it's JS, that doesn't mean it's safe against MITM, as someone can inject JS before it loads and send all keystrokes to another server.)


Seems like the real threat here is training a user that it's ok to use third party web sites to tell them what password to use. That's a very bad habit.



