By typing the master password into the destination form, then replacing it, the master is potentially revealed to any target site that might use JS/AJAX to view the password before form submission. So, this is not helpful against the "one bad (or compromised) site steals my master password" threat.
If SuperGenPass were to pop its own window, calculate the site-specific complex password, then insert that into the form, it could probably be safe -- but would still need very careful design. (Once a bookmarklet starts interacting with a page, it might reveal its internal state to that page.)
Yes, that is still a threat, and I would love to see SGP's algorithm make it into native addons for Firefox, Chrome, etc, triggered by a hotkey or toolbar button. However, my initial attempt fell flat when trying to wade through XUL, just didn't have enough time...
And if you're really that worried about a new site, the mobile version can be saved to your local disk and opened in a separate tab, and then copy-paste the generated password into the site in question.
You can always use the mobile version which IS a separate webpage that you type the domain and your password into and it generates your password (which you copy paste).
Looks interesting but my first thought is that if I want to access my gmail on someone else's computer I would need to install the firefox extension first.
It's just a bookmarklet, not an extension, and if you're not at your own computer, there's a "mobile" version that can be used from anywhere to generate the correct password.
I've memorized a few (non-genpass) passwords for sites that I regularly use from other computers -- gmail being one of them. I also use the mobile version which nuclear_eclipse mentioned.
I've been using PwdHash. It's basically the same thing, but it's a Firefox addon. It will automatically hash a password field with the domain if you start the password with "@@" or hit F2. It also has a bunch of guards to warn you if you're entering your password in a field that might be insecure.
I glanced over the JS source and didn't find any evidence that the site is malware. Unfortunately, that's about the best thing I have to say about the security of using this method.
1. The biggest negative is that there are no positives: as TimMontague already pointed out, you might as well just use phrase + password as your password. To anyone who knows about this site, the output is no more secure than the input.
2. The cipher used is laughably weak. Given a sufficiently large output string (and sufficiently large is not large at all), it's trivial to brute-force the seed used to generate the substitution chart and determine the input password.
Wow! I've actually been trying to come up with a secure, but easy-for-me-to-remember password scheme.
What I wanted to build was a password generator which takes a username and domain as inputs and spits out an pseudo-random passsword.
Something like: bgraves & ycombinator.com & salt = ybcgormabviensator#salt
The problem for me is that I use very hard to guess passwords, generated by my password database program (KeePass). Now I have no idea what those PW's are and rely solely on KeePass to keep track, which isn't available on my workplace PC (and, no, syncing my password DB between environments is not permitted.)
This site maybe what I was looking for, and it even looks like it's in JS to prevent most MitM attacks!
Provided that the code is intact when you initially retrieve it, that solves the MITM issue. But then you're tied to that computer, and if that's acceptable, then you're far better off just using a password-keeper that uses real crypto.
It depends what your defending against and what your original password is.
If the purpose is to turn a short password into something more secure it is pointless. As tptacek is always saying; Sha1 is cheap. It is trivial to incorporate it into an attack :)
Your better off choosing a random long sentence as your password. Easier to remember and much more secure.
I use a form of the Vigenère cipher cipher that is simple enough that I can 'get' my passwords with a pen and paper (I've had to do this before for public terminals), but is also made less cumbersome with a simple little utility.
It isn't cryptosecure or anything, obviously, but it works well for my purposes. I've never been entirely comfortable with using someone else's web site or a password database (well, I use a password database at home, for example, but I have to have access to passwords remotely).
I think this is in an incredibly bad way to create passwords, at any given moment they could swap out the js so that it phones home and then boom your insecure.
Hey folks - I'm the creator of passwordchart.com. A friend just alerted me to the submission here - I guess I picked the wrong day to try to get things done and ignore HN yesterday.
I built passwordchart.com four years ago after reading a comment on Slashdot. It got me thinking about building a simple form of a personal one time pad that could be regenerated via memorable phrase. The interactive password part is really just there to show how to use the chart.
Finally, for a data point for others wondering what a post on HN means for traffic, I normally get around 300 to 350 visitors per day. Yesterday there were 5623 visitors and so far today Google Analytics is reporting 1333 visitors.
Because that doesn't give you security if the site is compromised.
For example, if my Phase+password combination is RootGod+Facebook.com it wouldn't take very long for someone to realize that RootGod+Gmail.com would also likely work there.
I thought that the Password+Site combo assumed the usage of SHA1 or MD5, though I know that this doesn't work for some sites (with max password limits). Maybe CRC32 in those cases?
CRC32 is bad way to hash anything, if you want secure hash of some obscure length, just truncate output of say SHA-256 (by the way, SHA-224 is exactly this: truncated output of SHA-256).
I use long and complex mathematical/physics/chemistry formula as password. It's easy to remember, good to practice your memory and very hard to crack (since it contains letters, numbers and special chars).
Edit: just to be clear, the page linked above needs to be hosted on a server you trust and served by something like SSL. Do not use it directly over HTTP and expect some security.
This seems like too much work, to me. I'll stick with the "easy for you to remember, but difficult for others to guess" rule for making my passwords. I've never used password generators because I want to be able to log in away from home or work.
Why the hell one opens a website to choose password and serve it over clear-text (HTTP)?
Isn't that ironic? Trying to make something secure by actually making it totally insecure?
(Before someone jumps, even it's JS it doesn't mean safe against MITM as someone can inject JS before it loads and send all keystrokes to another server)
Seems like the real threat here is training a user that it's ok to use third party web sites to tell them what password to use. That's a very bad habit.
http://supergenpass.com