labs.zarate.org: password generator

by chris zarate

Synopsis: Instead of using the same “master” password at every website you visit—potentially exposing all your accounts when one is compromised—the tool below lets you combine your “master” password with a one-way algorithm (MD5) to create a unique, complex password for each website you visit. And unlike other password generators, this version ignores subdomains, ensuring you get the same password for both http://www.domain.com/ and http://login.domain.com/.

[Form: generate a password (mobile version). Fields: Master password, Site URL. Show advanced options. Output: Your password will appear here.]


Bookmarklet: Use the tool below if you want an “on-the-go” password generator. It will help you create a personalized bookmarklet—that is, a link that you can add to your bookmarks or favorites and use in any JavaScript-capable web browser. Please e-mail me if you have any trouble with this tool.

[Form: build your bookmarklet. Choose your browser: Firefox/Safari/Opera or Internet Explorer. Choose your level of security: Safest (enter your master password each time you use the bookmarklet) or Convenient (hardcode your master password into the bookmarklet). Show advanced options. Output: Your bookmarklet will appear here.]


what makes this tool different

Nic Wolff made an excellent password generator, using a JavaScript implementation of MD5. You type your master passphrase and it creates unique passwords for each secure website you visit. Very cool. However, I found it wanting in one major way: it generates different passwords for different subdomains of the same website. Since many sites have multiple login points spanning two or more subdomains, it became unusable for me. I altered it to take into account just the primary domain name, i.e., “domain.com”. Therefore, with this tool, http://www.domain.com, http://login.domain.com, and http://domain.com will all result in the same password. While this is probably undesired behavior for some websites out there (though I can’t think of one at present), it suits me fine.

Important: My version is not compatible with Nic’s or (likely) anyone else’s. If you’ve already made passwords with someone else’s tool, you should stick with it or recreate all your passwords. If you’re new to this, though, you’re fine.

Thanks to Nic for the original version. Thanks also to Tim Cuthbertson for pointing out that this tool originally did not take into account second-tier top-level domains like “co.uk” or “eu.com.” It now does, although the implementation is not perfect. Basically, it checks against a hardcoded list of known (to me) second-tier top-level domains. That list is here.

Thanks also to Luke for suggesting the cached version, and to Erik for inspiring the bookmarklet builder.

comments (25)

Lisa, one day later (link):

When the bookmarklet asks for your master password, do you really want to echo it “in the clear” (not echoing it as asterisks)? There seems to be a difference between the bookmarklet and the html version.


Chris Zarate, seventy-five minutes later (link):
In reply to: Lisa ↑ 

Unfortunately, JavaScript does not allow you to mask user input on its dialog boxes. So yes, the bookmarklet has that disadvantage. But it’s not transmitting your password anywhere, so as long as no one is looking over your shoulder you’ll be fine.


Ralph, seventeen hours later (link):

would be nice, if the user could choose the password length, and what characters (upper- lowercase) and if numbers should be included…


Chris Zarate, one hour later (link):
In reply to: Ralph ↑ 

Ralph, as far as the HTML form goes, good idea; I'll work on that.

As for the bookmarklet, one can edit the script to achieve this. I'd prefer not to ask the user each time for length and case preference … it would make its use cumbersome. If you'd like help altering the bookmarklet, just e-mail me.


Chaim Krause, one day later (link):

Thank you for the bookmarklet.


Chaim Krause, sixty-nine minutes later (link):

I have begun to use your bookmarklet on my home computer to generate passwords. For a moment I was worried that I wouldn't be able to login to websites when not at my home computer, then I remembered your HTML page version. But then I worried that I wouldn't be able to remember the URL when I didn't have it bookmarked. So I came up with a little workaround.

First I created a button. button

Then I put the button on my home page and linked it to your HTML page version, since I hope I can remember the URL to my own homepage. :-)


Chris Zarate, sixty-six minutes later (link):
In reply to: Chaim Krause ↑ 

Chaim, that looks great! With your permission, I'll add the button to the labs.zarate.org page.


Chaim Krause, nine hours later (link):
In reply to: Chris Zarate ↑ 

Please go right ahead and do so.


Levi Wallach, thirteen hours later (link):

This is so much easier than having a password management application. My main concern involves the html form for when you are not on your own browser, or on one that doesn't allow bookmarklets (I use Blazer on my Treo 650 for example). The problem I see is that you are passing your master password to the form on your page unencrypted, which seems to be a security issue itself. Does this make sense? Can you think of a way around it?


Levi Wallach, forty-nine minutes later (link):

Oops, never mind! I just figured out that this is simply a chunk of JavaScript code that you can download and run locally on any JavaScript-compliant browser. Blazer can save pages for offline viewing, so I tried it out. Disabled the phone so I knew it wasn't connecting anywhere to transmit the info, and then entered info into the form and voila! Pretty cool. Now the only problem is trying to figure out all the sites that I have passwords on so that I can change them. There must be over a hundred at this point! Ugh!


Mike Arms, three days later (link):

Hi, Chris.

I'm by no means a Javascript expert, but is there any reason why we shouldn't see the bookmarklet without all of the char to %[\dA-F][\dA-F] encoding? I get nervous when I see nothing but encoded chars. I snagged the code, passed it through a Perl decoder and it does appear clean. For some reason, when I just copy/paste the clear chars into a bookmark, it does not seem to execute anything when activated.


Chris Zarate, four hours later (link):
In reply to: Mike Arms ↑ 

Mike, any character that is invalid for a URL is also invalid for a JavaScript bookmarklet (most notably curly brackets). Instead of encoding just the special characters, I find it easier (especially for a long bookmarklet like this) to encode the entire thing. Here's a webpage that will do this encoding/decoding for you:

ASCII to Hex to Unicode

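The whole-bookmarklet encoding the two comments above discuss, as an added Node.js example that is not the page's bookmarklet builder. It encodes every byte of a bookmarklet body as %XX (the form Mike saw) and decodes such a URL back to source, which is the check worth doing before adding any bookmarklet to the browser: read the decoded script and confirm where it sends data. The sample bookmarklet text and its generate() call are constructed for illustration.

```javascript
// Added example (not the page's own code): full percent-encoding of a
// bookmarklet body and the reverse, so the source can be reviewed.

// Encode every byte, not just URL-unsafe ones, as %XX after "javascript:".
function encodeBookmarklet(source) {
  let out = 'javascript:';
  for (const b of Buffer.from(source, 'utf8')) {
    out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Recover the readable source from a javascript: URL (fully or partly encoded).
function decodeBookmarklet(url) {
  if (!url.startsWith('javascript:')) throw new Error('not a javascript: URL');
  return decodeURIComponent(url.slice('javascript:'.length));
}

// True when the URL body consists only of %XX escapes (what Mike observed).
function isFullyEncoded(url) {
  return /^javascript:(%[0-9A-F]{2})+$/.test(url);
}

// Constructed sample; generate() is a hypothetical function the host page defines.
const SAMPLE_SOURCE =
  "(function(){var m=prompt('Master password');alert(generate(m,location.host));})()";

console.log(encodeBookmarklet(SAMPLE_SOURCE));
console.log(decodeBookmarklet(encodeBookmarklet(SAMPLE_SOURCE)));
```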

Levi Wallach, four days later (link):

Hi Chris,

I've been using your script and changing various passwords but I do have this nagging question in the back of my mind. I don't understand much in terms of the technical details of encryption schemes, so maybe this is a stupid question. Basically, I'm wondering if someone sees your password for site X and knows you are using your encryption scheme, so they know two pieces of the puzzle plus the encryption scheme being used, can they from that get your master password?


Chris Zarate, fourteen hours later (link):
In reply to: Levi Wallach ↑ 

Levi: no, they can't. That's the beauty of MD5. It's a one-way hash function. Read more about MD5.


Shane Geiger, one week later (link):

This quick hack demonstrates some things you could do with Bash and sed to get similar results. Have fun with this. (The sed replacements demo how easily other characters could be added to your passwords, if necessary.)

function mypassgen() {
  read -p "Enter master password: " -s MASTER
  read -p "Enter site or machine name: " -s RESOURCE
  # echo appends a newline, so the hashed input is "${MASTER}${RESOURCE}\n";
  # md5sum prints the hex digest, cut keeps its first 15 characters, and sed
  # swaps in a couple of symbols to show how the character set can be widened
  echo "${MASTER}${RESOURCE}" | md5sum | cut -c 1-15 | sed 's/2/$/g; s/a/*/g'
}


Bludnok, one week later (link):

Great little utility.

I unescaped the code and I noticed that it runs the .js from your website. I've downloaded a copy of the .js file that does the actual work and I'd like to change the bookmarklet to refer to this downloaded file, rather than the one on your site.

I tried substituting in the file path instead of the URL but that doesn't seem to work. I'm not a java programmer so I don't know the syntax.

Can you tell me how the file path should be entered?

Could you also tell me how I can alter the script to produce an eight character password?

BTW: I think the master password should be in clear as you have done it. If you mistype the password when you create it, you'll get an output that won't work if you later don't mistype it.


badr, two months later (link):

thank you


Kee Hinckley, one month later (link):
In reply to: Shane Geiger ↑ 

To make the script match the javascript, you need to put a ":" between the password and hostname. Here's an alternative (using a different md5 command line utility). This generates identical passwords to the javascript.

#!/bin/sh
read -p "Enter master password: " -s MASTER
echo ""
read -p "Enter site or machine name: " RESOURCE
# md5 -s prints 'MD5 ("...") = <hash>'; strip the prefix, keep the first 8 hex chars
md5 -s "${MASTER}:${RESOURCE}" | sed -e 's/.*= //' | cut -c 1-8


Domenico, four weeks later (link):

It has problems with sites using different ports for different site parts. For example, at the main page the URL is http://site.com/index.htm and somewhere else in the site it is http://site.com:8080/something.html. Could it be solved?


Shai Coleman, eight hours later (link):

There's an extensive list of top level domains here: http://www.surbl.org/two-level-tlds


Chris Zarate, one day later (link):
In reply to: Domenico ↑ 

Domenico, nice catch. This has been fixed and all the bookmarklets have been updated. The cached version may take a day or so to update.


Chris Zarate, eleven minutes later (link):
In reply to: Shai Coleman ↑ 

Shai, that is a long list! Unfortunately, if I updated the bookmarklets now, it might affect people that already created passwords on those domains.

I'm pretty confident that my list of 270 covers the most common second-tier top-level domains. The worst that could happen is that a user might have the same password for two different websites on a very obscure second-tier top-level domain.


Jordan, one week later (link):

How did you get the Treo working with it? I tried saving the page in Blazer and using the form on the page, but it won't work for me. I suppose it'd be pretty trivial to come up with some code for the Palm that would generate the same data; I'm sure there are MD5 functions built right into it. That might be kind of convenient. Any Palm programmers out there up to the task? ;-(


Chris Zarate, one hour later (link):
In reply to: Jordan ↑ 

Jordan, I added a mobile version that should work with your Treo.


Jordan, five hours later (link): 

Works like a charm, thanks much.

