The password-generating program that I created, Oplop, has now hit version 0.3. The biggest change since the last version is that the whole idea of having various restriction filters placed on your eventual password is now gone. From practical experience it turned out that most sites are happy with what Oplop generates, though sometimes there is a demand for making sure there is a digit.
So now a digit is always included in any generated password. This simplifies the UI immensely. Now all one needs to do is input a label and a password to get their generated label password back; no more checkboxes!
And thanks to the power of App Engine, Oplop is online. I kept needing passwords at work and since I have not gotten around to writing an iPhone or Nokia S60 app, I decided I needed something. Well, since I am interning with the App Engine team and I already had Oplop implemented in Python, I figured I would just do an App Engine application where I skip using Django and just do a bare-metal web app.
As of right now the online solution is not ideal. While I use HTTPS for everything to prevent online snooping, there is no protection from someone peering over your shoulder to notice the password that is shown on the screen. Besides, if I didn't hate JavaScript so much, or hadn't had my housemate mention he has had issues at his work with differing MD5 implementations, I could have a JS version that does everything client-side.
But I would like to harness the ability to store info on a per-user level for this web app. The thing holding me up is deciding how much to store. If I store labels along with any caveats for the label password for that label, then I don't have to think about having that stuff written down anywhere. Plus I could have completion suggestions for someone who is logged in. And if there is a way for someone to be logged into their Google account from an application then the label completion could extend to even application implementations of Oplop.
The security implication, though, is that if someone gets a hold of someone's label list, will that provide too much information? Chances are you could figure out where someone had an account from the label name (e.g. it's obvious what account the "amazon.com" label is for), but the labels are worthless without the master password. But if you got a hold of the master password, your accounts could all be compromised (still requires knowing the username for each account).
If I store just a list of sites where one has labels along with any password caveats for the site, then I could have a bookmarklet that tells you what the caveat is. You then still have to remember your label for the site, but at least that bit of information would not be available to anyone who manages to get a hold of your account information. But it does guarantee people will know where you have an account.
Storing both the label and corresponding site for the label gives you the perks of both, but with the combined drawbacks. I have not decided if any of these potential security issues are worth the benefits they bring at the moment.
2008-11-08
8 comments:
Hi Brett, have you seen Clipperz.com? Worth reading some of the stuff they have, and they have some opensource bits (including a JavaScript crypto library).
John: Nope, never saw them before. Seems decent, but I still don't like the idea of storing my actual password with anyone or on anything.
Have you checked SuperGenPass.com? It's a JavaScript password in a bookmarklet. Nothing is stored anywhere.
ash: Nope, didn't see it before. The auto-generating bookmarklet is nice, although I prefer to not have them select my seed for me based on the URL (reason I went with labels in Oplop).
Brett, it's probably not difficult to hack SuperGenPass to use user-defined labels instead of URL. Why do you prefer labels?
I thought about using SuperGenPass, but decided against it. I don't like that the master password becomes very sensitive. And you couldn't easily change it: when you do, you'd have to change the password on each and every website you use. That can be very time consuming.
By the way, check out Joel Spolsky's suggestion to use PasswordSafe + DropBox combination:
http://www.joelonsoftware.com/items/2008/09/11b.html
It's time for me to try it myself :-)
ash: I prefer having control over my own labels as it adds an extra level of salt to the generated password. I can assume you have an amazon.com account, but I don't know what label you might use; "www.amazon.com", "amazon.com", "Amazon", "amazon", etc. Adds another level of protection against potential brute force attacks.
As for the master password weakness, it's a trade-off with that or an application/piece of paper that has all of my passwords written down. The former just means the weakness is the master password for the machine or app. With the latter, the weakness is me not losing my wallet. It's a question of where the weakest point is and how hard it is to get a hold of stuff to make attacks on your passwords.
As for Joel's suggestion, that's nice, but it still has the weakness that if someone gets to your Dropbox account you can then brute-force the file and get all of your passwords.
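A constructed illustration, added here and not Oplop's own code, of the scheme the post describes (master password + label in, fixed-length label password with a guaranteed digit out) and of the label-as-extra-salt point in this reply. It assumes PBKDF2-HMAC-SHA256 in place of the MD5 the post mentions, an 8-character output, and URL-safe base64 as the character set; none of those choices come from the page.

```python
import base64
import hashlib

# Constructed example of a deterministic label-password scheme. NOT Oplop's
# algorithm: PBKDF2-HMAC-SHA256 is an assumption standing in for the MD5 the
# post mentions, and the length and character set are likewise assumed.
PASSWORD_LENGTH = 8
PBKDF2_ITERATIONS = 100_000


def label_password(master: str, label: str, length: int = PASSWORD_LENGTH) -> str:
    """Derive a site password from the master password and a user-chosen label.

    The label is the salt, so one master password yields an unrelated password
    for every distinct label spelling ("amazon.com" vs "Amazon").
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), label.encode("utf-8"), PBKDF2_ITERATIONS
    )
    # URL-safe base64 keeps the output to letters, digits, '-' and '_'.
    encoded = base64.urlsafe_b64encode(digest).decode("ascii")
    candidate = encoded[:length]
    if any(ch.isdigit() for ch in candidate):
        return candidate
    # No digit in the prefix: take the first digit found anywhere in the encoded
    # digest (still deterministic) and put it in front, keeping the length fixed.
    # "1" is the fallback if the whole encoded digest happens to contain no digit.
    digit = next((ch for ch in encoded if ch.isdigit()), "1")
    return (digit + candidate)[:length]


def has_digit(password: str) -> bool:
    """The guarantee the post describes: every generated password has a digit."""
    return any(ch.isdigit() for ch in password)


def passwords_for_spellings(master: str, spellings: list[str]) -> dict[str, str]:
    """Map each label spelling to its password; shows why an attacker who knows
    the site still has to guess the exact label the user chose."""
    return {label: label_password(master, label) for label in spellings}
```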
The Firefox PasswordMaker plugin seems to work fine for me. You should check it out.
@Casey: Thanks for the pointer, but I flip-flop on browsers too much to rely on a Firefox add-on for something as crucial as my passwords.