Chris Zarate edited this page Jun 2, 2014 · 5 revisions
Clone this wiki locally

Why should I use SuperGenPass?

Maybe you shouldn’t! You should only use SuperGenPass if you understand how it works and the benefits it provides. Here’s why I use it:

Like many people, at one time I used the same password at every Web site. This was certainly convenient, but also risky: if just one of my accounts got hacked, someone theoretically could gain access to all of my accounts across the Web.

Enter SuperGenPass. It works right from your Web browser and on phones and tablets. You remember one password (your “master password”), and SGP uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SGP on as many computers as you like without having to “sync” anything.

How does SuperGenPass work?

SuperGenPass uses your master password and the domain name of the Web site you are visiting as the “seed” for a one-way hash algorithm (base-64 MD5). The output of this algorithm is your generated password. If either your master password or the domain name of the Web site changes, even by one character, the generated password will be drastically different.

As software, SGP is a bookmarklet and a Web app (mobile version). The bookmarklet contains a small amount of JavaScript that:

  • Loads jQuery if it hasn't already been loaded by the host page
  • If the page contains frames, looks for the largest viewport within the frameset
  • Creates an draggable iFrame containing the mobile version of SuperGenPass
  • Sends a message to the iFrame (using HTML5 postMessage) containing the domain of the host page
  • Stands by to receive the generated password from SuperGenPass (also using HTML5 postMessage)

The mobile version can also be used directly on mobile devices and added to home screens.

Why does the bookmarklet load the mobile version? Why can't it be self-contained?

When using a bookmarklet on a third-party site, it is impossible to detect a potentially hostile JavaScript environment. The page could essentially hijack core JavaScript functions, simulate SuperGenPass, and trick you into handing over your master password.

To mitigate this, the bookmarklet loads the mobile version of SuperGenPass over TLS. That way, you type your master password into a safe environment that is protected by your browser's cross-site scripting restrictions. The generated password is then sent to the host page using HTML5 postMessage, where the bookmarklet verifies that it came from SuperGenPass.

Should I use a “secret” password?

Yes! For extra protection, you should provide a “secret” password using the advanced settings of SuperGenPass. This will generate a unique identicon (based on your secret password) that you will see whenever you load SuperGenPass. If you don’t recognize the identicon, that could be an indication that someone is trying to intercept your master password.

Is SuperGenPass safe?

No one should ever consider their online activity safe. SuperGenPass provides security benefits but, like any software, it should never be considered invulnerable. More than any other factor, a weak master password will endanger a user, so be sure to choose a strong master password, and change it regularly.

What are some unique features of SuperGenPass?

When generating passwords, SuperGenPass ignores subdomains and only uses the primary domain name of the website. This ensures that the same password is generated at www.domain.com, login.domain.com, and domain.com—no matter where you are on the site.

SuperGenPass also provides some degree of phishing protection. Suppose you receive a phishing attack—for example, an e-mail that purports to be from Amazon but is actually from a malicious hacker trying to steal your password. It sends you to a page that’s set up to look like Amazon, has a similar URL (say, www.amaz0n.com), and includes a login form. Let’s say you are fooled by this forgery and you proceed to log in with SuperGenPass. Even though you use your actual master password (cornflakes), because the domain name is slightly different, SuperGenPass generates a completely different password (uc15yrcmqI). The hacker hasn’t obtained your password, and will not be able to access your account—at Amazon or anywhere else.

Will I need to change all of my passwords?

Yes! You will need to change the passwords for your existing Web site accounts to match what SuperGenPass generates. It’s worth it!

How complex are the generated passwords?

In order to resist dictionary attacks while retaining compatibility with most Web site password requirements, all passwords generated by SuperGenPass:

  • Consist of Latin alphanumerics (A-Z, a-z, 0-9)
  • Always start with a lowercase letter of the Latin alphabet
  • Always contain at least one uppercase letter of the Latin alphabet
  • Always contain at least one numeral
  • Can be any length from 4 to 22 characters (default: 10)

Site X has different password requirements!

SuperGenPass is designed to comply with the password requirements of the vast majority of Web sites. However, there will always be a small number of exceptions.

To get around this problem, some SGP users memorize a short suffix to append to their generated passwords that satisfies extra requirements. For example, if Site X requires your password to contain three numerals and at least one character from !@#$%^&*()-+, you could manually append 67% to your generated password before logging in.

Site Y requires me to change my password every month!

This is actually a great use for SuperGenPass. Most sites like this compare your new password to your previous passwords, so using a counter (e.g., password1, password2) will not work. But with SuperGenPass, using a counter suffix with your master password works beautifully to generate drastically different passwords that will pass any comparison test.

Do I have to type my master password every time I use SuperGenPass?

Yes! Entering your master password each time is the only way to take full advantage of the security benefits that SuperGenPass offers.

Why should I trust SuperGenPass? What happens if your site goes down?

As an algorithm, SuperGenPass is completely agnostic towards the input (your master password) and output (your generated passwords). All calculations and actions are performed locally by your Web browser; SuperGenPass does not transmit data or does not store your master password or generated passwords.

This site is hosted on GitHub. While it is generally very reliable, there are rare outages. Most of the time, though, these outages won’t affect you since the files are cached very aggressively.

Technical details

SuperGenPass uses a one-way hash algorithm (base-64 MD5) to generate passwords. Specifically, it concatenates the master password and the domain name of the Web site (masterpassword:domain.com), hashes the result at least ten times (and until it satisfies the generated password requirements), and cuts the result to the desired length.

Like all hash functions, SuperGenPass could be made vulnerable to brute-force attacks if a malicious entity obtains a user’s generated password and the domain for which it was generated. For this reason, use of a strong master password is imperative. However (and perhaps obviously), a successful brute-force attack on one user of SuperGenPass has no effect on any other user.

Other implementations

A list of third-party SuperGenPass implementations, including apps for various platforms, can be found on the implementations wiki page.

Previous versions

Previous versions are archived in the commit history of this repository. Links are compiled on the previous versions wiki page. Please note that versions of SGP prior to 3.0 contained DOM vulnerabilities that made it theoretically possible for master passwords to be intercepted.

Acknowledgments and license

SuperGenPass owes a great debt to Paul Johnston, who wrote the JavaScript implementation of MD5, and to Nic Wolff, who wrote the original bookmarklet password generator.

My contributions, such that they are, are released under the GNU General Public License version 2.