-
Notifications
You must be signed in to change notification settings - Fork 162
Maybe you shouldn’t! You should only use SuperGenPass if you understand how it works and the benefits it provides. Here’s why I use it:
Like many people, at one time I used the same password at every Web site. This was certainly convenient, but also risky: if just one of my accounts got hacked, someone theoretically could gain access to all of my accounts across the Web.
Enter SuperGenPass. It works right from your Web browser and on phones and tablets. You remember one password (your “master password”), and SGP uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SGP on as many computers as you like without having to “sync” anything.
SuperGenPass uses your master password and the domain name of the Web site you are visiting as the “seed” for a one-way hash algorithm (base-64 MD5). The output of this algorithm is your generated password. If either your master password or the domain name of the Web site changes, even by one character, the generated password will be drastically different.
As software, SGP is a bookmarklet and a Web app (mobile version). The bookmarklet contains a small amount of JavaScript that:
- Loads jQuery if it hasn't already been loaded by the host page
- If the page contains frames, looks for the largest viewport within the frameset
- Creates an draggable iFrame containing the mobile version of SuperGenPass
- Sends a message to the iFrame (using HTML5 postMessage) containing the domain of the host page
- Stands by to receive the generated password from SuperGenPass (also using HTML5 postMessage)
The mobile version can also be used directly on mobile devices and added to home screens.
When using a bookmarklet on a third-party site, it is impossible to detect a potentially hostile JavaScript environment. The page could essentially hijack core JavaScript functions, simulate SuperGenPass, and trick you into handing over your master password.
To mitigate this, the bookmarklet loads the mobile version of SuperGenPass over TLS. That way, you type your master password into a safe environment that is protected by your browser's cross-site scripting restrictions. The generated password is then sent to the host page using HTML5 postMessage, where the bookmarklet verifies that it came from SuperGenPass.
Yes! For extra protection, you should provide a “secret” password using the advanced settings of SuperGenPass. This will generate a unique identicon (based on your secret password) that you will see whenever you load SuperGenPass. If you don’t recognize the identicon, that could be an indication that someone is trying to intercept your master password.
No one should ever consider their online activity safe. SuperGenPass provides security benefits but, like any software, it should never be considered invulnerable. More than any other factor, a weak master password will endanger a user, so be sure to choose a strong master password, and change it regularly.
When generating passwords, SuperGenPass ignores subdomains and only uses the
primary domain name of the website. This ensures that the same password is
generated at www.domain.com, login.domain.com, and domain.com—no matter
where you are on the site.
SuperGenPass also provides some degree of phishing protection. Suppose you
receive a phishing attack—for example, an e-mail that purports to be from Amazon
but is actually from a malicious hacker trying to steal your password. It sends
you to a page that’s set up to look like Amazon, has a similar URL (say,
www.amaz0n.com), and includes a login form. Let’s say you are fooled by this
forgery and you proceed to log in with SuperGenPass. Even though you use your
actual master password (cornflakes), because the domain name is slightly
different, SuperGenPass generates a completely different password
(uc15yrcmqI). The hacker hasn’t obtained your password, and will not be able
to access your account—at Amazon or anywhere else.
Yes! You will need to change the passwords for your existing Web site accounts to match what SuperGenPass generates. It’s worth it!
In order to resist dictionary attacks while retaining compatibility with most Web site password requirements, all passwords generated by SuperGenPass:
- Consist of Latin alphanumerics (A-Z, a-z, 0-9)
- Always start with a lowercase letter of the Latin alphabet
- Always contain at least one uppercase letter of the Latin alphabet
- Always contain at least one numeral
- Can be any length from 4 to 22 characters (default: 10)
SuperGenPass is designed to comply with the password requirements of the vast majority of Web sites. However, there will always be a small number of exceptions.
To get around this problem, some SGP users memorize a short suffix to append to
their generated passwords that satisfies extra requirements. For example, if
Site X requires your password to contain three numerals and at least one
character from !@#$%^&*()-+, you could manually append 67% to your generated
password before logging in.
This is actually a great use for SuperGenPass. Most sites like this compare your
new password to your previous passwords, so using a counter (e.g., password1,
password2) will not work. But with SuperGenPass, using a counter suffix with
your master password works beautifully to generate drastically different
passwords that will pass any comparison test.
Yes! Entering your master password each time is the only way to take full advantage of the security benefits that SuperGenPass offers.
As an algorithm, SuperGenPass is completely agnostic towards the input (your master password) and output (your generated passwords). All calculations and actions are performed locally by your Web browser; SuperGenPass does not transmit data or does not store your master password or generated passwords.
This site is hosted on GitHub. While it is generally very reliable, there are rare outages. Most of the time, though, these outages won’t affect you since the files are cached very aggressively.
SuperGenPass uses a one-way hash algorithm (base-64 MD5) to generate passwords.
Specifically, it concatenates the master password and the domain name of the Web
site (masterpassword:domain.com), hashes the result at least ten times (and
until it satisfies the generated password requirements), and cuts the result to
the desired length.
Like all hash functions, SuperGenPass could be made vulnerable to brute-force attacks if a malicious entity obtains a user’s generated password and the domain for which it was generated. For this reason, use of a strong master password is imperative. However (and perhaps obviously), a successful brute-force attack on one user of SuperGenPass has no effect on any other user.
A list of third-party SuperGenPass implementations, including apps for various platforms, can be found on the implementations wiki page.
Previous versions are archived in the commit history of this repository. Links are compiled on the previous versions wiki page. Please note that versions of SGP prior to 3.0 contained DOM vulnerabilities that made it theoretically possible for master passwords to be intercepted.
SuperGenPass owes a great debt to Paul Johnston, who wrote the JavaScript implementation of MD5, and to Nic Wolff, who wrote the original bookmarklet password generator.
My contributions, such that they are, are released under the GNU General Public License version 2.