If you’re like most people, you use the same password for all your Web site accounts. This is certainly convenient, but it’s also risky: if just one of your passwords is compromised—either by a hacker or by someone who guesses your password—they could use it to gain access to your other accounts across the Web.
The solution, of course, is to use different passwords at each Web site. But how? Memorizing them all is probably out of the question. You could write them down on a piece of paper, but you’d need to remember to take it with you to work and on trips, and it could easily be lost or stolen. You could use a password manager, but it would need to be installed on each machine you use, and that’s not an option on public computers. Password managers are also vulnerable to data loss and spyware.
Enter SuperGenPass. It works right from your Web browser and integrates with login forms. You remember one password (your “master password”), and SuperGenPass uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SuperGenPass on as many computers as you like without having to “sync” anything.
A bookmarklet is a chunk of JavaScript code stored in your Web browser as a bookmark or favorite. There’s no software to install, so you can use SuperGenPass across all platforms and in any modern Web browser. It also makes it easy to use across multiple computers, and even on public computers where access rights may be restricted.
SuperGenPass uses your master password and the domain name of the Web site you are visiting as the “seed” for a one-way hash algorithm. The output of this algorithm is your generated password. If either your master password or the domain name of the Web site changes, even by one character, the generated password will be drastically different.
For example, let’s say that your master password is “cornflakes”. If you use SuperGenPass at yahoo.com, your generated password will be “r9AQeOhBgU”. If you use SuperGenPass at amazon.com, your generated password will be “zcbEm1t32B”. SuperGenPass doesn’t need to remember or store these anywhere, because each is just the answer to a (very complex) math problem: the result is the same every time. And because SuperGenPass uses a one-way hash function, no one can compute your master password directly from your generated passwords. One caveat: a one-way function does not prevent guessing. Someone who learns one of your generated passwords (for example, by compromising a site) and knows the domain can try candidate master passwords offline until one reproduces it, so your master password must be long and hard to guess, not a dictionary word like “cornflakes”.
When generating passwords, SuperGenPass ignores subdomains and only uses the primary domain name of the website. This ensures that the same password is generated at www.domain.com, login.domain.com, and domain.com, no matter where you are on the site.
SuperGenPass also provides some degree of phishing protection. Suppose you receive a phishing attack—for example, an e-mail that purports to be from Amazon but is actually from a malicious hacker trying to steal your password. It sends you to a page that’s set up to look like Amazon.com and has a similar URL (say, “www.amaz0n.com”), and includes a login form. Using SuperGenPass at this malicious Web site with your master password (“cornflakes”), your generated password is “uc15yrcmqI”. Compare with the previous example: though the master password is the same and the domain name is only slightly different, SuperGenPass generates a completely different password. Even if you are fooled by the phishing attack and attempt to log in to the impostor website, you haven’t sent your real password. This protection rests on the domain your browser is actually on: it does not help if you type your master password into a form the bookmarklet never processes, or if the attacker’s page is served from the genuine domain.
When you are ready to log in or create an account at a Web site, complete the form using your master password. Then, select SuperGenPass from your bookmarks or favorites. SuperGenPass will replace your master password with the generated password for that Web site. Now you’re ready to submit the form.
If SuperGenPass has any problems, it will notify you in the box at the upper-right-hand corner of the page. In the extremely rare case that SuperGenPass fails to load, you can use the mobile version.
Yes! You will need to change the passwords for your existing Web site accounts to match what SuperGenPass generates. Depending on how many Web site accounts you have, this is a potentially daunting task. But consider the alternative: sticking with your old, low-security, shared password all over the Web. There’s also no need to do it all at once; in fact, most people do it gradually.
To change a Web site’s password, find that site’s “change password” form. The procedure is then the same as the general procedure above, except that SuperGenPass’s auto-fill feature may overwrite the “old password” field. If this happens, simply retype your old password in that field before submitting the form.
In order to resist dictionary attacks while retaining compatibility with Web site password requirements, all passwords generated by SuperGenPass:
SuperGenPass is designed to comply with the password requirements of the vast majority of Web sites. However, there will always be a small number of exceptions. It is best to memorize alternate passwords for the rare exception or two, and use SuperGenPass for all other Web sites.
This is actually a great use for SuperGenPass. Most sites like this compare your new password to your previous passwords, so using a counter (e.g., “password1”, “password2”) will not work. But with SuperGenPass, using a counter suffix with your master password works beautifully.
For example, let’s say you’ve chosen “cornflakes” as your master password, and that mybank.com requires you to periodically change your password. At mybank.com, use “cornflakes” plus a counter suffix as your master password, and increase it by 1 each time you need to change your password (e.g., “cornflakes1”, “cornflakes2”). This small change in the input generates a drastically different password that will pass the site’s comparison against your previous passwords. Your master password itself stays the same; you need only remember the current counter suffix when logging in to mybank.com.
No password solution is completely safe from keyloggers, which are becoming increasingly sophisticated. Even on-screen keyboards are useless against the latest spying software. That’s why it remains vitally important to scan your system regularly for malware and to refrain from using untrustworthy computers.
That said, the generated password itself is never typed, so a traditional keylogger does not capture it directly. Your master password, however, is typed into the form before SuperGenPass replaces it, and anyone who records it along with the site you were visiting can regenerate every one of your passwords. Treat this as a modest advantage over typing each site’s password in the clear, not as protection you can rely on.
Some browsers—most notably, Internet Explorer and some versions of Safari and Opera—place a limit on the length of bookmarks and favorites. Since the code for SuperGenPass exceeds this length, versions for those browsers download this JavaScript file each time you use SuperGenPass. Only generic JavaScript code is downloaded, and no information is ever transmitted to this or any other Web site. Bear in mind, though, that the downloaded file runs inside the page with access to your master password, so every use trusts the server that hosts it and the connection it arrives over. If that concerns you, the bookmarklet builder lets you host the file yourself, as described below.
SuperGenPass works in just about every modern Web browser. Technically speaking, it requires a browser that supports JavaScript and the DOM model. There’s actually an easy test for this: if you can build your bookmarklet (using the form on the home page), then your browser meets the requirements.
SuperGenPass works on most smart phones, including the iPhone. Often they limit bookmark length, so you might need to use the Internet Explorer version.
If you are running a very old Web browser and experience difficulty with SuperGenPass, try GenPass Classic, which does not require DOM-model support.
While my hosting service is generally very reliable, there are rare outages. If you use the Internet Explorer version and you are concerned about this situation, the bookmarklet builder allows you to specify a different location for the hosted JavaScript file—your own server or the Coral cache, for example.
In the event that I become destitute or demented (or both) and am unable to pay my server bills, others have volunteered to keep SuperGenPass available. I also recommend that you save a copy of the mobile version to your hard drive in case you need to generate a password while offline.
SuperGenPass has been translated into French by Éric Desfonds, into Spanish by Fernando P. Nájera Cano, into Brazilian Portuguese by Flavio Suárez, and into Hebrew by Shimi. Much appreciation and huge thanks for their efforts.
If you would like to translate SuperGenPass into another language, I will be more than happy to put everything together and host it on this Web site. Download the key terms and copy and return them to me with the formatting and numbering intact.
SuperGenPass is completely free of charge. Donations are not accepted, but contributions to the AIDS Research Alliance are a wonderful means of thanks. Please drop me a line if you choose to donate so I can thank you personally.
SuperGenPass 1.3 added some functionality:
SuperGenPass 1.2 was updated on 5 and 7 March 2008 to correct a few small bugs:
SuperGenPass 1.2 fixed a few small issues:
SuperGenPass 1.1 introduced a number of new features:
Previous versions of SuperGenPass are available in the archive. GenPass is available on its own page.
Source code is easy. It’s just JavaScript, so either break apart your bookmarklet, or, for a more readable version, take a look at the JavaScript file that the Internet Explorer version loads.
Below, I have provided pseudo-code for the algorithm only. The UI is presumed to be self-explanatory.

function SuperGenPass (MasterPass, Domain, Length):
    PasswdSeed = MasterPass + ":" + Domain
    repeat 10 times:
        PasswdSeed = Base64MD5(PasswdSeed)
    end repeat
    PasswdCand = Substring(PasswdSeed, 1, Length)
    # Check for password requirements; if it fails,
    # keep iterating until it passes.
    while FailsRequirements(PasswdCand):
        PasswdSeed = Base64MD5(PasswdSeed)
        PasswdCand = Substring(PasswdSeed, 1, Length)
    end while
    return PasswdCand
end function