Frequently asked questions

Why should I use SuperGenPass?

If you’re like most people, you use the same password for all your Web site accounts. This is certainly convenient, but it’s also risky: if just one of your passwords is compromised—by a hacker, by someone who guesses your password, or by someone with internal access to one of your accounts—they could use it to gain access to your other accounts across the Web.

The solution, of course, is to use different passwords at each Web site. But how? Writing them down is insecure and impractical. Storing them—either on your hard drive or (even worse) online—leaves you vulnerable to spyware, encryption attacks, and data loss. Password managers like 1Password are convenient and reasonably secure at home or work, but cannot be installed on public computers.

Enter SuperGenPass. It works right from your Web browser and integrates with login forms. You remember one password (your “master password”), and SuperGenPass uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SuperGenPass on as many computers as you like without having to “sync” anything.

How does SuperGenPass work?

SuperGenPass is a bookmarklet. A bookmarklet is a chunk of JavaScript code stored in your Web browser as a bookmark or “favorite.” There’s no software to install, so you can use SuperGenPass across all platforms and in any modern Web browser—and on a number of smartphones. It also makes it easy to use across multiple computers—including public computers, where user rights may be limited.

SuperGenPass uses your master password and the domain name of the Web site you are visiting as the “seed” for a one-way hash algorithm (base-64 MD5). The output of this algorithm is your generated password. If either your master password or the domain name of the Web site changes, even by one character, the generated password will be drastically different.

For example, let’s say that your master password is “cornflakes”. If you want to log in at yahoo.com, SuperGenPass uses “cornflakes:yahoo.com” to generate a password of “r9AQeOhBgU”. At amazon.com, SuperGenPass uses “cornflakes:amazon.com” to generate “zcbEm1t32B”. By using an algorithm, SuperGenPass doesn’t need to remember or store your passwords—it simply computes them on-the-fly each time. And because it is a one-way hash algorithm, no one will be able to reverse-engineer your master password from your generated passwords.

Is SuperGenPass safe?

SuperGenPass is not invulnerable. In particular, weak master passwords endanger a user (see technical details). Additionally, a malicious site could craft a JavaScript attack to target SuperGenPass users and discover a user’s master password. If you wish to use SuperGenPass on a site that you do not trust, use the mobile version and copy and paste the generated password.

Most importantly, you should not use SuperGenPass if you do not understand every aspect of how it works.

What are some unique features of SuperGenPass?

When generating passwords, SuperGenPass ignores subdomains and only uses the primary domain name of the website. This ensures that the same password is generated at www.domain.com, login.domain.com, and domain.com, no matter where you are on the site.

SuperGenPass also provides some degree of phishing protection. Suppose you receive a phishing attack—for example, an e-mail that purports to be from Amazon but is actually from a malicious hacker trying to steal your password. It sends you to a page that’s set up to look like Amazon, has a similar URL (say, “www.amaz0n.com”), and includes a login form. Let’s say you are fooled by this forgery and you proceed to log in with SuperGenPass. Even though you use your actual master password (“cornflakes”), because the domain name is slightly different, SuperGenPass generates a completely different password (“uc15yrcmqI”). The hacker hasn’t obtained your password, and will not be able to access your account—at Amazon or anywhere else!
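The subdomain handling and the phishing point above come down to one step: reduce the page's hostname to its registered domain before it becomes hash input, so that www.domain.com, login.domain.com and domain.com collapse to one value while a look-alike domain does not. The following JavaScript is an added example, not SuperGenPass's own code. The list of two-part suffixes (co.uk and the like) is a constructed sample rather than the project's list, and the handling of IPv4 literals is an assumption; the FAQ specifies neither.

```javascript
// Added example, not the SuperGenPass project's code: reduce a hostname to
// the registered domain so that subdomains do not change the hash input.

// Constructed sample of suffixes where the registered domain has three
// labels (example.co.uk). SuperGenPass keeps its own list; this is not it.
const TWO_PART_SUFFIXES = new Set([
  "co.uk", "org.uk", "ac.uk", "com.au", "net.au", "co.jp", "co.nz", "com.br",
]);

function registeredDomain(hostname) {
  const host = String(hostname).trim().toLowerCase().replace(/\.$/, "");
  // Assumption: an IPv4 literal has no subdomains to strip, so keep it whole.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  const labels = host.split(".").filter((label) => label.length > 0);
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_PART_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// The bookmarklet reads the current page's hostname; here a full URL stands
// in for window.location so the function can be exercised offline.
function domainForUrl(url) {
  return registeredDomain(new URL(url).hostname);
}

// Two pages feed the same hash input only when their registered domains match.
function sameSite(urlA, urlB) {
  return domainForUrl(urlA) === domainForUrl(urlB);
}

// Demo: the forms of one site collapse, the look-alike domain does not.
for (const u of ["https://www.domain.com/", "https://login.domain.com/x", "https://domain.com"]) {
  console.log(u, "->", domainForUrl(u));
}
console.log("amazon.com and amaz0n.com same site?",
  sameSite("https://www.amazon.com/", "https://www.amaz0n.com/login"));
```

Run it with node; the point of the demo lines is that a one-character change in the domain is not "close enough": it yields a different registered domain and therefore different hash input.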

How do I start using SuperGenPass?

Visit the home page and add SuperGenPass to your bookmarks. Next, think of a complex master password—avoid dictionary words or anything with personal associations—and commit it to memory. That’s it! Whenever you need to generate a password for a Web site, visit that site and then select SuperGenPass from your bookmarks.

Will I need to change all of my passwords?

Yes! You will need to change the passwords for your existing Web site accounts to match what SuperGenPass generates. It’s worth it! Most Web sites make this easy: look for a link titled “My Account,” “Preferences,” or “Settings.”

How complex are the generated passwords?

In order to resist dictionary attacks while retaining compatibility with Web site password requirements, all passwords generated by SuperGenPass:

For your security we recommend following the above guidelines when choosing your master password. Remember, your master password is the key to all your generated passwords. It must be secure and secret.

Site X has different password requirements!

SuperGenPass is designed to comply with the password requirements of the vast majority of Web sites. However, there will always be a small number of exceptions. It is best to memorize alternate passwords for the rare exception or two, and use SuperGenPass for all other Web sites.

Alternatively, you could memorize a short suffix to append to your generated passwords that would satisfy Site X’s additional requirements. For example, if Site X requires your password to contain three numerals and at least one character from “!@#$%^&*()-+”, you could manually append “33%” to your generated password before logging in.

Site Y requires me to change my password every month!

This is actually a great use for SuperGenPass. Most sites like this compare your new password to your previous passwords, so using a counter (e.g., “password1”, “password2”) will not work. But with SuperGenPass, using a counter suffix with your master password works beautifully.

For example, let’s say you’ve chosen “cornflakes” as your master password, and that mybank.com requires you to periodically change your password. At mybank.com, use “cornflakes” plus a counter suffix as your master password, and increase by 1 each time you need to change your password (e.g., “cornflakes1”, “cornflakes2”). This small change in your master password generates drastically different passwords that will pass any comparison test. Your master password does not change and you only need to remember the current counter suffix when logging into mybank.com.

Will SuperGenPass work in my Web browser? What about the iPhone?

SuperGenPass works in just about every modern Web browser. Technically speaking, it requires a browser that supports JavaScript and the DOM. It works on many smartphones, including the iPhone / iPod Touch / iPad—just add the mobile version to your home screen.

Some browsers—most notably, all versions of Internet Explorer, some older versions of Safari and Opera, and many smartphone browsers—place a severe limit on the length of bookmarks. Use the Internet Explorer version of SuperGenPass for these browsers. It circumvents the limit by downloading this JavaScript file each time you use SuperGenPass (though it will likely be cached to reduce bandwidth usage). Only generic JavaScript code is downloaded, and no information is ever transmitted to this or any other Web site. (Internet Explorer may prompt you with a security message when you add SuperGenPass to your favorites. This is typical of all bookmarklets and can be safely ignored.)

If you are unsure if your Web browser enforces this limit, try the Firefox version. If SuperGenPass fails to load, then use the Internet Explorer version.

Do I have to type my master password every time I use SuperGenPass?

You really should. Entering your master password each time is the only way to take full advantage of the security that SuperGenPass offers. When using SuperGenPass on a public or untrusted computer, this is the only option you should consider.

There are, however, two alternatives offered on the “Customize SuperGenPass” page.

The first alternative—enter your master password each time, but use a hash to verify it—is also very safe, but it stores a multi-iteration hash of your master password in the bookmarklet. This, in effect, catches a mistyped master password before a wrong password is generated, which is a valuable safety mechanism. While the hash cannot be used to reverse-engineer your master password, it could be used to mount a dictionary or brute-force attack. Given access to your bookmarklet and enough time, your master password could be compromised. For maximum security, this option should only be employed on secure, trusted computers (e.g., home computer with frequent virus scanning).

The second alternative—hardcode your master password into SuperGenPass—is flatly insecure, and should never be considered safe in any way. This option is provided only for the convenience of the many users that have requested it, but let me be clear: I cannot recommend this option under any circumstances. While elementary steps are taken to mask your master password, it is more or less stored directly in the bookmarklet. This means that: (1) it is stored on your computer’s hard drive, where it is vulnerable to spyware and other exploits; (2) anyone with physical or remote access to your computer can easily generate passwords without knowing your master password; and (3) anyone with physical or remote access to your computer can, with limited effort, extract your master password for later use. Again, I cannot recommend this option, as it effectively negates many of the security advantages that SuperGenPass provides. Don’t do it!

Why should I trust SuperGenPass? What happens if your site goes down?

Like with all software, you should understand the basics of how SuperGenPass works before making the decision to use it. As an algorithm, SuperGenPass is completely agnostic towards the input (your master password) and output (your generated passwords). All calculations and actions are performed locally by the Web browser on your computer; SuperGenPass does not transmit or store data.

In addition, this Web site does not collect or store any information. I do not keep access logs. All forms on this Web site are manipulated locally by the Web browser on your computer; they do not transmit or store data.

While my hosting service is generally very reliable, there are rare outages. If you use the Firefox / Safari / Opera version, outages will not affect your use of SuperGenPass. If you use the Internet Explorer version and you are concerned about outages, the “Customize SuperGenPass” page allows you to specify a different location for the hosted JavaScript file—your own server or the Coral cache, for example. I also recommend that you save a copy of the mobile version to your hard drive in case you need to generate a password while offline.

Is SuperGenPass free?

SuperGenPass is completely free of charge. If you encounter anyone charging for it, please let me know on the SuperGenPass message board immediately.

Is SuperGenPass available in other languages? Can I translate it?

SuperGenPass has been translated into: French by Éric Desfonds, Spanish by Fernando P. Nájera Cano, Brazilian Portuguese by Flavio Suárez, German by Christian Debertshäuser, Traditional Chinese by LHK, and Hungarian by Mikola Ákos. They deserve considerable appreciation and thanks for their efforts.

If you would like to translate SuperGenPass into another language or provide improvements to an existing translation, I will be more than happy to put everything together and host it on this Web site. Download the key terms and copy and translate them with the formatting and numbering intact. Leave a message on the SuperGenPass message board to let others know you are working on the translation, and I will be in touch to let you know where to deliver the finished files.

Advanced options, technical details, and further discussion

Advanced options

Many users have requested the ability to program a second, hidden password into the SuperGenPass algorithm. You can enable this advanced option by following this special link to the “Customize SuperGenPass” page. Your “stealth password” is hardcoded into your bookmarklet and is concatenated onto the end of your master password each time you run SuperGenPass.

Take care when using this advanced option, since your stealth password is just as important as your master password—your passwords cannot be generated without both of them. If you employ a stealth password, you must remember it—not a trivial concern, since you will seldom type it—and employ it whenever you need another copy of the SuperGenPass bookmarklet.

When using the mobile version, there is no field for your stealth password, so simply concatenate it onto the end of your master password.

Technical details

SuperGenPass uses a one-way hash algorithm (base-64 MD5) to generate passwords. Specifically, it concatenates the master password and the domain name of the Web site (“masterpassword:domain.com”), hashes the result at least ten times (and until it satisfies the generated password requirements), and cuts the result to the desired length.

Like all hash functions, SuperGenPass could be made vulnerable to brute-force attacks if a malicious entity obtains a user’s generated password and the domain for which it was generated. For this reason, use of a strong master password is imperative. However (and perhaps obviously), a successful brute-force attack on one user of SuperGenPass has no effect on any other user.

SuperGenPass is not compiled; source code can be examined directly.

Read the change log for notes about changes between versions. Previous versions of SuperGenPass are available in the archive.

Important notice: Prior to version 2.0, SuperGenPass did not have full support for multibyte (loosely, non-ASCII) characters. As a result, multibyte characters were not fully seeded in the hash algorithm and password diversity was adversely affected. With the approaching mainstream adoption of Unicode domains, it was important to fix this bug. If your master password or a domain name contained multibyte characters (an uncommon occurrence), version 2.0 may now generate different passwords from earlier versions of SuperGenPass!

Further discussion

If you have further questions about SuperGenPass not addressed in this FAQ, please visit the SuperGenPass message board.

Acknowledgments and license

SuperGenPass owes a great debt to Paul Johnston, who wrote the JavaScript implementation of MD5, and to Nic Wolff, who wrote the original bookmarklet password generator.

My contributions, such as they are, are released under the GNU General Public License.