One Pass For All
As an internet user, you probably have a bunch of web accounts. With few exceptions, all of them are password-protected. To keep these accounts as safe as possible, you have to figure out a set of strong yet easy-to-remember and hard-to-guess passwords. Moreover, these passwords shouldn’t be the same as or similar to each other, or more strictly, the relationship among these passwords should be hard to detect. Otherwise, if one of them is compromised, so are the others. With the number of accounts growing, password maintenance tends to be a thorny issue. That’s where the password management tools come in. The key idea of most of them is pretty straightforward: they securely keep track of all account passwords for a user so that he only need remember one single super-password(called master password), by which he can access the encrypted password database whenever in need.
To avoid reinventing the wheel, I look up the web to see if anyone else has the same idea. It turns out SuperGenPass meets my requirement quite well. Basically, SuperGenPass is able to transform a master password into strong and different passwords for the different web sites. Not surprisingly, it uses MD5 algorithm to achieve the goal. As a one-way cryptographic hash function, MD5 can quickly convert the combination of a master password and an internet domain to an input-sensitive, pseudo-random string, which implies that even if the password for some specific website is compromised, it is infeasible to reversely compute the original master password or passwords for other websites. Great as the idea is, it’s not new to me. The actual sweet spot to me is that it populates the password just in-place; namely, after a user fills out a master password in a password field and clicks the SuperGenPass bookmarklet, the hashed password will directly replace the master password. By contrast, running a script under a shell and copying or retyping the output into password field is somewhat unsafe and cumbersome.
Life becomes easier now. With the aid of a password bookmarklet, I only have to keep one secret key in mind, yet confidently sign on various websites with unique and strong passwords, without even knowing what they actually look like. That said, traditional password managers still have their places, they may save the hints of some(one or very few) master passwords just in case, or autofill login form for non-crucial accounts on trusted machines, or record some other sensitive information.
Before adopting SuperGenPass, I take a closer look at its features and source
code. In my opinion, there are some defects that cannot be ignored.
For one thing, MD5 is considered cryptographically broken.
It’s OK to serve as file integrity checker, but not that competent as a password
generator. What is worse, SuperGenPass’s default
salt is empty and cannot
be customized unless you modify the source code. This makes it more vulnerable
to dictionary attack. Another problem is SuperGenPass is
solely based on Base64, which means the generated
password are mainly composed of letters and digits, excluding many special
$, etc. This may dilute the strength of the
passwords, especially considering the default password length is only 10.
One more thing that concerns me is it totally neglects the login name(username).
I have multiple accounts on the same websites(e.g. gmail, dropbox), and
definitely don’t wish all of them share passwords. Appending or prepending
a master password with a username may be barely enough, but nominally
this make ONE master password not really true, and theoretically,
simple concatenation of a key and data is less reliable than
HMAC algorithm. In addition, it seems that SuperGenPass doesn’t work
well on password-change page(let me know if I am wrong here). I have no clue
why sometimes it autofills all passwords including old password, new password
and confirmed new password, sometimes it only fill just one or two of them.
Eventually, I decide to develop one by myself from scratch. As a result, a
gadget named 1pass4all (i.e. one pass for all)
Hopefully, 1pass4all provides some improvements over SuperGenPass as follows:
1pass4all is based on algorithm HMAC-SHA224, seeing that SHA-2 is more secure than MD5, and HMAC is more suitable than plain concatenation. By default, the generated password may contain any printable characters(Base94) instead of Base64 characters, and password’s maximal length extends from 24 to 26. Besides, it supports customizable salt and hash iteration(for key stretching). Furthermore, 1pass4all can take username into account, which means the same master password on the same website will result in different passwords as long as logins differ.
When possible, 1pass4all will auto-login after populating password without popping up a confirmation form. If everything goes smoothly, the bookmarklet just acts as a login button, except doing something magic underneath. Normally, clicking the bookmarklet will only change the value of the focused password field(or the first one if none is focused). This is less confusing, and can avoid unwanted password transformation(e.g. those manually typed old-password).
Aiming at advanced users, 1pass4all supports a specialized password syntax, so that they can specify username, domain, password-length, salt, hash iteration, password character set, username auto-detection, auto-login etc. in the password field(instead of a pop-up form) on-the-fly.
Like SuperGenPass, 1pass4all also has mobile version in case you cannot or don’t want to install bookmarklet for some reason. For example, when you are on a mobile or on other’s computer, or you are visiting an untrusted website that may steal your master password. It’s useful as well when you are logging on a non-browser application.
I will be gratified if your interest has been aroused so far. Please don’t hesitate to give it a try now. For further instructions, you may read README file. Any problems and suggestions are welcome in the comments below. As a reminder, despite the fact that 1pass4all can largely strengthen your password, you still need design a very strong master password, since 1pass4all’s algorithm is open. Fortunately, that’s the only password you have to memorize at any time.
Lastly, I’d like to acknowledge SuperGenPass for inspiring me to develop this project.
P.S. The Chinese version of this article is also available.
 Wikipedia: MD5
 Wikipedia: SHA-2
 Wikipedia: HMAC