“The password system is broken” – I don’t know how often I’ve heard that phrase already. Yes, passwords suck. Nobody can be expected to remember passwords for dozens of websites. Websites enforcing arbitrary complexity rules (“between 5 and 7 characters, containing at least two upper-case letters and a dog’s name”) don’t make it any better. So far I’ve heard of three common strategies to deal with passwords: write them down, use the same one everywhere or just hit “forgot password” every time you access the website. None of these are particularly secure or recommendable, and IMHO neither are the suggestions to derive passwords via more or less complicated manual algorithms.
As none of the password killing solutions gained significant traction so far, password managers still seem to be the best choice for now. However, these often have the disadvantage of relying on a third-party service which you have to trust or storing your passwords on disk so that you have to trust their crypto. But there is also this ancient idea to derive individual passwords from a single master password via one-way hashing functions. This is great as the only sensitive piece of data is your master password, and this one you can hopefully just remember.
Now all the existing password generators have significant usability issues. What if I want to have multiple passwords on a single website? What if different websites share the same login credentials (e.g. all the WordPress blogs)? What if you are required to change your password every few months? What if there is some password which I have to use as is rather than replace it by a generated one? How to deal with that crazy website that doesn’t accept special characters in passwords? Do I have to remember all the websites that I generated passwords for? I haven’t found any solution that would answer all these questions. And I’m not even getting started on security, this is a topic for a separate blog post (spoiler: only one out of twenty password generator extensions for Firefox got crypto right).
So last summer I decided to roll my own: Easy Passwords. I’m working on it in my spare time so it took a while until I considered it ready for general use but now you can finally go and install it. You set your master password and then you can generate named passwords for any website. You can adjust password length and character set to match the requirements of the website. And if the generated password absolutely won’t do, you can still store your existing password — it will be encrypted securely, only to be decrypted with your master password.
On most websites your password can be filled in with a single click. And Easy Passwords supports website aliases: for some WordPress blog you can edit the site name into “wordpress.com” — done, you will get WordPress passwords there now. And it can show you all your passwords on a single page, you can even print them as a paper backup. This piece of paper has enough information to recreate all your passwords should your hard drive crash, but it will be useless to anybody who doesn’t know your master password.
It’s not perfect of course. For example, the aliasing functionality isn’t very intuitive and could be improved. I also have a few issues listed in the GitHub project, e.g. I’d like to warn about filling in passwords if the website doesn’t use HTTPS. Also, a secure master password is very important so it would be nice to implement some kind of security indicator when the master password is set. I wonder what other issues people come up with, we’ll see.
I see you’re using the WebCrypto API for this. What are the chances of you turning this into a ChatZilla plugin script so a master password can be used to identify to different IRC Network services with a generated password?
If I were to implement this, I wouldn’t turn this into a plugin script but rather connect the two extensions. This way you would still be able to manage your passwords via Easy Passwords UI. Ideally, Easy Passwords would add a few commands to ChatZilla – register a nick, change password for an already registered nick, identify.
However, I’m not sure what a future-proof way of doing this would look like. Easy Passwords has been written in such a way that converting it to Web Extensions should be relatively easy. But once this is done it won’t have any way of messing with ChatZilla.
Does EasyPassword use the Firefox built-in system? Or do you store all in a separate database? I’ve been looking for an improvement in password management for a long time, but still I can’t find what I need. Your extension seems interesting but with some limits too.
And, above all, why not work on the native password manager instead of an extension? In that way all users can benefit from your work by default, and a sync platform is available for people who need it.
It has a separate database but it won’t usually store any passwords – only password metadata (name, length, character set) is stored, the password itself will be generated when needed.
If you read a bit further, the “native” password manager is a very different concept from what I wanted.
How is this any better than https://www.pwdhash.com/ , which has a Firefox add-on and Android apps?
Thank you for pointing me to this add-on, I overlooked it back when I did my survey of password generators.
Well, for one this extension is ancient and hasn’t really been updated much, so it isn’t restartless for example. It has no user interface, meaning no website aliasing functionality like I mentioned in my blog post – it guesses the relevant part of the domain name, and if the guess is wrong you are stuck. It also won’t remember what passwords you generated, so it is up to you to remember which websites you use generated passwords on. Only one password per site is possible, and if the generated password fails to meet the site’s criteria you are stuck. In other words, it fails to provide an answer to any of the issues I raised in this blog post.
Oh, and it is one of those password generators that messed up crypto. You shouldn’t use it, it simply isn’t safe. I’ll publish a blog post on security considerations for passwords generators soon.
“only one out of twenty password generator extensions for Firefox got crypto right”
Which one? ;)
Just give me a hint.
Don’t worry, this one still didn’t do a good job usability-wise – otherwise I wouldn’t waste time on Easy Passwords :)
I know, nothing is perfect and never will be. I wonder if I’m a lucky man using that safe one.
BTW: Does your ext save usernames?
Unlikely. The only password generator I found which has done its homework is called hash0 and has a total of 9 users.
Easy Passwords saves password names – I normally enter usernames there, simply as a reminder. However, it won’t currently fill in usernames as finding the username field on the page is non-trivial. But I’d like to add this feature eventually.
Never mind, I remembered the results of my survey incorrectly. There were more password generators that have good or at least okay-ish crypto.
There you go: https://palant.de/2016/04/20/security-considerations-for-password-generators#overview. The list has been somewhat updated, hash0 still comes out top however. UniquePasswordBuilder and masterpassword aren’t great but ok to be used IMHO. Everything else on that list isn’t recommendable.
My only problem with generated passwords is that sometimes I need to log in to a service when I’m not near my computer. I only use a desktop. If I have to log in from somewhere else, like my brother’s iPhone or something, I can’t. The other day I was at my uncle’s and wanted to log in to my phone service (I use an online one) but couldn’t remember the password.
These incidents are one off though. So I’m giving this a shot! Thanks for this read!
I guess I could create a website that you could use to generate passwords on those rare occasions (with warnings, not recommendable for the general use).
There you go: https://palant.de/easypasswords-online.html
Actually, this won’t really help you with your iPhone – Safari is a crappy browser and no other browser engines are allowed on the iPhone. With Android on the other hand it should work.
Would you publish the code for https://palant.de/easypasswords-online.html so that anyone could install it on their own server rather than entering their master password on an unknown site?
Ideally (it depends on the languages you used), I could transport it on my usb key with some kind of stand-alone server (or better as a self served page if it is possible).
Yes, I’ve been already thinking where I should put the source code for it. I guess I’ll create a gh-pages branch in the Easy Passwords repository and host the page on GitHub rather than my server. It’s a single webpage without any external resources, so copying it around is easy.
There you go: https://palant.github.io/easypasswords/online.html (it’s a pity however that HTTPS-only isn’t supported there).
I’m using Password Hasher for the moment but, as you pointed out in your survey, it’s very outdated and insecure. I would like to give EasyPasswords a try. The thing is, I switched from Firefox to Pale Moon several months ago because of the changes in Firefox that keep breaking some of my favorite addons. And also UI changes that I don’t like and added functionality like WebRTC or Pocket which I have no interest in. Anyway, EasyPasswords doesn’t support Firefox versions prior to 41 and therefore also not Pale Moon. Would it be too difficult to support it? I would be willing to invest some time in this but I have little to no knowledge about Firefox addon development.
Feel free to try the online version under https://palant.github.io/easypasswords/online.html – I bet that it doesn’t work in Pale Moon, meaning that supporting Pale Moon isn’t feasible. Problem is that Pale Moon uses an extremely outdated version of Gecko which the developers enrich with hand-selected changes (yes, they forked Gecko without having the resources to maintain it properly). The way I’ve seen it, they won’t have any interest in that “fancy new stuff” like WebCrypto API (similarly to how they’ve disabled lots of forward-facing stuff, like WebRTC).
You’re right, the online page doesn’t work because of lacking WebCrypto support. When I checked the Pale Moon discussion forum I read that it’s not supported not because it’s fancy new stuff but because crypto in the browser is inherently insecure. I’m not knowledgeable enough to discuss this technically but the chances of me going back to Firefox are pretty slim, so I’ll look at other solutions like SpiderOak Encryptr. Thanks.
Yes, that’s the usual level of discussions with Pale Moon – of course crypto in the browser can be insecure, but it doesn’t have to be. There are plenty of perfectly legit applications for WebCrypto, Easy Passwords being one.