Managing passwords with PasswordMaker: Know your settings!

by jgn on Monday, December 31, 2007 in Technology

I have long been a fan of PasswordMaker (http://passwordmaker.sourceforge.net/).

It generates a hash based on a domain (e.g., google.com) and a secret that you know (e.g., "topsecretpassword"), and that hash becomes your password. You typically use the same secret with all sites, though you could vary this. PasswordMaker then generates a password of a standard length and character set, based on the hash algorithm you use. So far, so good. It has a great Firefox plugin, and there are versions for the command line, as a Yahoo widget, etc. The Firefox version provides a hot key, ALT-`, which opens PasswordMaker and lets you enter your master password; the password field you're typing in then gets pre-populated. There is also a JavaScript version, which is what this post is about.

So: the things you want to make careful note of are the standard settings: the number of characters you desire, the algorithm, and the character set. I, for instance, have found that numerous sites do not allow characters outside the A-Z, a-z, 0-9 range (why, I know not). So I use a relatively constrained character set (but a longer password length). Some sites even restrict the number of characters, which is a shame, because if password generation is automatic, you might as well use 128 characters, 196 characters, whatever turns you on.

Why do you want to note all this stuff? I traveled over the holiday and left my laptop at home, and without MY Firefox with my PasswordMaker with my settings, I was hobbled. I couldn't remember my character set, etc. So you should keep those passwords.

Indeed, I would strongly recommend downloading the JavaScript version, and editing the code so that when you bring the page up from your hard drive (or from SVN . . .) you can quickly type in your master password and get the domain-specific hash without the Firefox plugin. Or you might put this page on a web site you control so that if you're away from your tricked-out browser, you can still generate a hash when you need one.
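Why the settings matter, as an added JavaScript (Node.js) example that is not PasswordMaker's code and does not reproduce its real derivation or output: the same master password and domain only regenerate the same password when the algorithm, length and character set are restored as well. The HMAC construction, the function names and the sample settings are assumptions made for illustration.

```javascript
// Added illustration; NOT PasswordMaker's code or its real derivation.
const crypto = require("node:crypto");

// The three settings the post says to write down (constructed sample values).
const SETTINGS = {
  algorithm: "sha256",
  length: 20,
  charset: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
};

// Derive a per-site password from a master secret, a domain and the settings.
function derivePassword(master, domain, { algorithm, length, charset }) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("bad length");
  if (charset.length < 2 || charset.length > 256) throw new RangeError("bad charset");
  // Bytes at or above `limit` are skipped so every character is equally likely.
  const limit = 256 - (256 % charset.length);
  let out = "";
  for (let counter = 0; out.length < length; counter++) {
    // One HMAC block per counter value, keyed with the master secret.
    const block = crypto.createHmac(algorithm, master)
      .update(`${domain}\n${counter}`).digest();
    for (const byte of block) {
      if (byte < limit && out.length < length) out += charset[byte % charset.length];
    }
  }
  return out;
}

// Settings contain no secret, so they can be written down or kept in a file.
function exportSettings(settings) {
  return JSON.stringify(settings);
}

// Restore a settings record and reject an algorithm this runtime lacks.
function importSettings(json) {
  const { algorithm, length, charset } = JSON.parse(json);
  if (!crypto.getHashes().includes(algorithm)) throw new Error("unknown algorithm");
  return { algorithm, length, charset };
}

// Constructed sample run: settings restored from the record vs. one guessed wrong.
const restored = importSettings(exportSettings(SETTINGS));
console.log(derivePassword("topsecretpassword", "google.com", restored));
console.log(derivePassword("topsecretpassword", "google.com", { ...SETTINGS, algorithm: "sha1" }));
```

In this sketch a different length only truncates or extends the same character stream, while a different algorithm or character set changes every character.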
