WINDOWS DESKTOP SECURITY TIPS

Universal password tool gets update in SuperGenPass


Serdar Yegulalp, Contributor
05.16.2007

Back in March 2006 I wrote about what I thought was a near-perfect solution to the problem of tracking passwords for any number of Web sites, internal or external: a bookmarklet-generating application from labs.zarate.org called GenPass.

I loved it, and still do, because the idea was so elegant: You added a "bookmarklet" (a piece of JavaScript code embedded in a bookmark) to your Web browser (Internet Explorer or Mozilla). Whenever you came to a Web site that needed a password, you clicked on the bookmarklet and typed a universal password.

That password would be hashed together with the domain name using the MD5 one-way hash algorithm, and the result used as the password for any logins at that domain. This way, you never needed to memorize more than one password, but the resulting password would be unique and secure for every domain you visited.

The best part was that all the calculations to create the new password were performed in the browser; the bookmarklet itself never transmitted anything, and the generated passwords were not stored anywhere (except in your browser's auto-form fill-in function, if it's enabled).

As great as GenPass was, it was limited. So author Chris Zarate decided to stop working on the original GenPass, and has since released a new version called SuperGenPass, which improves on the original in several ways.

Zarate has reworked how SuperGenPass identifies second-tier top-level domains. For instance, amazon.co.uk generates a different password than yahoo.co.uk.
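
The hashing scheme and the second-level-domain handling described above, sketched as an added example (not SuperGenPass's own code). The `master:domain` input layout, base64 output, 10-character length and the short suffix list are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed, deliberately short list of second-level suffixes (assumption);
// a real tool needs a far fuller list, such as the Public Suffix List.
const SECOND_LEVEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'co.jp']);

// Naive reduction: always keep the last two labels of the hostname.
// For amazon.co.uk and yahoo.co.uk this yields "co.uk" in both cases.
function naiveDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Suffix-aware reduction: keep three labels when the last two form a
// known second-level suffix, otherwise keep two.
function siteDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = SECOND_LEVEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Hash the master password with the reduced domain using MD5, as the
// article describes. Input layout and output encoding are assumptions.
function sitePassword(master, hostname, reduce = siteDomain, length = 10) {
  const digest = crypto
    .createHash('md5')
    .update(`${master}:${reduce(hostname)}`, 'utf8')
    .digest('base64');
  return digest.slice(0, length);
}

// Constructed sample input: one master password, two sites under .co.uk.
const MASTER = 'constructed-master-password';

function compare(reduce) {
  const amazon = sitePassword(MASTER, 'www.amazon.co.uk', reduce);
  const yahoo = sitePassword(MASTER, 'uk.yahoo.co.uk', reduce);
  return { amazon, yahoo, collide: amazon === yahoo };
}

console.log('naive reduction       :', compare(naiveDomain));
console.log('suffix-aware reduction:', compare(siteDomain));
```

With the naive reduction both sites receive the same derived password, so a credential captured at one site is valid at the other; the suffix-aware reduction keeps them distinct while still mapping every host under one site to the same password.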

The way SuperGenPass handles the actual filling-in of password fields has also been changed. When you create the bookmarklet, you can elect to have the master password embedded in the bookmarklet itself or supply the master password every time you need to fill in a password field. If you choose the latter, you type the master password in a site's login page as you would normally, then invoke SuperGenPass, which generates the proper password and inserts it automatically into the proper field on the page. When this happens, the password field changes color (to bright green) as a visual cue. This way, you can distinguish SuperGenPass's behavior from, say, the auto-form-fill behavior in Internet Explorer or Firefox.

SuperGenPass bookmarklets can run in interactive mode. (I created one bookmarklet that runs automatically, and another that runs interactively and requires user input.) When you do this, SuperGenPass pops up a window onscreen that offers expanded options: You can show the password for the current domain, supply a new master password and regenerate the domain password, change the password length, and so on.

Some of the same limitations apply to SuperGenPass as before. It is not compatible with earlier versions of GenPass; any passwords generated with earlier versions of GenPass will not come out the same in SuperGenPass when you use the same master password. Finally, for the sake of security, it's probably best not to hard-code the master password in the bookmarklet; if someone gets their hands on the bookmark, it's trivially easy from there to figure out how to use it.

About the author:
Serdar Yegulalp is editor of Windows Insight (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

All Rights Reserved, Copyright 2008 - 2009, TechTarget