The problem is that every person has multiple web accounts, each requiring a password. You have several options:
- Remember all your passwords. That's hard, which is why people reuse the same password over and over.
- Use a password manager: a tool that saves all your passwords behind one master password.
- Use OpenId.
Well, using the same password everywhere (even if it is a strong password) is not a good idea: you put your trust in too many services, which might or might not keep it to themselves. OpenID seems to me the best solution; the problem is that many sites still don't support it.
The only option left for many sites is to use a password manager. That way, you only have to remember one random password. I thought about the two types of password manager I knew of at the time:
- Offline password managers, which save your passwords on disk. The problem is that they are not portable: you have to take the password file with you wherever you go.
- Online password managers, which store your passwords on the web. I have trust issues, and won't use this approach.
Both existing approaches are problematic, so I thought of a new one: dynamically creating the password for a given site from a hash of the master password and the name of the site. Something like this: site_password = HMAC(masterpassword, sitename)
As always, before implementing, I searched the web for existing solutions and found that my idea is already implemented in passwordmaker.org.
So I guess my approach was not new after all ;-). Anyway, I was still not satisfied: my main problem with passwordmaker.org is that it is too complex.
Also, this article describes problems with my scheme and suggests a modified hashing scheme to increase security.
The main problem the article presents is that, in this approach, if someone brute-forces the master password they can easily get all the other passwords (because there is no file to steal, and the generation algorithm is known).
Well, since the main user of this application is me, and I would choose a strong random password, I was not concerned. That's when I created my own hash-based password manager, which is easy to use (but don't use it with weak passwords!!). I used the same JS MD5 libraries as passwordmaker.org.
I also created a Python version (it's attached). You'll need PyGTK and PyGlade in order to run it.
TODO: add python code.
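As an added illustration (my code, not the attached Python version or passwordmaker.org's), here is the derivation described above, site_password = HMAC(masterpassword, sitename), in Python. It uses HMAC-SHA256 rather than the MD5 of the JS libraries, and the site-name normalisation, base64 encoding, length cap and the minimum master-password length are assumptions of this example.

```python
import base64
import hashlib
import hmac


def derive_site_password(master_password: str, site_name: str, length: int = 16) -> str:
    """Deterministically derive a per-site password from the master password.

    Nothing is stored on disk: the same master password and site name always
    give the same output, which is the whole point of the scheme (and also why
    a guessed master password reveals every site password at once).
    """
    # Normalise the site name so "Example.com " and "example.com" agree (assumption).
    site = site_name.strip().lower()
    # HMAC with the master password as key and the site name as message.
    # SHA-256 is this example's choice; the post's JS libraries used MD5.
    digest = hmac.new(master_password.encode("utf-8"), site.encode("utf-8"),
                      hashlib.sha256).digest()
    # Base64 gives a printable alphabet; drop '=' padding and cut to the site's limit.
    return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]


def master_password_acceptable(master_password: str, min_length: int = 16) -> bool:
    """Minimal guard for the post's warning against weak master passwords.

    The 16-character threshold is an assumption of this example; since every
    site password is a pure function of the master password, its strength is
    the only thing protecting all of them.
    """
    return len(master_password) >= min_length


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    if master_password_acceptable(master):
        for site in ("example.com", "example.org"):
            print(site, derive_site_password(master, site))
```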