

Password Chart - superberliner
http://www.passwordchart.com/

======
nuclear_eclipse
SuperGenPass is a much better, simpler, and safer alternative, IMO.

<http://supergenpass.com>

~~~
gojomo
By typing the master password into the destination form, then replacing it,
the master is potentially revealed to any target site that might use JS/AJAX
to view the password before form submission. So, this is not helpful against
the "one bad (or compromised) site steals my master password" threat.

If SuperGenPass were to pop its own window, calculate the site-specific
complex password, then insert that into the form, it could probably be safe --
but would still need very careful design. (Once a bookmarklet starts
interacting with a page, it might reveal its internal state to that page.)

~~~
nuclear_eclipse
Yes, that is still a threat, and I would love to see SGP's algorithm make it
into native addons for Firefox, Chrome, etc, triggered by a hotkey or toolbar
button. However, my initial attempt fell flat when trying to wade through XUL,
just didn't have enough time...

And if you're really that worried about a new site, the mobile version can be
saved to your local disk and opened in a separate tab, and then copy-paste the
generated password into the site in question.

------
dfranke
I glanced over the JS source and didn't find any evidence that the site is
malware. Unfortunately, that's about the best thing I have to say about the
security of using this method.

~~~
bgraves
What are some negatives to using a security method like this?

In my mind, it's just a way to come up with "hard to guess, but easy to
remember" passwords.

~~~
dfranke
1. The biggest negative is that there are no positives: as TimMontague
already pointed out, you might as well just use phrase + password as your
password. To anyone who knows about this site, the output is no more secure
than the input.

2. The cipher used is laughably weak. Given a sufficiently large output
string (and sufficiently large is not large at all), it's trivial to
brute-force the seed used to generate the substitution chart and determine the
input password.

3. See my other comment on MITM attacks.

------
aw3c2
_Use
undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined
as your password._

That happens if Cookies are disabled.

------
bgraves
Wow! I've actually been trying to come up with a secure, but
easy-for-me-to-remember password scheme.

What I wanted to build was a password generator which takes a username and
domain as inputs and spits out a pseudo-random password.

Something like: bgraves & ycombinator.com & salt = ybcgormabviensator#salt

The problem for me is that I use very hard to guess passwords, generated by my
password database program (KeePass). Now I have no idea what those PW's are
and rely solely on KeePass to keep track, which isn't available on my
workplace PC (and, no, syncing my password DB between environments is not
permitted.)

This site may be what I was looking for, and it even looks like it's in JS to
prevent most MitM attacks!

Thanks HN!!

~~~
dfranke
> even looks like it's in JS to prevent most MitM attacks!

The JS is delivered over cleartext HTTP. A MITM attack can substitute
malicious JS code that will deliver your password to a third-party server.

~~~
bgraves
Not if you just save the JS file to your local machine, right? There's no HTTP
involved in that case (which is precisely how I intended to use it).

~~~
dfranke
Provided that the code is intact when you initially retrieve it, that solves
the MITM issue. But then you're tied to that computer, and if that's
acceptable, then you're far better off just using a password-keeper that uses
real crypto.

------
zitterbewegung
Another easier and more secure is to use a sha1 hash on every password you
generate and just use that as your password.

~~~
ErrantX
It depends what you're defending against and what your original password is.

If the purpose is to turn a short password into something more secure it is
pointless. As tptacek is always saying; Sha1 is cheap. It is trivial to
incorporate it into an attack :)

You're better off choosing a random long sentence as your password. Easier to
remember and much more secure.

------
arghnoname
I use a form of the Vigenère cipher that is simple enough that I can
'get' my passwords with a pen and paper (I've had to do this before for public
terminals), but is also made less cumbersome with a simple little utility.

It isn't cryptosecure or anything, obviously, but it works well for my
purposes. I've never been entirely comfortable with using someone else's web
site or a password database (well, I use a password database at home, for
example, but I have to have access to passwords remotely).

------
dantheman
I think this is an incredibly bad way to create passwords; at any given
moment they could swap out the JS so that it phones home and then boom, you're
insecure.

~~~
bgraves
It's incredibly simple to save the JS files + HTML file to your local machine
and run it locally.

~~~
ashishbharthi
Or create an iphone/android app for yourself.

------
dugmartin
Hey folks - I'm the creator of passwordchart.com. A friend just alerted me to
the submission here - I guess I picked the wrong day to try to get things done
and ignore HN yesterday.

I built passwordchart.com four years ago after reading a comment on Slashdot.
It got me thinking about building a simple form of a personal one time pad
that could be regenerated via memorable phrase. The interactive password part
is really just there to show how to use the chart.

Finally, for a data point for others wondering what a post on HN means for
traffic, I normally get around 300 to 350 visitors per day. Yesterday there
were 5623 visitors and so far today Google Analytics is reporting 1333
visitors.

------
TimMontague
Why not just use the phrase+password as a password?

~~~
e1ven
Because that doesn't give you security if the site is compromised. For
example, if my Phrase+password combination is RootGod+Facebook.com it wouldn't
take very long for someone to realize that RootGod+Gmail.com would also likely
work there.

~~~
pyre
I thought that the Password+Site combo assumed the usage of SHA1 or MD5,
though I know that this doesn't work for some sites (with max password
limits). Maybe CRC32 in those cases?

~~~
dfox
CRC32 is a bad way to hash anything. If you want a secure hash of some obscure
length, just truncate the output of, say, SHA-256 (by the way, SHA-224 is
exactly this: truncated output of SHA-256).

------
est
I use long and complex mathematical/physics/chemistry formulas as passwords.
They're easy to remember, good for practicing your memory and very hard to
crack (since they contain letters, numbers and special chars).

------
nas
Ugh, garbage. Use a HMAC with a master password and a parameter (e.g. the site
name) to generate a site specific password. Forget about shitty crypto.

My humble attempt (based on others work): <http://python.ca/nas/tmp/pw.html>

Edit: just to be clear, the page linked above needs to be hosted on a server
you trust and served by something like SSL. Do not use it directly over HTTP
and expect some security.
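The HMAC scheme nas describes, combined with dfox's point about truncating a SHA-256-family output for length-limited sites, as an added example that is not part of the thread or of the page nas links. The PBKDF2 stretching step, the `SCHEME_LABEL` salt and the iteration count are my assumptions, added because (as ErrantX notes above) a fast unsalted hash is cheap to attack if one derived password ever leaks.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed, public label used as the PBKDF2 salt; it only binds the
# stretched key to this scheme so the same master is not reused elsewhere.
SCHEME_LABEL = b"site-password-derivation-v1"
PBKDF2_ITERATIONS = 200_000  # assumed work factor, tune for your hardware


def normalize_site(site: str) -> str:
    """Canonicalise the site parameter so 'WWW.Example.com ' and
    'example.com' derive the same password."""
    site = unicodedata.normalize("NFKC", site.strip().lower())
    return site[4:] if site.startswith("www.") else site


def stretch_master(master: str) -> bytes:
    """Slow down offline guessing of the master password: a raw HMAC-SHA256
    is cheap, so one leaked derived password would let an attacker test master
    candidates at full hash speed. PBKDF2 makes each guess cost many hashes."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                               SCHEME_LABEL, PBKDF2_ITERATIONS)


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """HMAC-SHA256(key=stretched master, msg=normalised site), base64-encoded
    and truncated to the site's maximum length. Truncation is what dfox
    suggests for length-limited sites (SHA-224 is itself a truncated SHA-256);
    a truncated HMAC output stays unpredictable without the key."""
    if not 8 <= length <= 43:  # a 32-byte MAC is 43 base64 chars sans padding
        raise ValueError("length must be between 8 and 43")
    key = stretch_master(master)
    mac = hmac.new(key, normalize_site(site).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for site in ("news.ycombinator.com", "WWW.Example.com", "example.com"):
        print(f"{site:22s} {derive_site_password('correct horse battery', site)}")
```

Because the derivation is deterministic, changing the master password changes every site password at once; that is the trade-off any stateless generator (SuperGenPass, PasswordMaker, this one) makes compared with a stored password database.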

------
biotech
See also PasswordMaker: It has extensions supporting several browsers and a
javascript version as well.

PasswordMaker uses your password and the website domain name to generate a
unique password.

<http://passwordmaker.org/>

------
pedalpete
Not quite sure, but I'm assuming this is recommended for local system
passwords, rather than web based passwords?

I can't imagine actually getting people to remember (and enter) strings like
p?7J9 _J_ J4M^E97J*J7J into a password field.

Or am I using it incorrectly?

------
Pistos2
This seems like too much work, to me. I'll stick with the "easy for you to
remember, but difficult for others to guess" rule for making my passwords.
I've never used password generators because I want to be able to log in away
from home or work.

------
anthonyb
"Use EJCKVpVpqdGUDCQgHVwWkc as your password."

Yeah, I don't think so somehow.

------
grumpyfart
Why the hell would one open a website to choose a password and serve it over
cleartext (HTTP)?

Isn't that ironic? Trying to make something secure by actually making it
totally insecure?

(Before someone jumps, even if it's JS it doesn't mean safe against MITM, as
someone can inject JS before it loads and send all keystrokes to another
server.)

~~~
jexe
Seems like the real threat here is training a user that it's ok to use third
party web sites to tell them what password to use. That's a very bad habit.

