Ingenious password manager

Stewart Stremler bofh at stremler.net
Sun Sep 26 00:24:04 PDT 2004


begin quoting Joshua Penix as of Fri, Sep 24, 2004 at 12:08:58AM -0700:
> You may still consider it useless, but I think John's point was that the 
> bookmarklet, a special implementation of the JavaScript code, is useful 
> inside a web browser because it auto-fills the password field for you.

Yes. I got that.

But if it's a reasonable place to have an account, you don't want to use
the autogenerated password, as you want to keep that account when the
domain-name changes -- and if you want more than one account, too bad...
That's what I meant by it breaking on 40% of the non-stupid accounts I
have -- either there are several accounts per domain, or the domain
has changed underneath me over the life of the account.

If it's a trash account -- such as for reading NYT -- there's reasons
to abandon any pretense at a "secure" scheme. You WANT to use a trash
password for those "Free Registrations", unless you happen to think that
they're A Good Idea.

> The workflow is:
> 
> 1) Browse to page with login
> 2) Click bookmarklet
> 3) Box pops up and asks for your password
> 4) Password field in form is automatically filled in using your 
> password, plus the appropriate MD5 for *that* site.
> 5) You're logged in and on your way

I got that.

It's just not that different from:

1) Browse to page with login
2) Browser auto-fills the fields if you've been there before
3) Click "Login" 
4) You're logged in and on your way

or, if you haven't been there before...

1) Browse to a page with login
2) Browser doesn't fill with anything
3) Click on "Register An Account Link"
4) Fill in information, padding offensive questions with noise
5) Pop up xterm, generate password with utility script, paste in
6) Record information somewhere [*]
7) Click "Submit"
8) Log in
9) Tell browser to Remember These Values

* Optional, but you may want to keep track of your lies if you're
  padding offensive questions with nonsense answers.

> That's integration you wouldn't necessarily have if you implemented the 
> same algorithm outside of your browser.
 
Well, the browser auto-fills the account and password for a web-page
anyway, if I tell it to do so.  So the average workflow is the same, 
except that now you've enabled javascript in your browser.... 

-Stewart "It's silly to talk about 'workflow' w/r to the WWW" Stremler
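
[Added example, not part of the original message and not the bookmarklet's own code.] A sketch of a domain-bound password derivation run outside the browser, showing the two cases raised above: a site whose domain changes, and a second account at the same domain. The construction (first 8 hex characters of MD5 over "master:domain"), the two-label domain rule and all URLs are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a login URL to the domain the password is bound to.

    Assumption: the last two host labels are used (naive; it ignores
    multi-part suffixes such as .co.uk).
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def derive(master: str, url: str, length: int = 8) -> str:
    """Assumed construction: first `length` hex chars of MD5(master:domain)."""
    material = f"{master}:{site_key(url)}".encode("utf-8")
    return hashlib.md5(material).hexdigest()[:length]


def report(master: str) -> dict:
    """Run the scheme over constructed URLs for the cases in the message."""
    login = "https://www.example.com/login"        # constructed sample URL
    first_account = derive(master, login)
    second_account = derive(master, login)         # same site, another account
    after_rename = derive(master, "https://login.example.net/")
    return {
        # Same domain always yields the same password (the scheme's purpose).
        "stable_for_same_site": first_account == derive(master, "http://example.com/"),
        # The domain is an input, so a renamed site derives a different
        # password and the existing account no longer matches.
        "survives_domain_change": first_account == after_rename,
        # No account name goes into the derivation, so a second account
        # at the same domain gets the identical password.
        "second_account_differs": first_account != second_account,
    }


if __name__ == "__main__":
    for name, value in report("constructed master phrase").items():
        print(f"{name}: {value}")
```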
