Frequently asked questions

Why should I use SuperGenPass?

If you’re like most people, you use the same password for all your Web site accounts. This is certainly convenient, but it’s also risky: if just one of your passwords is compromised—either by a hacker or by someone who guesses your password—they could use it to gain access to your other accounts across the Web.

The solution, of course, is to use different passwords at each Web site. But how? Memorizing them all is probably out of the question. You could write them down on a piece of paper, but you’d need to remember to take it with you to work and on trips, and it could be easily lost or stolen. You could use a password manager like 1Password, but it would need to be installed on each machine you use, and that’s not an option on public computers. Password managers are also vulnerable to data loss and spyware.

Enter SuperGenPass. It works right from your Web browser and integrates with login forms. You remember one password (your “master password”), and SuperGenPass uses it to generate unique, complex passwords for the Web sites you visit. Your generated passwords are never stored or transmitted, so you can use SuperGenPass on as many computers as you like without having to “sync” anything.

How does SuperGenPass work?

SuperGenPass is a bookmarklet. A bookmarklet is a chunk of JavaScript code stored in your Web browser as a bookmark or favorite. There’s no software to install, so you can use SuperGenPass across all platforms, in any modern Web browser, and on a number of smartphones. It also makes it easy to use across multiple computers, and even on public computers where access rights may be restricted.

SuperGenPass uses your master password and the domain name of the Web site you are visiting as the “seed” for a one-way hash algorithm. The output of this algorithm is your generated password. If either your master password or the domain name of the Web site changes, even by one character, the generated password will be drastically different.

For example, let’s say that your master password is “cornflakes”. If you use SuperGenPass at yahoo.com, your generated password will be “r9AQeOhBgU”. If you use SuperGenPass at amazon.com, your generated password will be “zcbEm1t32B”. SuperGenPass doesn’t need to remember or store any of this, because the result is just the output of a deterministic calculation: the same inputs always produce the same password. And because SuperGenPass uses a one-way hash function, a generated password cannot be turned back into your master password. (The hash does not stop anyone from guessing, though: someone who obtains a generated password and knows the domain can still try likely master passwords one by one through the same calculation, which is why the master password itself must be hard to guess.)

What are some unique features of SuperGenPass?

When generating passwords, SuperGenPass ignores subdomains and only uses the primary domain name of the website. This ensures that the same password is generated at www.domain.com, login.domain.com, and domain.com, no matter where you are on the site.

SuperGenPass also provides some degree of phishing protection. Suppose you receive a phishing attack—for example, an e-mail that purports to be from Amazon but is actually from a malicious hacker trying to steal your password. It sends you to a page that’s set up to look like Amazon.com and has a similar URL (say, “www.amaz0n.com”), and includes a login form. Using SuperGenPass at this malicious Web site with your master password (“cornflakes”), your generated password is “uc15yrcmqI”. Compare with the previous example: though the master password is the same and the domain name is only slightly different, SuperGenPass generates a completely different password. Even if you are fooled by the phishing attack and attempt to log in to the impostor website, you haven’t sent your real password. This protection is tied to the domain name, not to what the page looks like: a page served from the real amazon.com (or any of its subdomains) receives the real password, so it does not replace checking where you are.

Will I need to change all of my passwords?

Yes! You will need to change the passwords for your existing Web site accounts to match what SuperGenPass generates. It’s worth it!

Remember, SuperGenPass is not compatible with any other password generator, including my earlier project, GenPass.

How complex are the generated passwords?

In order to resist dictionary attacks while retaining compatibility with Web site password requirements, all passwords generated by SuperGenPass:

SuperGenPass generates these complex passwords from even the simplest master passwords—but that doesn’t mean you shouldn’t choose a secure, hard-to-guess master password. Your master password is the key to all your passwords. Guard it.

Site X has different password requirements!

SuperGenPass is designed to comply with the password requirements of the vast majority of Web sites. However, there will always be a small number of exceptions. It is best to memorize alternate passwords for the rare exception or two, and use SuperGenPass for all other Web sites.

Site Y requires me to change my password every month!

This is actually a great use for SuperGenPass. Most sites like this compare your new password to your previous passwords, so using a counter (e.g., “password1”, “password2”) will not work. But with SuperGenPass, using a counter suffix with your master password works beautifully.

For example, let’s say you’ve chosen “cornflakes” as your master password, and that mybank.com requires you to periodically change your password. At mybank.com, use “cornflakes” plus a counter suffix as your master password, and increase it by 1 each time you need to change your password (e.g., “cornflakes1”, “cornflakes2”). This small change in your master password generates a drastically different password that will pass any password-history check. Your master password does not change; you only need to remember the current counter suffix when logging in to mybank.com.

Will SuperGenPass work in my Web browser? What about the iPhone?

SuperGenPass works in just about every modern Web browser. Technically speaking, it requires a browser that supports JavaScript and the DOM. It works on many smartphones, including the iPhone / iPod Touch (bookmark SuperGenPass in Safari and sync your bookmarks through iTunes). Some smartphone browsers limit bookmark length, so you might need to use the Internet Explorer version.

Some browsers—most notably, Internet Explorer and some versions of Safari and Opera—place a limit on the length of bookmarks and favorites. Since the code for SuperGenPass exceeds this length, versions for those browsers download this JavaScript file each time you use SuperGenPass. Only generic JavaScript code is downloaded, and no information is ever transmitted to this or any other Web site. Bear in mind that a version which fetches its code on every use is only as trustworthy as the server hosting that file and the connection to it, whereas the full-length bookmarklet carries the whole program inside the bookmark and fetches nothing. (Internet Explorer may also prompt you with a security message when you add SuperGenPass to your favorites. This is typical of all bookmarklets and can safely be ignored.)

If you are unsure if your Web browser supports long bookmarks, try the Firefox version. If SuperGenPass fails to load, then use the Internet Explorer version.

Remember, you can always use the mobile version if your browser doesn’t support SuperGenPass or if you’re stuck at an ancient terminal.

Do I have to type my master password every time I use SuperGenPass?

You really should. Entering your master password each time is the only way to take full advantage of the security that SuperGenPass offers. When using SuperGenPass on a public or untrusted computer, this is the only option you should consider.

There are, however, two alternatives offered on the “Customize SuperGenPass” page.

The first alternative—enter your master password each time, but use a hash to verify it—is also reasonably safe, but it stores a multi-iteration hash of your master password in the bookmarklet. This, in effect, prevents you from mistyping your master password, which is a valuable safety mechanism. While the hash cannot be used to reverse-engineer your master password directly, it can be used to mount an offline dictionary or brute-force attack: anyone who obtains a copy of your bookmarklet can test guesses against the stored hash at leisure, and given enough time a weak master password will be recovered. For maximum security, this option should only be employed on trusted computers.

The second alternative—hardcode your master password into SuperGenPass—is the least secure, and should never be considered safe in any way. This option is provided only for the convenience of the many users that have requested it, but let me be clear: I cannot recommend this option under any circumstances. While elementary steps are taken to mask your master password, it is more or less stored directly in the bookmarklet. This means that: (1) it is stored on your computer’s hard drive, where it is vulnerable to spyware and other exploits; (2) anyone with physical or remote access to your computer can easily generate passwords without knowing your master password; and (3) anyone with physical or remote access to your computer can, with limited effort, extract your master password for later use. Again, I cannot recommend this option, as it effectively negates many of the security advantages that SuperGenPass provides. Don’t do it!

Why should I trust SuperGenPass? What happens if your site goes down?

SuperGenPass is open source. There is only one developer, but the source code is freely available and is regularly reviewed by independent programmers. From an architecture standpoint, SuperGenPass is just a complicated math problem and is completely agnostic towards your passwords. All calculations are performed by your computer and no data is ever transmitted or stored anywhere.

While my hosting service is generally very reliable, there are rare outages. If you use the Internet Explorer version and you are concerned about outages, the “Customize SuperGenPass” page allows you to specify a different location for the hosted JavaScript file—your own server, the Coral cache, or the Google Code repository. I also recommend that you save a copy of the mobile version to your hard drive in case you need to generate a password while offline.

Is SuperGenPass available in other languages? Can I translate it?

SuperGenPass has been translated into French by Éric Desfonds, into Spanish by Fernando P. Nájera Cano, into Brazilian Portuguese by Flavio Suárez, into German by Christian Debertshäuser, into Traditional Chinese by LHK, and into Hungarian by Mikola Ákos. They deserve considerable appreciation and thanks for their efforts.

If you would like to translate SuperGenPass into another language or provide improvements to an existing translation, I will be more than happy to put everything together and host it on this Web site. Download the key terms and copy and return them to me with the formatting and numbering intact.

Is SuperGenPass free?

SuperGenPass is completely free of charge. If you encounter anyone charging for it, please let me know immediately.

Technical details, advanced options, and acknowledgments

Hash algorithm

SuperGenPass uses a one-way hash algorithm (MD5, with the 128-bit digest Base64-encoded) to generate your passwords. In order to generate a unique hash for each site, it concatenates your master password and the domain of the Web site and hashes the result at least ten times.

You may have read about weaknesses in MD5, such as collision attacks and precomputed hash databases, but neither applies directly here. A collision attack produces two inputs with the same hash, which does not help someone who holds a generated password and wants the input that produced it. Precomputed tables are defeated because the domain name is hashed together with the master password, so the input differs at every site, and the result is re-hashed ten or more times. Truncating the 24-character hash to the length a site accepts also means that a captured site password reveals only part of the digest. None of this protects a weak master password, however: given a generated password and the domain, an attacker can simply try likely master passwords through the same calculation, so the strength of your master password remains the real limit.

Advanced options

Many users have requested the ability to program additional password “salt” into the SuperGenPass algorithm. You can enable this advanced option by following this link to the “Customize SuperGenPass” page. Your “stealth password” is hardcoded into your bookmarklet and functions as additional salt. It is concatenated onto the end of your master password each time you run SuperGenPass.

Take care when using this advanced option, since your stealth password is just as important as your master password—your passwords cannot be generated without both of them. If you employ a stealth password, you must remember it—not a trivial concern, since you will seldom type it—and employ it whenever you need another copy of the SuperGenPass bookmarklet.

When using the mobile version, there is no field for your stealth password, so simply concatenate it onto the end of your master password.

Change log and archive

Read the change log for notes about changes between versions. Previous versions of SuperGenPass are available in the archive.

Important notice: Prior to version 2.0, SuperGenPass did not have full support for non-ASCII characters. As a result, some extended characters were not fully incorporated into the hash algorithm. With the approaching mainstream adoption of Unicode domains, it was important to fix this bug. If your master password or a domain name contained non-ASCII characters, version 2.0 may now generate different passwords than earlier versions of SuperGenPass!

Acknowledgments and license

SuperGenPass owes a great debt to Paul Johnston, who wrote the JavaScript implementation of MD5, and to Nic Wolff, who wrote the original bookmarklet password generator.

My contributions, such as they are, are released under the GNU General Public License.

Source code / pseudo-code

Source code can be viewed directly by examining the bookmarklet. There is also a Google Code repository. If you have questions about how SuperGenPass works, please visit the SuperGenPass Google Group.