Back in March 2006 I wrote about what I thought was a near-perfect solution to the problem of tracking passwords for any number of Web sites, internal or external— a bookmarklet-generating application from labs.zarate.org called GenPass.
I loved it, and still do, because the idea was so elegant: You added a "bookmarklet" (a piece of JavaScript code embedded in a bookmark) to your Web browser (Internet Explorer or Mozilla). Whenever you came to a Web site that needed a password, you clicked on the bookmarklet and typed a universal password.
That password would be hashed against the domain name using the MD5 one-way encryption algorithm, then used as the password for any logins at that domain. This way, you never needed to memorize more than one password, but the resulting password would be unique and secure for every domain you visited.
The best part was that all the calculations to create the new password were performed the bookmarklet itself never transmitted anything, and the generated passwords were not stored anywhere (except in your browser's auto-form fill-in function, if it's enabled).
As great as GenPass was, it was limited. So author Chris Zarate decided to stop working on the original GenPass, and has since released a new version called SuperGenPass which improves on the original in several ways.
Zarate has reworked how SuperGenPass identifies second-tier top-level domains. For instance, amazon.co.uk generates a different password than yahoo.co.uk.
Also, the way SuperGenPass handles the actual filling-in of password fields has also been changed. When you create the bookmarklet, you can elect to have the master password embedded in the bookmarklet itself or supply the master password every time you need to fill in a password field. If you choose the latter, you type the master password in a site's login page as you would normally—then invoke SuperGenPass, which generates the proper password and inserts it automatically into the proper field on the page. When this happens, the password field changes color (to bright green) as a visual cue. This way, you can distinguish SuperGenPass's behavior from, say, the auto-form-fill behavior in Internet Explorer or Firefox.
SuperGenPass bookmarklets can run in interactive mode. (I created one bookmarklet that runs automatically, and another that runs interactively and requires user input.) When you do this, SuperGenPass pops up a window onscreen that offers expanded options: You can show the password for the current domain, supply a new master password and regenerate the domain password, change the password length, and so on.
Some of the same limitations apply to SuperGenPass as before. It is not compatible with earlier versions of GenPass; any passwords generated with earlier versions of GenPass will not come out the same in SuperGenPass when you use the same master password. Finally, for the sake of security, it's probably best not to hard-encode the master password in the bookmarklet; if someone gets their hands on the bookmark, it's trivially easy from there to figure out how to use it.
About the author:
Serdar Yegulalp is editor of the Windows Insight, (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
