Clever password -> website -> password salting scheme

This is quite clever (as long as you are vigilante);

http://supergenpass.com/

You know the deal, you need to create a new account and have to supply username, email and password to do so.  You may have learned or heard that it is NOT a good idea to use the same password for different sites (if one gets compromized ALL your logins would thus be vaunerable), but also you really can’t remember 1031 different passwords…  well SuperGenPassword.com CAN help you with this!?

What is does is quite simple you enter sitename (the url/site you are creating the login for) and password (your generic/master password) into SuperGenPassword and viola it provides you with a “unique” password for the site – the clever part is that you wont have to remember this password!?  You simply remember the generic/master password, and next time you visit the site you use SuperGenPassword to generate the password you need for the site..  This is done simply by hashing (http://en.wikipedia.org/wiki/Hash_function) the site/url salted (http://en.wikipedia.org/wiki/Salt_(cryptography)) with your generic/master password.

Lets take an example;

Password on url test.dk become l5zuZo0qa2
Password on url test.com become eipalNBj0T
Secret on url test.dk become nY8BEihJsR
Secret on url test.com become dXt1E8tILH

As you can see the same password makes a different hash depending on the url.

Now SuperGenPassword even offers some clever scripting shortcut so you can generate these passwords automatically and insert them into the password field on web-sites, I would advice against this as the scripting they use has been proven to be vaunerable to interception by malicious sites/scripts which can thus obtain your generic/master password.  Instead use http://supergenpass.com/mobile/ their mobile solution and generate the password manually in a different tab and paste the password into the site you wish, a bit more work but a lot more security..  also a good trick is to pad the password with a “pin”, lets say the hash from the data you entered into http://supergenpass.com/mobile/ become dXt1E8tILH – then normally you would use this as the password – however if you add padding to the start eg. added TOAD to the beginning the “final” password would thus become  TOADdXt1E8tILH, thus even if someone found out you were using SuperGenPass and somehow got hold of your password then it would be useless for them as only you would know to add TOAD to the password generated by SuperGenPass.

Here is a YouTube video that explain a bit about SuperGenPass, note that he is USING the scripting which I advice you do NOT.. But you may get the idea a bit better though..

So DO NOT use the script, use http://supergenpass.com/mobile/ instead..

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *