Easy Password Handler


tl;dr

I wrote a Chrome extension which enables the user to handle more secure passwords with ease. It's based on J. Coglan's great work, getvau.lt.

You can find it on GitHub, and you can also download the extension via the Chrome extension store.

Easy and safe web service passwords

After different attacks and breaches like the Adobe hack I wanted to find and use a more suitable way to get secure yet easy to remember passwords. Many people out there either use insecure and easy to guess passwords or (including me until now) try to use a system which derives some kind of service specific password from a master password or passphrase. It includes rules like adding parts of the service name, numbers and other characters in a special predefined way. Whilst having insecure passwords is bad for security, the alternative messes with your brain… You only remember the passwords you use often; most of them have to be rebuilt by your rule every time you have to use them. Another way is to do it like xkcd and use more memorable passphrases. But you still need more (in most cases way more) than one password to remember.

Tools like KeePass can save you the effort of remembering more than one password or passphrase while nevertheless having a different password for every service. But you still have to store these passwords somewhere. So in the (luckily unlikely) case that someone cracks your key's passphrase (or, what's more likely, the password safe's implementation), he or she gets all your passwords at once. Furthermore you have to install and use this tool on every device you are using, as well as synchronising the password safe itself across the different devices.

Comfort and security

Such tools (and others) are also able to generate passwords for a new service if you like. You cannot remember these passwords at all (ok, maybe one or two, but that's it). And most of them (at least the good ones) are hard to guess for a computer, too.

Now what if you regenerated the password every time you have to use it, based on your passphrase and a service specific salt? First, you would still need a tool doing that job. A (web) service providing only client side (JavaScript) code serving a form to generate the password would not even require an active internet connection and could be used within every browser. And yes, you should make sure that there is no (asynchronous) network connection, though. You might use an algorithm like PBKDF2 or bcrypt for that job. Even if an attacker cracks the service's database and reaps your password (which normally should be stored as a hopefully salted hash there!), you only have to change this service's password. Which you can achieve easily by changing the salt (or the passphrase).

Tools like supergenpass, getvau.lt and mawud can do that job for you. For more explanation and comparison you might want to visit ss64.com.

I like getvault the most, which is available on GitHub, too. So I took the vault library and wrote a Chrome extension called Easy Password Handler providing a popup for every password field, enabling me (and maybe you) to use the password generator within the site, right at the place you need it.

How it works

There are still some issues with special password rules for some services, which by now are solved by a short password service rule or a configurable character overwrite as part of the Easy Password Handler overlay.

Allowed or required characters, the desired password length, the default salt method (like prefix, suffix or login name) and auto submit after generating the password can be configured through the extension's options. With a recent update, using password rules for specific sites and creating them yourself is also possible.

For now it's Chrome/Chromium only, but I will work on Firefox and Safari support as soon as I have some spare time.

I implemented an Android application based on the Easy Password Handler extension as well and published it in the Play Store.