Seems neat, but there are many similar utilities. See http://supergenpass.com/ which has been around at least a decade.
Personally, I prefer an encrypted password database like KeePass. Combine it with Dropbox and you have a free, secure password system that is also accessible from multiple computers.
> Now I know I don't need to reset passwords everywhere.
Unless, of course, your Reddit password is for some completely inexcusable reason the same as another password you have somewhere else, in which case you ought to be changing them on general principles.
Getting your Reddit password stolen would be a pain. Having it then unlock your email and your Steam accounts would be a bleedin' tragedy.
There's an awesome little applet SuperGenPass to save you remembering lots of passwords: one master password auto-generates p/ws for other websites based on the URL. Much nicer than using hunter2 on everything...
My computer's word list is 98569 words long. If I constructed a passphrase out of completely random words from that word list, I'd get about 16.5 bits of entropy per word. E.g., I just generated "bemusing mulishly decenter", which would theoretically have about 50 bits of entropy.
Most passphrases won't be random word selections, but will be focused around more commonly used words and incorporate grammar. This decreases the entropy density significantly. Claude Shannon determined the entropy density of English text to be 0.6 to 1.3 bits per character.
In comparison, pwgen probably generates passwords with about (I'm eyeballing it here) 3 or 4 bits of entropy per character. If you randomly chose letters+numbers+punctuation to make a password out of, you'd get about 5 bits of entropy per character, but since pwgen makes it pronounceable you get a wee bit of redundancy in there.
Your password of paeshoah(oh5Qui would probably be around 50 bits of entropy (again, just a rough guesstimate). Security-wise this would put it roughly on par with a system that developed a passphrase of "bemusing mulishly decenter" but much more secure than a system that developed a passphrase of, for instance, "this is an example passphrase".
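The entropy arithmetic in the comment above, as an added example (not code from the thread or from pwgen): it computes bits per random word for a word list of a given size, bits per character for a random character set, the Shannon-style estimate for ordinary English, and picks a passphrase with a CSPRNG. The word list is a constructed stand-in for the 98569-word system dictionary mentioned above.

```python
import math
import secrets

# Constructed tiny word list standing in for a system dictionary; the comment
# above used one with 98569 entries. Picking uniformly from a list gives
# log2(size) bits per word no matter how "wordy" the words look.
SAMPLE_WORDS = ["bemusing", "mulishly", "decenter", "harbour",
                "quartz", "lantern", "vivid", "ember"]


def bits_per_word(wordlist_size: int) -> float:
    """Entropy of one uniformly random pick from a list of this size."""
    return math.log2(wordlist_size)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n independent uniform picks (the 3-word example above)."""
    return n_words * bits_per_word(wordlist_size)


def random_string_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random string over a charset, e.g. 95 printable ASCII."""
    return length * math.log2(charset_size)


def english_text_bits(n_chars: int, density: float = 1.0) -> float:
    """Shannon's estimate for ordinary English: 0.6 to 1.3 bits per character,
    which is why a grammatical sentence is far weaker than random words."""
    if not 0.6 <= density <= 1.3:
        raise ValueError("density outside Shannon's 0.6..1.3 range")
    return n_chars * density


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """How many random words from this list reach a target entropy."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def generate_passphrase(n_words: int, words=SAMPLE_WORDS) -> str:
    """Random-word passphrase. secrets.choice is the CSPRNG pick;
    random.choice would make the entropy figures above meaningless."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(f"3 words from 98569: {passphrase_bits(3, 98569):.1f} bits")
    print(f"15 random printable chars: {random_string_bits(15, 95):.1f} bits")
    print(f"29-char English sentence (1.3 b/char): {english_text_bits(29, 1.3):.1f} bits")
    print(f"words needed for 50 bits: {words_needed(50, 98569)}")
    print("sample:", generate_passphrase(3))
```

The 15-character random figure (about 98 bits) is the upper bound for a string like the one above; pwgen's pronounceability constraint is what pulls it down toward the 50 bits the comment estimates.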
For storing unique passwords for each site, you may want to look into something like SuperGenPass. It never stores your passwords (either encrypted or otherwise), but uses a one-way hash based on a base password and the name of the site to determine a unique password for each site.
From http://supergenpass.com/faq/#Features
"When generating passwords, SuperGenPass ignores subdomains and only uses the primary domain name of the website. This ensures that the same password is generated at www.domain.com, login.domain.com, and domain.com, no matter where you are on the site."
Far safer and more convenient is supergenpass. It uses a hash function with your master password and the domain (url or program name or whatever) to re-generate your password every time. I use the mobile version, rather than the bookmarklet (this is safer). You can just type supergenpass.com/mobile into any browser. Nothing to store, no database to be compromised, no usb key to lose.
I've got supergenpass.com/mobile saved to my hard-drive, saved as a Chrome application window.
The thing is, your password is still only as safe as your master password. I've got a fully-randomly generated password. And the website says you really ought to understand the algorithm and such before using it. I hope I understand it well enough, but I don't know javascript.
I prefer SuperGenPass. It doesn't store your passwords, it generates them from a hash—so you don't have to worry about losing any files or worry about trusting the cloud. You just have to make sure your master password is powerful.
Hmm. I don't have an iphone, myself; I use the Android App, and that lets me enter the site URL then my master password and autogenerates the correct site password and copies it so I can paste it in.
Doesn't look like there is an equivalent iPhone app, but the FAQ says
> It works on many smartphones, including the iPhone / iPod Touch / iPad—just add the mobile version to your home screen.
I assume that makes sense in the context of iphones, and presumably does something similar to the Android app?
supergenpass: runs in browser so no need to install (simplifies things), opensource, and never stores passwords, instead it generates from master pass + domain. The generation approach in my opinion is far superior to storing. Only real quirk is stupid sites with arbitrarily low character limits on passwords. I have my default to a larger number and have to remember to drop for 1-2 sites I seldom use. Alternatively, one can use the default or similar size and avoid the issue, but obviously shorter passwords are shorter...
I use bookmarklet on desktop and "mobile" page on foreign computer/phone.
SGP
An app version SuperGenPass. No more storing passwords, just choose a master password and SGP will use the first few characters of an MD5 hash of a website's domain combined with your master password to generate a random-looking password.
I like to have master passwords by categories, such as one for financial sites, one for gaming, one for social media, etc. So while I use the same master password for gaming sites, each site has a unique and seemingly random password.
For example, if my master password were "r3ddit@pps", my password when logging into reddit.com would be "a9R4Eqdb9v" if I use the default 10 characters.
It's kind of cool, yes. But I don't see how this is useful as a practical device. As far as I can tell, there are two ways of using this:
Print out the Latin square, and save it somewhere. Problem is then, anyone who has access to your Latin square can easily (in a small number of tries) recover your password. So it suffers from the post-it-note-on-monitor problem.
I mean, it is really as much security as the following scheme:
with the only difference that the Latin square is far clumsier to use, and less flexible (for the simple scheme, you can choose to prepend something longer than '¤'; you can't really add much more "secret" entropy for the Latin square).
Don't print the Latin square. Instead, remember a long passphrase. Every time you need the password, go to the GRC website and enter the passphrase as seed, to generate a Latin square, then use that.
Again, this is just a much more elaborate version of a simple scheme:
Neither of these simpler schemes is bad, though, so in that sense the Off The Grid is a decent choice. But it also seems terribly impractical, and more importantly, that impracticality is added for no real benefit. So I'd say Off The Grid is mostly bling. It seems mysterious and cool, and that is its allure. But when you think about it, it's just a simple scheme artificially made very impractical to use.
The supergenpass is an awesome layer to add to password security. It is a client-side only bookmarklet that does md5(url + password) so even if you use the same password on multiple sites a cracker would need to reverse the md5 first in order to use it on another site.
This is a known algorithm so it doesn't make your password any harder to crack (tools can just add a md5(url+candidate) pass), but what it does mean is that the original password never leaves your computer. Anything outside your computer that intercepts it has to crack it in order to use it on another site -- even if you use the same password everywhere, or a pattern.
Basically combine this with normal good practice (strong passwords, vary by site, SSL/TLS) and you should only have to worry about local attacks like keyloggers.
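The derivation scheme several commenters describe (MD5 over master password plus site domain, base64-encoded, truncated to a chosen length, subdomains stripped per the FAQ quote earlier in the thread), as an added reimplementation for illustration. This is not SuperGenPass's own code and its output will not match SGP's for the same inputs; the two-level suffix list, the `:` separator, the minimum round count and the "looks like a password" rule are all assumptions made here.

```python
import base64
import hashlib

# Assumed: a short list of two-level public suffixes so "login.example.co.uk"
# reduces to "example.co.uk" rather than "co.uk". A real tool ships a long one.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# base64's '+', '/' and '=' are the characters sites most often reject,
# so they are mapped to alphanumerics before truncation.
_B64_FIXUPS = str.maketrans({"+": "9", "/": "8", "=": "A"})


def primary_domain(hostname: str) -> str:
    """www.domain.com and login.domain.com -> domain.com (the FAQ behaviour)."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def acceptable(candidate: str) -> bool:
    """Assumed shape rule: starts with a lowercase letter, contains an
    uppercase letter and a digit, so most sites' complexity checks pass."""
    return (candidate[0].isalpha() and candidate[0].islower()
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def hash_round(text: str) -> str:
    """One MD5 round, base64-encoded with the fixups applied (24 chars)."""
    digest = hashlib.md5(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").translate(_B64_FIXUPS)


def generate(master: str, hostname: str, length: int = 10,
             min_rounds: int = 10, max_rounds: int = 1000) -> str:
    """Derive the site password. Deterministic: same master + same primary
    domain always yields the same output, which is the whole point. The
    master password is the only secret; MD5 is fast, so its strength is
    what stands between a leaked site password and every other site."""
    if not 4 <= length <= 24:
        raise ValueError("length must be between 4 and 24")
    text = f"{master}:{primary_domain(hostname)}"
    for rounds in range(max_rounds):
        if rounds >= min_rounds and acceptable(text[:length]):
            return text[:length]
        text = hash_round(text)
    raise RuntimeError("no acceptable candidate found")


if __name__ == "__main__":
    # Constructed inputs; the output is this example's, not SGP's.
    for host in ("reddit.com", "www.reddit.com", "example.com"):
        print(host, "->", generate("correct horse", host))
```

Running it shows the property the thread cares about: two hostnames on the same site produce the same password, a different site produces an unrelated one, and nothing is stored anywhere. The length cap is where the "sites with low character limits" quirk from earlier bites: the derived string is simply cut shorter, and the user has to remember which sites needed that.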
I'm surprised no one has mentioned SuperGenPass yet. It does exactly what the article suggests and I've been using it for a couple of years now.
Many people in this thread are saying that password length is far more important than a shorter, albeit more complex password. This is true, but I think it's missing the point. The real issue here is that you cannot trust that every site will be responsibly storing your password. If you use the same password for every site you visit, the security is only as strong as the weakest service you use. There is no guarantee that some ignorant, lazy, or malicious programmer did not store your super secure password in plain text.
Oh, and with SuperGenPass you can specify an arbitrary password length :P
I use the random number generator on my graphing calculator to come up with about 10 numbers, each representing one of the many valid keys on my keyboard.
Then I plug that into *this*, saved onto my machine. I'd say my password's probably unbreakable, but I don't want to offer that as a challenge.
So whatever works, I guess.
Except now, I've just realized I don't quite remember my master password, lol.