What's the point?
Okay, so we all know we should have different passwords for each site we visit. Why? Because if one password becomes compromised, you don't want someone being able to get access to all your other sites. But now we have a problem. How can we possibly remember all of those passwords?
One way is to use a password manager. KeePass Password Safe is pretty good for example. The trouble is you have to have that with you all the time.
What would be really nice is to have the passwords available to you online. There are a few cool options out there; LastPass is a really common one. The trouble with all your passwords being online is of course that if that gets hacked, then all your passwords are out; you might as well have just used one password. And call me paranoid... you're paranoid... but I just don't like having all my passwords online. That said, LastPass does support multi-factor authentication, so that's pretty sound.
So what's your solution?
I'm not sure it's a solution, but it's one way. Instead of using a master password to unlock an online database of stored passwords, use a master password to generate a unique password for each site; that's what this password generator does. Woohoo! No stored passwords; it must be fantastically safe.
Of course not. Let's see what's wrong.
What's wrong with this?
The trouble is that it still depends on your master password. Crack that and again they've taken everything. To try to help make the master password stronger, this generator asks for an extra phrase. This effectively allows you to use two memorable phrases, but in reality they just make the master password longer; however, because the phrases can be unrelated, they can make it harder for a human to guess. Also, length is everything: see How Big is Your Haystack?
You'll notice that there is a third phrase used in the generation. This is your final chance to make it harder to crack. Remember, this doesn't make the generated password harder to crack. What we are doing here is making it harder for someone to crack your master password and use this site to regenerate your passwords. In the hover text I suggest that this phrase might be something written down and kept in your wallet. Why? That's crazy talk. Check the comments here from Microsoft's Jesper Johansson to see why that might be a good idea. And with this password generator, if your wallet falls into someone else's hands that still isn't enough on its own.
Anything else to worry about?
- Of course. The biggest risk is that someone spoofs this site and you finish up typing away into their malicious page. Always make sure you are on henspace.com.
- The next problem is that I might be malicious. Okay, the site is safe at the moment; I'll show you how to check later. But what about in a few months' time when I'm down on my luck? I might quietly change the site to squirrel away your details. Well, I don't intend to change the page, so I would use a service like WatchThatPage to tell you if anything has changed. If it has, recheck it.
- Finally, someone might hack my website and change the page. The remedy is the same as for the previous question. Alternatively, download the source and host it on your own site or local machine. If you do host it for your own use, do not pretend to be henspace.com.
Okay, it's all good. How do I check you're not actually doing anything?
It's reasonably easy to check depending on your knowledge of web stuff. The information below is for Google Chrome but there are similar tools in the other browsers.
- From the password generator page, press Ctrl-Shift-I to open up the developer tools panel and select Network. Now refresh the page. You should only see two entries: passwordgen.html and favicon.ico, which is an attempt to get the little address bar icon. If you have a plugin like Evernote you might see lots of GETs while it loads its stuff. Sorry, I can't answer for the plugins. Clear the view by clicking on the Clear icon. Now type away in the fields and watch the network panel; you won't see anything, because the password generator isn't sending anything anywhere.