Domain: angel.net
Stories and comments across the archive that link to angel.net.
Comments · 31
-
Re:if you can access it on a website
You can use a single password, combined with the url of the website, to generate unique passwords for each website, via a hashing algorithm.
One implementation of this is: https://github.com/hughperkins/openpw , which is a derivative of http://angel.net/~nic/passwd.current.html There are other implementations around.
The advantage of this system is:
- only one password to remember
- if a website gets hacked, that password can't be used on other websites, and can't realistically be used to obtain your master password, assuming they even know which algorithm you're using, which is unlikely
- unlike a password safe, you don't need to handle making backups, replicating the backups around, and so on -
Re:no
Check out Nic's password generator: http://angel.net/~nic/passwd.current.html
I extended it a bit https://github.com/hughperkins/passwordbookmarklet :
- longer passwords generated
- the bookmarklet password field uses password characters
- there's the option of using a bookmarklet with a 'confirm' field
- added a console application (python) which invisibly copies the password to the clipboard, for non-web applications -
Generate a hash
I've been using something like this for a while
http://www.angel.net/~nic/passwd.html
basically it's md5(websiteUrl + masterPassword) which creates a nice random string to use as a password. If one of those sites gets hacked or one of the passwords gets found out it's no biggie because each site has a unique password (if your master password gets found out then people might be able to guess at some of your logins tho)
I still let Firefox store my passwords but I keep them protected with a master password. Sure someone could brute force it but I don't save my bank passwords with it.
-
Best solution for managing passwords
-
Re:Why?
My important passwords are hard to break, and written nowhere. I don't let the browser password manager remember those.
My less important passwords are written in an encrypted file. I let the browser remember those.
Passwords that are not important and may be accessed from other places, are generated with http://www.angel.net/~nic/passwd.html, so I can avoid storing them (and looking them up, if I change browser).
-
Re:OK, so we have a plug-in..
It's been done:
http://www.angel.net/~nic/passwdlet.html
http://supergenpass.com/genpass/
http://supergenpass.com/
(there are surely others)
Not an extension, but that can be a good thing. -
Re:What they don't say
Even worse is that once you break one of the unreasonable policies (no admin logon on a developer machine, say), it's hard to keep any respect for the more reasonable ones. A bit of trust and leniency would go a long way toward respect. You could for example tell employees that they should avoid spending a lot of bandwidth during peak hours, and give people plenty warning if they're hogging all the gas.
Oh, and help them out a little by hinting about things like KeePass for passwords, TrueCrypt for sensitive data, and MD5 Password generator.
-
Re:Hiding
Use an MD5 password generator. You can use the same password across sites, but it won't get compromised. Ever. There are a few sites like these that can help you generate these passwords:
http://passwordmaker.org/
http://angel.net/~nic/passwdlet.html
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/ -
Worst news in a long time
That's it then, for the feature most loved about del.icio.us: The dead simple interface. Now it'll be 2+ links away from the main page, accessible only through their enormously bloated I-wish-I-was-using-lynx-right-now interface, with a password form that for some stupid reason doesn't work with the Password Generator.
I guess I'll just have to backup my 2393 bookmarks and 3482 unique tags (as of today) and, dunno, hope someone builds an open source version.
-
hashvalue=master password +domain name
Great utility that generates a password for each site by hashing
the values of a master password plus the domain name of the site
E.g.
my_master_password+cnn.com=unique hash
my_master_password+slashdot.com=unique hash
The unique hashes are used as password and you only have to
remember the master password which remains the same.
See a video tutorial: http://weblog.infoworld.com/udell/gems/singleSignOn.html
Or original site of utility: http://angel.net/~nic/passwd.html
Plus a blogger's explanation:
http://weblog.infoworld.com/udell/2005/05/03.html -
Re:You might expect that...
The password generator bookmarklet
It's javascript which asks for your "master password" (i.e. just use one for everything), then calculates MD5(password + site name), and places that into any password input boxes on the page you're currently viewing. -
Re:Obsfucation?
Building on the same idea
Trunc(Base64(MD5([Website subdomain or IP] + [master password])),[Maximum allowed length])
Here is a webpage with client side javascript that does just that. I suggest saving a copy, modifying it to allow variable length truncation, and make it your home page.
There is a bookmarklet of a similar script (no base64) here -
Re:http://angel.net/~nic/passwd.html
Also have a look at the JavaScript bookmarklets on http://angel.net/~nic/passwdlet.html
I have Safari set-up so that pressing Command and 1 will auto fill-in any password fields with the site generated password.
Whilst your master password is stored in plain text in the bookmark file, as I use FileVault (AES Encrypted home folder) I think it should be OK for non banking sites... -
http://angel.net/~nic/passwd.html
Save the following html page to your computer or usb device
http://angel.net/~nic/passwd.html
Come up with a master password, enter the domain name of the particular site you are browsing and a unique password is generated for that site. All you have to remember is your master password. The page uses javascript, no data is passed to the internet. Whenever you need a password, just run the saved html page, enter master password, enter domain name, click generate button and you have your password -
A whacky idea
Problem statement: How to associate one string (domain name) with another string (username/password combination)? a.k.a. translate strings.
Here's a whacky possible solution: use a translator pen, such as this: "SuperPen Translator", which supports 'custom dictionaries', to store passwords. Run the pen across site's address bar displayed on the computer screen, and the pen translates it to your username/password for that site.
Here's another of those pens: C-Pen.
Of course, if none of their dictionaries are user-editable, and if they have no SDK, this won't work.
Here's a more sensible solution: Javascript password generator
(Video about it - flash format) -
A cool trick for passwords...
A cool way to always have good passwords is to just choose a short phrase that you'll remember and run the text through MD5. So, if you're creating an account for your PC at work, you might use something like "Work PC password, May 2005" and then just run it through something like this.
This will give you a good mixed-case, alphanumeric password, and you can always retrieve it if you forget it, as long as you can remember the phrase that you used (which is much easier than remembering Qwy4%!Xx). The only other caveat is that you must have access to the web or to a machine with an MD5 generator.
And, being an uber-geek, you can even go one step further and eliminate that last requirement. You can make up your own algorithm for converting a phrase into pseudo-random characters. Keep it simple, and something that you can do with pencil and paper! You have to be able to remember the algorithm a month from now (when IT forces you to change your password) or else it's useless. But if you keep it simple, you'll have no trouble remembering how to do it. I've been using this system for a while now and it works like a charm. -
Simple unique password generation
I have a single memorized passphrase and generate a new password for each site by hashing it with the hostname. This bookmarklet asks for the passphrase, grabs the hostname from the current URL, MD5s them, and inserts the first 8 characters of the result into each password field on the current page. It's all done locally in Javascript so nothing secret is passed across the 'net which makes it secure except for shoulder-surfers and keyloggers - good enough for most stuff. And it has the great advantage that there's no locked file of passwords to lose.
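The derivation these comments describe, next to a hardened variant, as an added example that is not part of any comment and is not the angel.net bookmarklet's own source. Assumptions: the passphrase is concatenated before the hostname with no separator, and the scrypt variant, its `site:` salt prefix and the sample passphrase are constructed for illustration.

```javascript
const crypto = require('crypto');

// Hostname as a bookmarklet would see it: taken from the current page URL.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Scheme as described in the comments: one MD5 pass, first 8 hex characters.
// Assumption: passphrase + hostname, no separator.
function legacyPassword(master, host) {
  const hex = crypto.createHash('md5').update(master + host, 'utf8').digest('hex');
  return hex.slice(0, 8);
}

// Hardened variant (assumption, not from the page): memory-hard scrypt over the
// passphrase, hostname as salt, 20 base64 characters of output. Each passphrase
// guess against a leaked site password now costs far more than one MD5 call.
function hardenedPassword(master, host) {
  const key = crypto.scryptSync(master, 'site:' + host, 32, { N: 16384, r: 8, p: 1 });
  return key.toString('base64').slice(0, 20);
}

// Upper bound on the entropy a generated password can carry, in bits.
function outputBits(password, bitsPerChar) {
  return password.length * bitsPerChar;
}

const master = 'correct horse battery staple'; // constructed sample passphrase
// The hostname is hashed verbatim, so these two URLs yield unrelated passwords.
const sites = ['https://www.example.com/login', 'https://example.com/login'];
for (const url of sites) {
  const host = hostOf(url);
  console.log(host, legacyPassword(master, host), hardenedPassword(master, host));
}
console.log('legacy bits:', outputBits(legacyPassword(master, 'example.com'), 4));
console.log('hardened bits:', outputBits(hardenedPassword(master, 'example.com'), 6));
```
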
-
Password generation Javascript bookmarklet
I've been poking around trying to generate Web-site passwords by hashing the hostname and a master password, and I've come up with this bookmarklet which takes the first 8 chars of the hex representation of the MD5 hash.
This means you only have to remember one master password, and each site you register for gets its own unique password - instead of using the same throwaway password all over so you've given your whole online identity to each site's admins...
I've been meaning to find a crypto guy to ask if I could just use CRC32 to hash the input string, since MD5 is too much Javascript to bookmark in IE. I know it's not a secure way to checksum a file, but given a CRC32 hash and part of the input, can you recover the other part? Anybody? -
Example of prior art
http://www.angel.net/~nic/spam-x/ (with revision history dating back to 2001).
The only thing that it doesn't address is the potential for a spammer to bulk-mail accept-list confirmations prior to or as part of their mass-mailings.
So maybe use a digest of the headers to ID the original message, recover the e-mail address from it, and add it to the whitelist? -
My weblog declares sources in 'jumpbars'
I've been blogging for 5+ years, and have evolved my routine into a system. Almost all of it is summarised in three rows of links at the top of my weblog-- top row for weekly visits, middle row for daily visits, and bottom row for continual updates.
The links are just abbreviations, so you have to explore to discover what they mean, but the advantage to this is that I can cite the abbreviation easily each time I link a story found via that source.
The idea of putting them in rows at the top is so that frequent visitors to my blog can jump to other sources if they don't find anything new/interesting at mine. (I call them 'jumpbars'.) Lately I've started adding little asterisks for sources that have recently done especially noteworthy updates.
My local startpage duplicates the jumpbars, and adds less-frequent sources like monthlies. When I started blogging I made a serious effort to learn the update schedules of every online periodical, and I created a generic startpage that summarised these. (It's badly out of date now.) The idea was to encourage people to copy this page and customise it to their interests. But knowing when zines usually update makes it easy to prioritize my surfing-schedule. (I wish all periodicals spelled this info out on their front page, eg The Onion comes out late Tuesday.)
I think NewsHub still isn't appreciated for its headline-aggregation pages. I'd use NewsLinx too except that most all the tech zines have decided to use obnoxiously junky html-design, so I stick with Slashdot and the Register for tech news.
My politics are lefty, and Sam Smith's Progressive Review gives a very deep daily summary with links, while Common Dreams reprints full articles from many major sources. A newcomer is Memory Hole that specializes in stories the mainstream media tries to suppress/ignore.
For space news, NasaWatch is tops. I've mostly given up on Drudge and Salon, and am having doubts about the BBC science page.
Other daily faves include the AstroPic of the Day, two poem-of-the-day sites, Zippy the Pinhead, and various blogs. A weekly that I think is underappreciated is Dean Baker's Economic Reporting Review that gives a very dry weekly critique of economics-propaganda in the NY Times and Washington Post. (They very systematically distort the facts with the obvious goal of redistributing the wealth upwards.)
-
Disagree
I disagree completely. I've been using a whitelist for a while now and it works flawlessly. Here's the deal. I set up the initial whitelist based on my address book--people that I regularly send email to. Then, the procmail filter I use runs every email I receive against the whitelist. If the sender is on the list, it goes to INBOX. Otherwise, the email is held in a pending-message folder and they get an automatically generated reply that says something to the effect of "Hi, I haven't received your email yet because your email address hasn't been verified. Please reply to this email to verify that you are a real person and not a spammer and you will be automatically added to my whitelist."
Person replies, they get added to the whitelist, and the original email gets delivered. Spambots don't reply. Easy as pie.
The one saving grace of the system I use is that all email, spam included, gets put into a BULK folder. I periodically sift through the BULK folder to make sure I haven't missed anything important (like a message from my bank or airline or something) and delete all the spam.
I use a variation of this procmail script on my email system.
In fact, now that I've effectively killed spam on my email account, my email address has become MORE useful--I don't hesitate to publish it on my website or give it out to folks. -
An even better system
I've been using this procmail script that works flawlessly. It's very simple and I can't remember the last time I got spam. It works much better than trying to catch spam based on headers and key words in the subject. Basically, it implements an accept list, so that only users that respond to an auto-reply will be added to the list and thereby get their message through. Simple and effective.
-
Reverse Filtering == No Spam
I've been using this procmail script for quite a while now. Basically, it implements an "accept list" as described in this OSOpinion article, whereby only people that respond to an auto-reply are added to the accept list, which means that none of the automated spam apps can get their crap through to you. I can't remember the last time I got any spam.
-
Re:Filtering email
it shouldn't be too hard to write.
this page has a nice description of implementing
a similar mechanism via procmail. -
Re:Email should work more like ICQ...
I do this with a simple procmail script. In fact, you don't need the password and manual authorization: spammers don't read their return mail.
This is blocking 100 spams a day for me right now. I still get maybe 3 non-spam UCEs a week from real people. And no one has ever complained about it. -
Re:The death of SpamCop
Sorry, I meant to link it:
http://angel.net/~nic/spam-x.html -
Content filtering sucks, use an accept list
Content filtering doesn't work reliably. I use this simple .procmailrc to keep an accept-list and let new senders with real return addresses add themselves easily. No-one has ever complained, and I get no spam at all. -
Re:Eliminating spam from YOUR mailbox is feasible
Here's my page about doing this easily with procmail, including my simple .procmailrc. Life without spam is good... -
Spam? What is this spam you speak of?
I use procmail with an accept-list and I get no spam (I define spam as UCE with a forged From header). Here's my .procmailrc. -
I'd pay more for good layout than ad-freedom
Like a lot of web sites, Salon's design makes it so hard to read it's almost not worth my time. Stories are squeezed into a teeny central column between a row of irrelevant links on the left and another row of irrelevant links on the right. The front page is an exercise in scrolling - scroll down to read the first column, scroll back up, scroll sideways, scroll down again... Augh. I'd stopped reading it except when someone would tell me about a particularly interesting story.
When I found this useful script that presents the current headlines in a simple list, linked directly to Salon's reader-friendly [aka "print this page"] layout, I started reading it again. But one assumes the "Premium" Salon won't be available via this unofficial portal.
I sent them a letter to the editor to the effect that I'd be happy to pay a subscription fee for a readable, crap-free layout that let me concentrate on the stories and not my scrollbars. Admittedly, I'm more of a curmudgeon about readability than most, but I doubt I'm alone in my annoyance.
Screw the ads, they're a relatively minor annoyance. I'd rather have an ad-ridden but easy-to-read page than one with no ads and two words per column (scroll down, scroll left, scroll right) any time.
-
Re:It's simple
I don't get any spam - I use procmail to verify senders on all incoming e-mail. It works, and it only inconveniences each sender the first time they mail you from a given address.