When the bookmarklet asks for your master password, do you really want to echo it “in the clear” (not echoing it as asterisks)? There seems to be a difference between the bookmarklet and the html version.

Unfortunately, JavaScript does not allow you to mask user input on its dialog boxes. So yes, the bookmarklet has that disadvantage. But it’s not transmitting your password anywhere, so as long as no one is looking over your shoulder you’ll be fine.

would be nice, if the user could chose the password length, and what characters (upper- lowercase) and if numbers should be included…

Ralph, as far as the HTML form goes, good idea; I'll work on that.

As for the bookmarklet, one can edit the script to achieve this. I'd prefer not to ask the user each time for length and case preference … it would make its use cumbersome. If you'd like help altering the bookmarklet, just e-mail me.

Thank you for the bookmarklet.

I have begun to use your bookmarklet on my home computer to generate passwords. For a moment I was worried that I wouldn't be able to login to websites when not at my home computer, then I remembered your HTML page version. But then I worried that I wouldn't be able to remember the URL when I didn't have it bookmarked. So I came up with a little workaround.

First I created a button.

Then I put the button on my home page and linked it to your HTML page version, since I hope I can remember the URL to my own homepage. :-)

Chaim, that looks great! With your permission, I'll add the button to the labs.zarate.org page.

Please go right ahead and do so.

This is so much easier than having a password management application. My main concern involves the html form for when you are not on your own browser, or on one that doesn't allow bookmarklets (I use Blazer on my Treo 650 for example). The problem I see is that you are passing your master password to the form on your page unencrypted, which seems to be a security issue itself. Does this make sense? Can you think of a way around it?

Oops, never mind! I just figured out that this is simply a chunck of JavaScript code that you can download and run locally on any JavaScript-compliant browser. Blazer can save pages for offline viewing, so I tried it out. Disabled the phone so I knew it wasn't connecting anywhere to transmit the info, and then entered info into the form and voila! Pretty cool. Now the only problem is trying to figure out all the sites that I have passwords on so that I can change them. There must be over a hundred at this point! Ugh!

Hi, Chris.

I'm by no means a Javascript expert, but is there any reason why we shouldn't see the bookmarklet without all of the char to %[\dA-F][\dA-F] encoding? I get nervous when I see nothing but encoded chars. I snagged the code, passed it through a Perl decoder and it does appear clean. For some reason, when I just copy/paste the clear chars into a bookmark, it does not seem to execute anything when activated.

Mike, any character that is invalid for a URL is also invalid for a JavaScript bookmarklet (most notably curly brackets). Instead of encoding just the special characters, I find it easier (espcially for a long bookmarklet like this) to encode the entire thing. Here's a webpage that will do this encoding/decoding for you:

ASCII to Hex to Unicode

Hi Chris,

I've been using your script and chaning various passwords but I do have this nagging question in the back of my mind. I don't understan much in terms of the technical details of encryption schemes, so maybe this is a stupid question. Basically, I'm wondering if someone sees your password for site X and knows you are using your encryption scheme, so they know two pieces of the puzzle plus the encryption scheme being used, can they from that get your master password?

Levi: no, they can't. That's the beauty of MD5. It's a one-way hash function. Read more about MD5.

This quick hack demonstrates some things you could do with Bash and sed to get similar results. Have fun with this. (The sed replacements demo how easily other characters could be added to your passwords, if necessary.)

function mypassgen() {
read -p "Enter master password: " -s MASTER ;
read -p "Enter site or machine name: " -s RESOURCE
echo "${MASTER}${RESOURCE}" | md5sum | cut -c 1-15 | sed 's/2/$/g' | sed 's/a/*/g' ; }

Great little utility.

I unescaped the code and I noticed that it runs the .js from your website. I've downloaded a copy of the .js file that does the actual work and I'd like to change the bookmarklet to refer to this downloaded file, rather than the one on your site.

I tried substituting in the file path instead of the URL but that doesn't seem to work. I'm not a java programmer so I don't know the syntax.

Can you tell me how the file path should be entered?

Could you also tell me how I can alter the script to produce an eight character password?

BTW: I think the master password should be in clear as you have done it. If you mistype the password when you create it, you'll get an output that won't work if you later don't mistype it.

thankyou

To make the script match the javascript, you need to put a ":" between the password and hostname. Here's an alternative (using a different md5 command line utility). This generates identical passwords to the javascript.

!/bin/sh
read -p "Enter master password: " -s MASTER
echo ""
read -p "Enter site or machine name: " RESOURCE
md5 -s "${MASTER}:${RESOURCE}" | sed -e 's/.*= //' | cut -c 1-8

It has problems with sites using different ports for different site parts.. for example at the main page the url is http://site.com/index.htm and somewhere else in the site it is http://site.com:8080/something.html.. could it be solved?

There's an extensive list of top level domains here: http://www.surbl.org/two-level-tlds

Domenico, nice catch. This has been fixed and all the bookmarklets have been updated. The cached version may take a day or so to update.

Shai, that is a long list! Unfortunately, if I updated the bookmarklets now, it might affect people that already created passwords on those domains.

I'm pretty confident that my list of 270 covers the most common second-tier top-level domains. The worst that could happen is that a user might have the same password for two different websites on a very obscure second-tier top-level domain.