{"id":53,"date":"2011-06-15T00:41:43","date_gmt":"2011-06-15T07:41:43","guid":{"rendered":"http:\/\/www.lorrin.org\/blog\/?p=53"},"modified":"2012-05-19T23:51:34","modified_gmt":"2012-05-20T06:51:34","slug":"a-fruitless-search-for-a-password-bookmarklet","status":"publish","type":"post","link":"https:\/\/www.lorrin.org\/blog\/2011\/06\/15\/a-fruitless-search-for-a-password-bookmarklet\/","title":{"rendered":"A Fruitless Search for a Password Bookmarklet"},"content":{"rendered":"<p>Using a bookmarklet to store passwords is appealingly simple. Alas, after doing some digging, I couldn&#8217;t find any viable options.<\/p>\n<p>The first concern I came across is that it is important to <a href=\"http:\/\/codahale.com\/how-to-safely-store-a-password\/\">use a hash algorithm that&#8217;s <\/a><em><a href=\"http:\/\/codahale.com\/how-to-safely-store-a-password\/\">slow<\/a><\/em> (e.g. <a href=\"https:\/\/secure.wikimedia.org\/wikipedia\/en\/wiki\/bcrypt\">bcrypt<\/a> or <a href=\"http:\/\/www.tarsnap.com\/scrypt.html\">scrypt<\/a>)<em>.<\/em> Otherwise it&#8217;s too easy to brute-force the master password based on a site password. Suppose a site you visit stores your password in plaintext and gets hacked. That breach then compromises your master password, even though only your site-specific password was revealed.<\/p>\n<p>I couldn&#8217;t find a JavaScript implementation of scrypt, but I found a <a href=\"https:\/\/code.google.com\/p\/javascript-bcrypt\/\">JavaScript bcrypt implementation<\/a>. Better yet, I found a derivative that tidies up the first one, removing dependencies on e.g. <a href=\"http:\/\/www.clipperz.com\/\">ClipperZ<\/a>, and wraps it in a <a href=\"http:\/\/scripts.cwillu.com\/passwords\/\">simple bookmarklet<\/a>. 
<a href=\"http:\/\/supergenpass.com\/\">SuperGenPass<\/a> provides a much more user-friendly bookmarklet, so I started gearing up to replace its MD5 hashing with bcrypt.<\/p>\n<p>But, alas, SuperGenPass (and any other simple bookmarklet) is <a href=\"http:\/\/akibjorklund.com\/2009\/supergenpass-is-not-that-secure\">not secure<\/a> in the face of a malicious website that contains JavaScript designed to sniff entry of the master password into the bookmarklet. <a href=\"http:\/\/crypto.stanford.edu\/PwdHash\/\">PwdHash<\/a> is a browser-extension-based approach from the Stanford Security Lab designed to combat the weaknesses of the bookmarklet-based approach. Their paper, <a href=\"http:\/\/crypto.stanford.edu\/PwdHash\/pwdhash.pdf\">Stronger Password Authentication Using Browser Extensions<\/a>, is interesting reading and explains a variety of ways to compromise a bookmarklet-based approach. PwdHash has already spawned a number of ports to other browsers and mobile devices, but alas they&#8217;re all based on prototype code that uses the undesirably fast HMAC-MD5 as the hashing algorithm (even though the paper points out PwdHash is a good candidate for a better hashing algorithm).<\/p>\n<p>I was not able to find any PwdHash derivative that used bcrypt. I did find a simple <a href=\"http:\/\/blog.derekmauro.com\/2011\/04\/how-i-manage-passwords.html\">command-line tool based on scrypt<\/a>, but that&#8217;s not great if you don&#8217;t have easy access to your own computer.<\/p>\n<p>Solutions like <a href=\"http:\/\/www.passpack.com\/\">PassPack<\/a> offer the potential to solve these problems (extension rather than bookmarklet, use of strong encryption rather than weak hashing), but have an Achilles heel of their own: <a href=\"http:\/\/maltainfosec.org\/archives\/88-PassPack-and-why-it-does-not-work.html\">the service provider has the power to decrypt all your passwords<\/a>. 
 For now I&#8217;ll stick with my <a href=\"..\/2011\/03\/30\/introducing-moinmoin-client-crypt\/\">moinmoin-client-crypt<\/a> approach.<\/p>\n<p><strong>UPDATE 2012-05-19<\/strong>: PassPack <a href=\"http:\/\/www.passpack.com\/en\/security\/\">does not store<\/a> your packing key on their servers after all. (LastPass <a href=\"https:\/\/lastpass.com\/whylastpass_technology.php\">does not either<\/a>, <a href=\"http:\/\/www.clipperz.com\/users\/marco\/blog\/2007\/08\/24\/anatomy_zero_knowledge_web_application\">nor does Clipperz<\/a>.) But you still must trust them, as they are in a position to insert backdoors into either the browser add-ons or web-based access they provide. This is less of an issue with ClipperZ, since you can run the <a href=\"http:\/\/www.clipperz.com\/open_source\/clipperz_community_edition\">Community Edition<\/a> on your own hardware. Some brief comparisons are <a href=\"http:\/\/floatingsun.net\/2010\/02\/03\/web-based-password-managers-3-years-later\/\">here<\/a> and <a href=\"http:\/\/www.emilsit.net\/blog\/archives\/the-difference-between-clipperz-and-passpack\/\">here<\/a>. Also there is some interesting discussion in the comments of the previously linked <a href=\"http:\/\/maltainfosec.org\/archives\/88-PassPack-and-why-it-does-not-work.html\">PassPack critique<\/a>. Gabriel Weinberg has LastPass amongst his <a href=\"http:\/\/www.gabrielweinberg.com\/blog\/2011\/11\/online-services-our-startup-subscribes-to.html\">list of services used at DuckDuckGo<\/a>. LastPass did possibly have a data breach, but they <a href=\"http:\/\/blog.lastpass.com\/2011\/05\/lastpass-security-notification.html\">handled it well<\/a>. Some more details on <a href=\"http:\/\/blog.passpack.com\/2011\/05\/passpack-is-not-lastpass-we-have-a-big-friend\/\">PassPack&#8217;s packing keys and master keys<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using a bookmarklet to store passwords is appealingly simple. 
Alas, after doing some digging, I couldn&#8217;t find any viable options. The first concern I came across is that it is important to use a hash algorithm that&#8217;s slow (e.g. bcrypt or scrypt). Otherwise it&#8217;s too easy to brute-force the master password based on a site <a href='https:\/\/www.lorrin.org\/blog\/2011\/06\/15\/a-fruitless-search-for-a-password-bookmarklet\/' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[52],"tags":[6],"_links":{"self":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/53"}],"collection":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/comments?post=53"}],"version-history":[{"count":6,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":184,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/posts\/53\/revisions\/184"}],"wp:attachment":[{"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/media?parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/categories?post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lorrin.org\/blog\/wp-json\/wp\/v2\/tags?post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}