No So Weak Passwords (nswp) is a very simple Google Chrome extension to generate (not so weak) passwords for the casual web site requiring authentication you surf to not so often.
It is well known that reusing the same passowrd on different site is very dangerous, as well as using weak passwords; on the other hand, is quite difficult to remember many different good passwords.
The idea behind this extension is very easy (and not new at all, see the similar software_ section below): to generate a password concatenate a (unique and strong) secret, or "master password", to the web site URL (or something derived from it) and then take the SHA1 of it.
In more detail, once you've set your secret in the extension's options, by clicking on the extension icon you get a dialog with two fields: the first contains the host portion of the current tab (omitting the 'www.' prefix, if present) and the second one the generated password that will be automatically copied to the clipboard. If you want to edit the first field (for instance, to add a prefix to identify different accounts), just do it and the password will be automatically re-generated (an copyed to the clipboard).
The security of this extension depends on several facts:
-
the secret is remembered by Web Storage, nothing is ever sent over the network: not the secret, the visited sites URLs, or passwords;
-
the SAH1 secure hashing algorithm is NIST approved, the implementation used is the one by Chris Veness; thanks to this advice, the hash is applied ten times (unless you set "Use 1-pass only SHA1" in extension's options);
-
the code of the extension is very simle, publicily available, and can be inspected (and understood) by anyone with a basic undestanding of Javascript and HTML.
One can implement the same approach (albeit with a less pleasant user experience) using a web server and a couple of web pages, that can be hence used with any web browser, even mobile ones. For an example of such implementation feel free to use http://santini.di.unimi.it/extras/pw/ (on my web site directly – nothing will be ever stored by it), or use the code in alternatives/web directory of this repository. In principle, one can develop a bookmarklet to improve the user experience (by pre-filling the url field, for excample).
Similarly, one can implement a simple command line tool and use the generated passwords not only for web browsing, but for authentication in general. Have a look to the alternatives/cli directory of this repository for a very simple Python implementation.
As I said, the approach is not new at all. Similar (and for many aspect more complete, or better) alternatives are (among others):