Code Bounty: Firefox Password Generator
February 23rd, 2009 by masukomi

THIS BOUNTY IS CLOSED. Greg Stoll has come up with a winning submission and receives the prize. I’m going to spend some time tweaking it and then I’ll release it, and its source, into the wild.

The Deal
I was offering a $100 Amazon.com gift certificate or a donation to your favorite open source project to the first person who could write me a Firefox Extension that matches the criteria outlined below. Most of the work has been done for you by many open source developers. It just needs a little UI wiring (check the mock-up at the end of the post).

Basic Idea
Not too long ago someone came up with a good implementation of a password generator (Too Many Passwords) that is easy to use and will generate good passwords for you so that you don’t end up either forgetting them or using the lame shortcut of having only a few passwords for all your sites (a strong one for important sites like your bank, and maybe a couple other less strong ones). PwdHash is a similar idea but as a Firefox Extension. Both are free and open source, and I know that there are other similar extensions and web sites, but nothing I’ve seen so far is as easy to use, or as well integrated with Firefox as I’d like, and thus, I’m posting this bounty. Essentially, I’m asking you to improve upon the idea in the first link (Too Many Passwords), and convert it into a Firefox Extension.

Why Not Do It Myself?
Because I know very little about Firefox Extensions and would rather spend my time working on my own projects. It would take me many hours to piece together the knowledge required to get this working as I want it, but hardly any time for someone who is already familiar with writing Firefox Extensions, because all of the heavy lifting has already been written by other people. All that’s left is wiring up the GUI. I think it’s worth $100 to me and the community to have this built, and I think that someone familiar with writing Firefox Extensions should be able to finish it in about three hours, which seems a fair trade.

Details

Most of the details are covered in “The Fine Print” and the mock-up below. The only other thing, in case it wasn’t blazingly obvious, is that when you launch this via the Tools menu or a right click it should be some sort of XUL pop-up window that won’t be blocked by pop-up blockers. It would be best if you could make the JavaScript easy to separate from the extension so that I, or someone else, can use it to make a web based version, but this isn’t a criterion for winning. If you’ve got questions, or any of this seems a little vague, or you think a criterion should be changed, please contact me.

The Fine Print

  • I’m open to suggestions and changes on any of these requirements.
  • It is perfectly acceptable to build upon existing code (including but not limited to either of the links above) as long as the result can be open sourced and the licenses don’t appear to conflict.
  • The only programming language involved must be JavaScript and it should not call out to any external programs. I want this to be easy for people to extend.
  • Must work on Linux, OS X, and Windows. If you’re only using JavaScript this should be a non-issue. I’ll test it on all platforms the first business-day after I get the submission.
  • Unless you can convince me otherwise it should use SHA1 instead of MD5. Yes, they’ve both been “broken” but SHA1 is less broken. And yes, there are open source JavaScript implementations of SHA1.
  • Passwords should be in hex (base 64) format so as to avoid any whack characters that sites might not accept.
  • The password generation algorithm should be essentially the same as that of the first link except with SHA1 instead of MD5. That is to say, it should hash the password, then use that plus the contents of the “Domain (location)” field to generate a hash, and then use the first n characters of that as the password.
  • Must include all required images and make no calls to any web site. It doesn’t matter what images you use in your submission. I’ll probably replace them with something else anyway. But please use the little lock icon that follows this list beside the menu items. I may replace that too though. ;)
  • The lock icon displayed on the form should be the unlocked lock if the site is not using https, and the locked one if they are. If you can think of other non-obnoxious visual indicators (maybe different background images) to warn users that the site they’re currently on isn’t using SSL, feel free to add them in. Hooking into the way Firefox does it in the address bar would be optimal but I don’t know if this is possible.
  • The insertion into a text field or copying to a clipboard should happen when someone clicks one of the “n char” buttons, not when they click the radio button.
  • All criteria specified in the following mock-up must be met.
  • I’ll take care of the documentation, so you don’t have to bother.
  • The resulting extension will be open sourced and full credit will be given (unless you’d prefer to remain anonymous).
  • Feel free to optionally make it launchable via some key combination or F-key as long as it doesn’t conflict with anything you can think of.
  • I’ll need instructions (or a link to existing ones) on how to bundle your source code into a Firefox Extension.
  • The winner is the first project (.zip, .tgz, .bz2) that shows up in my e-mail, meets all the criteria, can be successfully built from source by me, and works in my Firefox.
  • I’ll e-mail the winner the gift certificate number upon receipt of working code that I can build from source and meets all the criteria. If you choose to have me donate to an open source project instead the project must have some easy way for me to make the donation (my definition of “easy”).

Lock icons: [images: lock, lock_open]

Mockup

[Mockup image: password_generator_mockup]


10 Responses
  • comic.masukomi.org » Archive » Turtled writes:
    February 24th, 2009 at 2:08 am

    [...] other news. I just put up a bounty for a Firefox Extension I want written. So, if you have any experience with writing those, or know someone who does, please [...]

  • Jakub Narebski writes:
    February 24th, 2009 at 2:44 pm

    Very good idea. (Unfortunately I don’t know how to write Firefox extension either.)

    A few comments:
    Why hex format, and not for example Base64, uuencode, or Ascii85? What to do if a web site has some requirements about passwords, like having mixed case, or at least one digit, or at least one punctuation character?
    Wouldn’t it be better to use exactly (or almost exactly) the same scheme as Firefox uses for its Awesomebar (URL location bar) to mark whether a site uses a secure connection, has some unencrypted elements on an otherwise encrypted page, or is unsecured?
    Shouldn’t submission be in XPI format, i.e. ready to install, instead of jar, zip, or tar.gz?

  • masukomi writes:
    February 24th, 2009 at 3:06 pm

    I’ve actually looked at what it would take by checking out the PwdHash plugin and it’s actually not that hard. It’d just take me a while to figure out how to get it into a menu and a right click and look up how to do the XUL styling (haven’t touched it in ages).

    Base64 I’m thinking. Yes the way Firefox checks security in the Awesomebar would be optimal. Not sure how easy that is or if it’s even possible. I suggested a standard compression format for the submission because I want raw source code that I can build into an xpi. The source code will then be put up as an open source project.

    I don’t have a good answer for the sites that require specific password constraints like upper and lower case, punctuation, etc. My thought is that supporting this would add a level of complexity to this plugin’s UI that would almost defeat it. There are other plugins like PasswordMaker, and desktop password generators, that are highly configurable, but as soon as you head down that road you lose the ease of use, and if it’s a pain to use only hardcore security geeks and paranoid people are going to bother. I essentially never encounter sites with these requirements. The rare things that do, like some banks, I’m fine with remembering a separate password for.

    One thing that could be done is to alternate case in all generated passwords: lower, upper, lower, upper… etc. for all generated passwords. You could also probably add a toggle to guarantee at least 1 digit, and then if you chose an 8-char password but the first digit was 10 chars in it’d give you a 10-char password instead (maybe relabel the buttons short, med, and long). Those two would take care of 99% of your issues. Although I’m thinking the number toggle thing would probably have to be either a default, so that you don’t have to remember which sites you used that at, or stored on a per site basis. But the problem with the latter is that then you can’t make a web based version for people to use if they happen to be on a different computer and can’t / won’t install the plugin.

  • Jakub Narebski writes:
    February 24th, 2009 at 5:09 pm

    Actually Base64 would give in most cases both mixed case and digits, so it would work in 99.9% cases.

    XPI is just zip archive, just like ODF (OpenDocument Format) files and JAR (Java ARchive) are zip archives, of course with some requirements to contents.

  • Decklin Foster writes:
    February 25th, 2009 at 2:03 pm

    I use pwgen in my non-Firefox[1] hacked up solution for this sort of thing, which has various options for adjusting the mix of uppercase/symbols/numbers. Might be worth incorporating (if there were a JavaScript implementation of the algorithm, I could use it from anywhere, even if I couldn’t SSH back to my server to run my script). Compared to straight-up Base64, which I used to use, it spits out things that are memorable enough that I at least know my Google or Twitter password off the top of my head, but still feel comfortably secure.

    (Of course, thanks to pipes and xdotool, I only *see* these passwords when running it from a terminal, just as Firefox extension users wouldn’t see their passwords normally. So they’d also probably only get familiar with the ones they had to use the web version for when stuck on someone else’s PC. Seems like a decent tradeoff.)

    [1] Conkeror.

  • weblog.masukomi.org » Why your tiered password scheme is flawed, and what to do about it. writes:
    February 26th, 2009 at 10:08 pm

    [...] Code Bounty: Firefox Password Generator [...]

  • chopin writes:
    February 27th, 2009 at 10:18 am

    Have you looked at:
    http://superjared.com/passworder/

  • W writes:
    February 27th, 2009 at 11:24 am

    Have you seen http://supergenpass.com/ ?

    W

  • pezhore writes:
    February 27th, 2009 at 12:22 pm

    I’d mention again passwordmaker… It does an amazing job of generating unique passwords based on a master password/hashing algorithm. It also allows for custom character sets from which to generate a password for those stupid sites that only allow [a-Z,0-9].

  • Greg writes:
    February 27th, 2009 at 11:25 pm

    I sent an email to this effect, but I went ahead and implemented a Firefox extension to do this. It’s up at http://gregstoll.dyndns.org/~gregstoll/passwordhash/ if anyone wants to try it out!


© Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.