This short film just changed my life. Really.
More information here, here, here, here and here. (via Alex King)
As I get ready for my trip to India I’m trying to figure out how to reduce my dependency on my laptop. I’ll bring it to India, but I plan to leave it with my in-laws, and just bring a USB keychain loaded up with portable Firefox (a version which also works on Mac OS X can be found here) and Thunderbird with me on the road. I’ll then use FeedLounge for reading my newsfeeds. Our home voicemail will be forwarded as e-mails using VoicePulse (I was considering taking the actual phone with us, but I doubt we’ll have the ability to plug it in anywhere, and we can always use Skype). I’ve also uploaded all my contacts to Plaxo, which will soon have a Mac OS X interface.
The only thing that was bugging me was passwords. I could have brought my Palm, but with all the camera equipment I don’t want to have to charge yet another device on the road. Now I don’t have to!!! I just have to make sure to change all my passwords over to the new system before I leave!
UPDATE: From the Password Composer FAQ:
Should I use this for my on-line banking account?
In one word: no.
You should follow the instructions you were given by your bank, credit card company and such instead. Use this script only in those cases where you otherwise were tempted to re-use one of your existing web personalities. In other words, this script fits in the large non critical space between serious web applications where your real world identity is at stake, and those cases where a login can be avoided alltogether. For the last category you might take a look at BugMeNot by the way.
But I figure that about 90% of my passwords fall in this category.
UPDATE: I’ve been implementing this and I have a few tips.
First of all, I recommend the greasemonkey version if you are using Firefox, as opposed to the Pasword Maker Firefox extension. The reason being that the simpler greasemonkey version is compatible with the web form and bookmarklet versions on Nic’s site. This means that you will have cross-platform compatibility. You can even save a copy of the source code for Nic’s web site on your own server so that you can be sure to always have it.
Secondly, the one problem with using this approach to passwords is that it is URL dependent. This is a problem because you might come to a site from different URLs (www.domain.com or domain.com), or the site you use to generate passwords might be different from the real domain name. The greasemonkey script solves the first problem, and Pasword Maker is able to handle both problems – but you still need to remember what the correct URL for login is, in case you attempt to login from the wrong one!
Third, you still need to remember your usernames. I realized that my username varies much more than I think it did. To solve these last two problems I suggest saving a single file with the domain name and username for every account. You should probably encrypt this file, but it doesn’t matter if someone else gets a hold of it, since they still won’t have your password. (The whole point of this is so that you use better passwords for eCommerce sites where you would probably otherwise use the same password for every site. But it isn’t industrial strength protection for things like your bank site.)
UPDATE: Sheesh. I had over 260 passwords stored in my password vault! I’ve eliminated about 60 of them and I’m exhausted. It is worth noting that while Pasword Maker can handle multiple accounts on a single domain (such as Gmail), the more robust solution (which works on all browsers) does not. Similarly, Password Maker can handle sites that require you to change your password regularly, but the simpler solution cannot. Since I don’t like being tied to a particular browser, I can’t use Password Maker, but I’m happy getting rid of all my other passwords. It is really nice to clean things up so that I only have to store a few critical passwords – like those for Gmail and my bank, not hundreds of useless web sites! (Half the sites I have saved passwords for don’t even seem to exist anymore!)
UPDATE: I have things working now, and I’m pretty happy with my system, but I don’t think it is yet something that would work for everyone. It is still a little complex to install and implement. For that to happen I think there needs to be some kind of a web standard in place, where each site generates its own hash. Then browsers could all automatically generate passwords based on your own master password and the site hash (rather than the URL). Sites could force an update to everyone’s password by generating a new hash for their site on a regular basis. (And sites like Gmail with multiple user accounts, could generate a unique hash for each user.) All additional information: usernames, challenge questions, etc. should then be eliminated. With a simpler system in place people would be more likely to follow better security practices.
UPDATE: Came up with a solution for multiple user accounts. Simply use the form version and then write the domain as “username.domain.com” to generate unique passwords for each user. You can then write this domain down in your encrypted list of domains and usernames.
Oct 02, 2005 @ 20:41:07
I’ve been using Key Maker for some time now. A similar approach — combine the URL, your login name, and a “pass phrase” — but it’s a standalone program. No Palm version, unfortunately.
Oct 02, 2005 @ 21:28:14
Also no mac version. The nice thing about this solution is that it can be used anywhere. You really shouldn’t need to know your URL and the login name, but unfortunately it seems that it is inevitable that you have to keep a record of them somewhere …
Oct 12, 2005 @ 09:28:18
Hi Kerim, that’s quite disciplined of you to take only your USB keychain. I can attest, though, that it is a nice experience, of being cut off from the Internet and from your computer for a short while.
So when are you going? BTW the film looks wonderful. I’m looking forward to it!
Oct 12, 2005 @ 10:35:00
Well, it is looking like I’ll have to take my laptop afterall – but I’m going to leave it with my inlaws for the six weeks we are shooting. We leave the first week in December!
We hope to have a preview of the film up on the web soon! Just needs subtitles, which are a pain!
Dec 06, 2005 @ 14:44:15
You do not have to use a username with PasswordMaker. Just leave it blank. It’s completely optional! That way there’s no username to remember.
Also, you wrote:
This isn’t accurate. The simple soution has the same field called “counter / modifier” for just this purpose.
Finally, you wrote:
You get this with PasswordMaker, too. You can download the HTML/Javascript from here and run it locally.
macosxhints - Get the most from X!
Dec 27, 2005 @ 20:50:38
[...] [ Reply to This ] Create a ‘password safe’ for online passwords Authored by: rhowell on Mon, Dec 5 ’05 at 08:43AM Use the keychain, as others have suggested. The best feature: you can sync your keychain between multiple computers. An odd bug: When you create a New Password Item, you can enter a URL for the name, which is handy. Why Safari insists on clobbering these when you choose Safari->Reset Safari…, I’ll never know. What if I use Firefox? Safari doesn’t even use these Password Items, it uses only the Autofill item. Ughh…[ Reply to This ] Create a ‘password safe’ for online passwords Authored by: adrianm on Mon, Dec 5 ’05 at 08:46AM Er, why not just use the KeyChain?[ Reply to This ] Create a ‘password safe’ for online passwords Authored by: luhmann on Mon, Dec 5 ’05 at 09:09AM This approach seems like a better way to go.[ Reply to This ] Create a ‘password safe’ for online passwords Authored by: pub3abn on Mon, Dec 5 ’05 at 09:10AM Personally I find the encrypted disk image method better. I routinely sync my password lists between home and work, and do not necessarily want to sync the whole keychain. I just drag the disk image to a USB drive, and copy it off onto the other computer. Also I have several different text files in a single disk image, which I use to keep track of various kind of notes. For me it is a much more organized and practical system.[ Reply to This ] Create a ‘password safe’ for online passwords – Authored by: siMac on Mon, Dec 5 ’05 at 09:20AM [...]