New version of SuperGenPass


New version of SuperGenPass

ChrisSGP
Administrator
I am preparing a new version of SGP. My main goals are:

1. Fix bugs. Most bugs are related to framesets and iframes, and the detection of password fields therein. However, many reported bugs are, in fact, unfixable due to cross-site-scripting restrictions put in place by the Web browser.

2. Address some (but not all) security concerns. SuperGenPass, in bookmarklet form, likely will never be entirely shielded from potential attacks. I do plan a number of changes that will make it resistant to the kind of attacks that it has been theorized SGP could be made vulnerable to.

3. Satisfy some (but not all) feature requests. I am strongly resistant to bloating SGP with new features and user input variables. However, I am open to suggestions, provided they advance the goal of keeping SGP simple, easy to use, and elegant. (Please do not request that I incorporate a different hash algorithm into SGP.)

4. Simplify the code. Currently, SGP uses DOM manipulation to create the SGP window. This makes the UI very difficult to maintain. I am exploring the idea of using a Data URI to encode the SGP window. This would result in dropping support for versions of Internet Explorer older than—I think—8. Statistics show that use of these browser versions among SGP users is extremely low.

5. Share the code. SGP is, to understate things, not actively developed. I hope by sharing the code on GitHub I can encourage development, forking, and porting—things I am in favor of but do not have the time to do myself.

I will update this thread as development proceeds to elaborate on the above points. Feel free to link to or outline bugs and features you think should be addressed and ideas you might have to help mitigate the problems currently facing SGP. I am particularly interested in community opinion on deprecating the "Internet Explorer" version of SGP and the use of Data URIs within the bookmarklet.

Re: New version of SuperGenPass

jackquack
Hi Chris,

I look forward to the code on GitHub and the new release. I would definitely be interested in contributing.

Sincerely,
marc

Re: New version of SuperGenPass

David Collantes
In reply to this post by ChrisSGP
Looking forward to the new version. Thanks for your work, Chris!

Re: New version of SuperGenPass

David Collantes
In reply to this post by ChrisSGP
Eagerly awaiting... :-)

Re: New version of SuperGenPass

ChrisSGP
Administrator
To provide a very quick update, I have found a way forward and am about halfway towards releasing a beta, which I will do here.

The fact that the bookmarklet remains vulnerable to DOM-based attacks is troubling. I have found a way to prevent them but, naturally, it involves some compromises. To summarize the problem:

The current version of SGP is constructed entirely within the DOM of the login page. While the code is within a wrapper function, the DOM elements are exposed to a theoretically malicious site owner.

The solution? Take advantage of HTML5's postMessage API. Instead of a self-contained bookmarklet, SuperGenPass would instead:

1. Load an HTML file from supergenpass.com in a floating iframe.
2. Use the postMessage API to pass the generated password to the login page, where it is populated into password fields.

Since the user enters their master password in an iframe from another domain, SGP is protected from malicious login pages via the browser's built-in XSS policies. The only thing that the login page has access to is the generated password.

Compromises? A few:

A. Internet Explorer support is trimmed to IE8 and newer.
B. The bookmarklet is no longer self-contained for any browser. It relies on an Internet connection to load an HTML file from supergenpass.com (or your own host, if you prefer). Aggressive server caching may allow offline use, but it is not guaranteed.
C. The bookmarklet no longer supports picking up the master password from the login page's password field. For security, the master password must be typed into the iframe's password field.
D. Hardcoded master passwords and hash verification are no longer available.

This may be jarring, but some mitigating notes:

i. I am replacing hash verification with Identicons. Instead of using an actual hash to verify that a master password was typed correctly, a unique, hash-based Identicon serves as a visual confirmation to the user.
ii. I plan on further releasing a GreaseMonkey version of SGP that addresses compromises B, C, and D.
iii. The source will be on GitHub and should be *much* easier to work with. So anyone is free to go their own way.

I'm sure this presents some questions, which I will try my best to address. SGP is a neglected hobby project, and for that I apologize. I hope to have a beta ready for testing in two to three weeks.
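The iframe-plus-postMessage hand-off described in this post, written out as an added example (not SuperGenPass's own code). The message type names, the hello handshake and the https://supergenpass.com origin are assumptions; the key defensive points are that the login page checks event.origin and the frame replies only to the recorded origin, never to '*'.

```javascript
// Added example, not SuperGenPass's own code. Message names and origin are assumed.
const SGP_ORIGIN = 'https://supergenpass.com'; // assumed origin of the iframe page

// ---- login-page side (bookmarklet) ----
// Tell the frame who embedded it; the frame reads our origin from event.origin,
// which the browser sets and page script cannot forge.
function sendHello(frameWindow) {
  frameWindow.postMessage({ type: 'sgp-hello' }, SGP_ORIGIN);
}

// Accept a password only from the SGP origin and only in the expected shape.
function acceptPasswordMessage(event, expectedOrigin = SGP_ORIGIN) {
  if (event.origin !== expectedOrigin) return null; // drop messages from any other frame
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'sgp-password') return null;
  if (typeof d.password !== 'string' || d.password.length === 0) return null;
  return d.password;
}

// Populate every password field on the login page; returns how many were filled.
function fillPasswordFields(doc, password) {
  const fields = doc.querySelectorAll('input[type="password"]');
  fields.forEach((f) => { f.value = password; });
  return fields.length;
}

// ---- iframe side (page served from supergenpass.com) ----
// The master password is typed inside this frame and never leaves it; only the
// generated password is posted, and only to the origin recorded from the hello.
function createFrameSide(postToParent) {
  let loginOrigin = null;
  return {
    onMessage(event) { // record the embedder's origin from the browser-set field
      if (event.data && event.data.type === 'sgp-hello') loginOrigin = event.origin;
    },
    deliver(generatedPassword) { // called from the frame's own submit handler
      if (!loginOrigin) return false; // no hello yet: nowhere safe to send
      postToParent({ type: 'sgp-password', password: generatedPassword }, loginOrigin);
      return true;
    },
  };
}
```

In the browser, the login page wires `acceptPasswordMessage` and `fillPasswordFields` into `window.addEventListener('message', ...)`, and the frame passes `(msg, origin) => window.parent.postMessage(msg, origin)` to `createFrameSide`.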

Re: New version of SuperGenPass

FlavioSuarez
Hi!

I liked the news!
I use the bookmarklet and already type the Master Password in the bookmarklet's field...
Do you know the SuperGenPass Opera Extension? https://addons.opera.com/en/addons/extensions/details/supergenpass/1.2/?display=en
There is something called "local storage" (or so). I don't know if this is only for Opera extensions or for JavaScript files too... Maybe the SuperGenPass Opera Extension author could give you some ideas!
I liked the Identicon idea too!

Looking forward!
Best regards!