The GoSecure Applet
This applet uses the net.goui.util.GoSecure class to implement a simple but secure means by which to manage different passwords for multiple services which can be accessed from any web browser.
How to Generate a Password
In order to generate a secure password (and more importantly make sure you can reliably regenerate it later) you need to have a well defined process in place. You must make sure that any information you need to enter into the applet can be recalled at a later date, so being as methodical as possible is vital.
- Username : Typically this is just the normal username by which you identify yourself to the service in question. This is case sensitive so it would be sensible to only use lower case if possible or match the real username for which the password applies.
- Service : When choosing the string to use for a service it is good practice to follow the same convention for all passwords. If the service relates to a URL, consider using only the domain part, removing any protocol (http://) or directory information. Remember that a single service provider may have many websites, so pick the most canonical one you can (for example use "ebay.com" rather than "ebay.co.uk"). This is also case sensitive.
- Passphrase : This is the critical piece of information by which a password is generated. Your choice of passphrase must be both secure enough to avoid a brute force attack on the system and memorable enough that you won't risk forgetting it. Note that a passphrase needs to be at least 30 characters long before it can be considered good enough for generating secure passwords. It is well worth investing a few minutes of your time to construct a good passphrase which you can easily remember and which you won't have to write down anywhere.
- Length : This parameter defines the length of the password which will be generated. It is better to use the default length if possible but if there are constraints for a particular service, pick the longest available length.
- Type : This parameter controls the type of password produced by GoSecure (see below). The types are listed in increasing order of security so pick the most secure type which is acceptable to the service in question. Only use the pronounceable type if you will need to verbally confirm the password to someone.
- Spoken : The password will be composed from the set of lower-case Latin characters in accordance with the pronounceable password generator, described at http://www.multicians.org/thvv/gpw.html.
- Lower : The password will be composed from the set of lower-case Latin characters (ie, [a-z])
- Mixed : The password will be composed from the set of upper-case and lower-case
Latin characters (ie, [A-Z] + [a-z]).
- AlphaNum : The password will be composed from the set of upper-case and
lower-case Latin characters and the Latin numerals (ie, [A-Z] + [a-z] + [0-9]).
- Symbol : The password will be composed as for AlphaNum but with the addition of
the symbolic ASCII characters
If at First You Don't Succeed
Even when you have entered all this information in accordance with your chosen methodology there is still a chance that a generated password may not be suitable for a given service (for example a website may require that a password contains at least two symbol characters). In this case it is possible to hit Create again to generate the next password in sequence until a suitable password is found. This sequence is completely deterministic so when you come to regenerate this password you should be able to skip the same number of invalid passwords to retrieve your password.
The Applet Controls
- Create : This button creates the first/next password in the sequence. When this button is used to create the first password in a sequence, the input fields are disabled to prevent unexpected changes from occurring during the password generation sequence.
- Reset : This resets the applet during a password generation sequence to allow the inputs fields to be edited again.
- Show : This checkbox controls whether or not the password will be visible. If unset, the password will be shown in the same colour as the background of the text field; this is useful because whilst no longer visible the password can still be selected for cut&paste operations.
- Select : This button selects all the text within the password field for cut&paste operations. Only use this if there is no risk that the cut&paste history of the computer you are using could be accessed by anyone else.
- Dump : This will bring up a window containing a URL which can be used to launch the GoSecureLite applet to regenerate the current password (see below).
Setting Your Own Defaults
All of the input fields for the applet can have their defaults overridden by providing extra parameters in the HTML of the form <param name="parameter" value="default-value">. The valid parameters are:
- username : The username string (no default)
- service : The service string (no default)
- length : The password length (default = "12")
- type : The password type (default = "AlphaNum")
There are other parameters which you can supply to change the internal state of the applet:
- url : The base portion of the output URL (default = "http://goui.net/GoSecure.cgi")
- hash : The hashing algorithm used internally (default = "SHA-1")
- show : The default state of the Show checkbox (default = "true")
As well as the main GoSecure applet, there is a simplified version available targeted at password retrieval. This is intended to be used in conjunction with a simple CGI script, to allow bookmarks to be created which can contain all the non-secure information about a password.
The GoSecureLite applet contains a minimal UI and is expected to take most of its state from the parameters supplied to it. Typically the applet will be supplied with all its user information except the passphrase itself, ensuring that there is no risk of forgetting things like the service string used. This applet is designed to be launched by the GoSecure.cgi script which uses the parameters provided to the URL. The best way to create such a URL is to use the Dump feature of the main GoSecure applet.
As well as the applet parameters described above, the URL used to launch the GoSecureLite applet can contain other parameters.
- version : This is provided by the GoSecure class and is used to ensure that the correct version of the applet is launched (this is used directly by the GoSecure.cgi script and is not passed to the applet). This value should not be changed or removed.
- skip : This is present when the original password was not the first password in a given sequence; this allows the GoSecureLite applet to skip the same number of passwords automatically to ensure that the original password is retrieved. This value should not be changed or removed.
- salt : This is used to verify that the supplied passphrase is correct and helps guard against simple mistyping. However, it does provide an attacker with a small amount of information which could reduce the time it takes to crack your passphrase, but if a suitably good passphrase is chosen this shouldn't be of any practical use. If you are certain you will always remember your passphrase then the salt parameter can safely be removed from the URL and no passphrase verification will occur.
Typically you would generate one URL for each password you wish to manage and then add these to your bookmarks. You can also make them available on a webpage so they can be accessed from any computer. If you don't want people seeing your username for a particular site you can remove it from the URL and the GoSecureLite applet will prompt you for it.
Thanks go to Tom Van Vleck for letting me use his GPW (Generate Pronouncable Passwords) algorithm in this code (see http://www.multicians.org/thvv/gpw.html) and to Makoto Matsumoto and Takuji Nishimura for developing the rather nice Mersenne Twister implementation from which I derived the MTRandom class (see http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html).
As an aside to all of this (and a means to plug my own work a little) these applets both use the net.goui.awt.GoLayout class to manage the positioning of their components which makes specifying layouts like this very straightforward.