Thursday, August 18, 2005
The Password Problem: Day 3, Password Composer
Today we take a look at a Firefox extension, "Password Composer", which generates a new password for each web site based on a single master password.
This one fits smoothly into the browser's interface. It puts a little red icon to the left of a web page's password field. Click the little red icon and it asks you for your master password, and asks whether you want to create the per-site password based on the full name of the site (e.g. "login.example.com") or just the short name (e.g. "example.com").
There are a few drawbacks. It's not really compatible with my favorite Firefox extension, NoScript. You don't have control over what characters go into the computed password, so you're stuck if you have to use a web form with an obnoxious password policy like "must include at least one punctuation mark". And when I looked at the actual programming, it turned out to be missing a standard precaution against bad guys trying passwords from dictionaries. Also, it's missing some of the anti-phishing checks that "pwdhash" has.
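To make two of those drawbacks concrete, here is an added example (not Password Composer's code and not part of the original post) of a per-site derivation that stretches the master password and guarantees every character class. It assumes the missing precaution is key stretching, which the post does not name; the function names, alphabets, iteration count and the naive two-label "short name" are likewise assumptions.

```javascript
// Added example: per-site password from a master password and a site name.
const crypto = require('crypto');

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGIT = '0123456789';
const PUNCT = '!#$%&*+-=?@_';          // assumed set; adjust per site policy
const CLASSES = [LOWER, UPPER, DIGIT, PUNCT];

// "Short name" here is simply the last two labels (assumption). That is wrong
// for suffixes such as co.uk; a real tool needs the Public Suffix List.
function siteName(host, useShort) {
  const labels = host.toLowerCase().split('.');
  return useShort ? labels.slice(-2).join('.') : labels.join('.');
}

function derivePassword(master, host, opts = {}) {
  const { useShort = true, length = 12, iterations = 200000 } = opts;
  if (length < CLASSES.length) throw new RangeError('length too short');
  // Key stretching: every dictionary guess at the master password now costs
  // `iterations` HMAC-SHA256 computations instead of a single hash.
  // The site name acts as the salt, so each site gets a different output.
  const bytes = crypto.pbkdf2Sync(
    master, siteName(host, useShort), iterations, length * 2, 'sha256');
  const all = CLASSES.join('');
  let out = '';
  for (let i = 0; i < length; i++) {
    // The first four positions are drawn from one class each, so policies like
    // "must include at least one punctuation mark" are always satisfied.
    const alphabet = i < CLASSES.length ? CLASSES[i] : all;
    // 16 bits per character keeps modulo bias small (not zero).
    out += alphabet[bytes.readUInt16BE(i * 2) % alphabet.length];
  }
  return out;
}
```

A phishing page on a different host yields a different site name and therefore a different password, but only if the site name is taken from the browser's real location rather than from anything the page supplies.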