Hey Hey,

It's a fairly cool idea.... I see a few problems and benefits..

1) People accessing your computer... You could tell them your "password" for site X and it wouldn't be detrimental to you... (benefit)... However, if this method became a popular way of protecting passwords and creating difficult passwords, then as more people used it they'd understand what you were doing, and that would be a problem.... Either way you shouldn't be giving your password out, but I could see that thought running through people's heads..

Now a couple of problems I see..

You're away from your computer.. or your computer dies (as my PC just did)... You suddenly can't access your sites unless you set up the same bookmarklet..

Even though the password that's being sent is more complex, I don't see it making things more difficult... In fact I'd see it lowering security...

As a malicious person I know of this script... so now when I perform a dictionary attack, I run it four times... once with the words unaltered, once with them base64'd, once with them md5'd and once with them sha-1'd... That's significantly less time than a brute force of a "random" complex password...

So I don't think you're really increasing the complexity of the password... it's actually more harmful to the user in the end.. they feel secure using a simple password.. but it's just as easy for the bad guys to get in...

There's also the problem that when, for example, I design a database... I seldom make the password field 128 or 256/512 characters long... which would make MD5 and SHA-1 useless......


However I'll also share my complex but easy to remember password style...

Websites... but never the website you're logging into..

so my account for CNN may be username: htregz password: http://www.google.ca/codesearch

My login for the computers at work might be username: htregz password: http://www.antionline.com/newreply.php

Sometimes I'll drop the page and just use http://www.computerdefense.org.

I think these make great passwords.... they're long... complex (yet only : / and . unless you use a site with a - or a number)... and because we're internet-based people these days, they are quick and easy to type and remember.

Peace,
HT
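To put numbers on HT's dictionary-attack point, here is an added example (my own code, not the bookmarklet being discussed and not HT's). It models the bookmarklet as "take a memorable word, send it raw, base64'd, md5'd or sha-1'd", assumes the target site stores an unsalted SHA-256 of whatever password it receives (a constructed stand-in for any fixed server-side check), and then runs the four-form dictionary attack against a small constructed wordlist. The word list, the victim's word and the storage scheme are all assumptions for illustration.

```python
import base64
import hashlib

# Constructed sample wordlist; a real attacker would use millions of entries,
# but the cost argument below only depends on its size times four.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty", "welcome"]

# The four candidate forms HT mentions, in the order the attack tries them.
MODES = ("plain", "base64", "md5", "sha1")


def transforms(word):
    """Return the four forms a bookmarklet of this kind could send for one word."""
    raw = word.encode()
    return {
        "plain": word,
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }


def bookmarklet(word, mode):
    """Model of the user's bookmarklet: memorable word in, transformed password out."""
    return transforms(word)[mode]


def site_store(sent_password):
    """Assumed server side: the site hashes whatever password it receives.
    Unsalted SHA-256 is a constructed stand-in; any deterministic check behaves
    the same for the purposes of this comparison."""
    return hashlib.sha256(sent_password.encode()).hexdigest()


def dictionary_attack(stored_hash, wordlist):
    """Try every word in each of the four forms against the stored verifier.
    Returns (word, mode, attempts) on success, or None if the wordlist misses."""
    attempts = 0
    for word in wordlist:
        forms = transforms(word)
        for mode in MODES:
            attempts += 1
            if site_store(forms[mode]) == stored_hash:
                return word, mode, attempts
    return None


def attack_upper_bound(wordlist):
    """Worst-case guesses for the four-form dictionary attack: 4 per word."""
    return len(MODES) * len(wordlist)


def random_password_space(length, alphabet_size=62):
    """Guesses needed to exhaust a genuinely random password of this length
    over an alphabet of the given size (62 = upper + lower + digits)."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Victim memorises "sunshine" and lets the bookmarklet send its MD5.
    stored = site_store(bookmarklet("sunshine", "md5"))
    print("site stores:", stored)
    print("attack result:", dictionary_attack(stored, WORDLIST))
    print("dictionary attack worst case:", attack_upper_bound(WORDLIST), "guesses")
    print("random 8-char password space:", random_password_space(8), "guesses")
```

The recovered entry is the memorable word plus which transform was used, which is all the attacker needs to log in, and the worst case is four guesses per dictionary word rather than the 62^n of a genuinely random password of the same length as the hash that was sent.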