I came across PasswordMaker on the most recent MozillaZine Independent Status Report. It’s a password generator – a bit like Blake’s PwdHash, but it takes the approach I recommended in my comments of getting people to take an explicit action to fill in the password.
Unfortunately, I can’t recommend it, because (and this is why this post is in the Usability category) the authors seem to have gone out of their way to make the program extra complex. To see what I mean, have a look at the online version, which you are supposed to use when you don’t have access to a copy of the extension.
Now, the ideal UI for something like this would be one where you enter your master password once, and then enter URLs, and an appropriate password comes back to you. At most, you have to enter two pieces of information. However, with PasswordMaker, you also need to enter:
- “Use l33t” – whether you want to put the text through a l33t-speak generator at various points in the process. I can’t see the point of this, apart from to create more settings to remember. It doesn’t make the generated passwords any more compatible.
- “l33t level” – a parameter for configuring the l33t feature.
- “Hash algorithm” – why would a user ever want to choose the hash algorithm? The implementor should just pick any of the suitable ones, and stick with it. Yet another thing to remember, and gratuitous incompatibility and complexity. Note the number of JS algorithm libraries the page has to include.
- “URL components” – choose which URL components are included in the hash to make up the password. I can’t see a use for this either – clearly, you should include the protocol, port, domain and path but not the query parameters. Sadly, in the online UI, that’s not one of the options – “query parameters” are bound to “path” in the same checkbox.
- “Length of generated password” – this should just be the length which is long enough to be secure, and compatible with most restrictions people place on forms. I’d suggest 8, but you’d need to do research.
- “v0.1 compatibility mode” – a.k.a. they didn’t think about all this stuff hard enough first time round ;-). Note that you can only select this if you remember that version 0.1 used MD5 as the hash algorithm – but it doesn’t say that anywhere.
In summary, PasswordMaker is an excellent idea, but it has a terminal case of featureitis. My recommendation: do a (backwardly-incompatible) version 2 with sensible defaults and no configuration, and it could really take off.