S60 and Password Maker


David Gilson tackles that age old problem of how to manage web passwords using your desktop and smartphone - and he ends up at a solution that most readers won't even have heard of. It's also a solution that doesn't actually store your passwords anywhere at all, making it device-independent and utterly secure from hacking, in the case of theft or loss. Read on...

Password management is a tricky topic at the best of times, and even more so on mobile devices. The simplest form of password management is to use the same password everywhere. This has the obvious flaw that if one website is compromised, all of your online identities are at risk. Therefore, the sensible alternative is to have different passwords for every web site/service that you use. As ever, security and convenience conflict; with the wide range of services that many people use, it can be difficult to remember a password for each of them. Fortunately, all modern web browsers offer to remember log-in details. However, those details are not always stored in an encrypted file.

If you want to be serious about handling passwords, you could opt for a password management application; and there are quite a few for S60. However, many of these are dead-end silos, which make it difficult to share passwords with any other device. There are other solutions, such as LastPass, which gets around the sharing problem by storing your passwords in the cloud, and provides mobile access via native applications. Of course, this type of solution requires you to trust a particular company with all of your passwords.

Mobile password management

Using a native application to store passwords means that if you lose your phone, the local store of passwords is at risk of being cracked. Even though recent versions of S60 have a remote wipe feature, you should assume that a copy of the password file could be made in the intervening time. As such, your phone's new owner can take their time in cracking your password file via brute force methods. Therefore, any stored passwords need to be considered vulnerable.

An alternative to storing passwords is to calculate them on the fly. Fortunately, there is an open source tool to do this, called Password Maker. In simple terms, Password Maker works by combining a master password with the URL of a website to create a cryptographically strong password. Therefore, by just remembering one password, you can generate a different password for every web site you log into. Using Password Maker can be this simple, but there are plenty of other parameters you can set to increase password complexity, e.g. which hashing algorithm to use and the range of allowed characters.

Password Maker desktop edition running in S60 5th Edition Web

For desktop users, Password Maker comes in a wide range of formats: from native applications, to browser plugins, to HTML versions. There isn't a native S60 version of Password Maker, but the HTML versions work just as well. There are two HTML-based versions: a JavaScript-powered desktop version and a PHP-driven mobile version. Both of these can be used from the Password Maker website, http://passwordmaker.org/passwordmaker.html and http://m.passwordmaker.org/, respectively. However, they are also freely available for self-hosting, which also allows you to customise the code.

Password Maker mobile site

The desktop version of Password Maker won't work with Opera Mini, because of the real-time JavaScript password generation. Thus Opera Mini users will need to use the mobile version (which requires PHP running if you choose to self-host). Note, however, that all generated passwords will then pass through Opera's pre-rendering servers (twice if you count the authentication process). Fortunately, Web supports copy and paste in text fields, so transferring passwords from the JavaScript version of Password Maker to a login form is quite easy.

The advantage of using Password Maker is that only you know your master password and the parameters used to generate your passwords. Therefore, even if you lose your phone, your passwords are safe because they were never stored. Also, accessing your passwords from any device is trivial.

David Gilson for All About Symbian, 1st June 2010.