
#FF00AA


17 mar. 2007

One password to all your accounts


This is not very new, and I might even have heard about it before without investigating further, but SuperGenPass [via] is a fantastically simple and clever idea: whenever you need to register with a new website, you just click a simple bookmarklet, input your master password (which isn’t stored anywhere), and the script combines that master password and the website’s domain name to compute (and fill in) an undecipherable password unique to that website. The same combination of master password and domain name will always output the same password, so you don’t need to remember or even know it at all, but a rogue website admin cannot reverse-engineer the password you registered with to access your other accounts (well, not trivially, anyway). And phishing scams don’t work, because a site pretending to be someone else won’t have the right domain name.

Okay, so you’re in trouble if a website changes domain names after you registered (better to save a copy of the backup version so that you can manually figure out your password for any domain — or you can use the algorithm for anything other than a website, actually). And, since SuperGenPass uses JavaScript to display its form inside the current page, I suppose someone could theoretically craft a page that would detect SuperGenPass and steal your master password, but the risk of that is infinitesimal.
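The scheme described in the two paragraphs above, as an added example that is not SuperGenPass’s own code or algorithm (SuperGenPass has its own hash-based construction; this one uses PBKDF2-HMAC-SHA256, and the iteration count, output length, domain-canonicalisation rule and character-class policy are assumptions chosen here for illustration). It makes two of the caveats concrete: running the generator locally, outside any web page, removes the bookmarklet-in-page exposure entirely, and the “not trivially” qualifier about a rogue admin is exactly an offline guessing attack, which `recover_master` shows succeeds as soon as the master password is weak, however slow the hash is.

```python
import base64
import hashlib
import hmac

# Added example, not SuperGenPass's code. Parameter values are assumptions.
ITERATIONS = 50_000   # assumed PBKDF2 work factor; raise it for real use
LENGTH = 16           # assumed generated-password length (max 43 here)


def canonical_domain(site: str) -> str:
    """Reduce a URL or host name to its registrable domain, so that
    www.example.com, login.example.com and https://example.com/ all map
    to 'example.com'. Deliberately naive: keeps the last two labels only,
    which is wrong for suffixes such as co.uk; a real tool would consult
    the public suffix list."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0].rstrip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def _meets_policy(pw: str) -> bool:
    """Typical site rule: at least one lowercase, one uppercase, one digit."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derive_password(master: str, site: str, length: int = LENGTH) -> str:
    """Same master password + same domain -> same password, every time,
    with nothing stored anywhere."""
    domain = canonical_domain(site)
    # Slow KDF with the domain as salt: every site gets an independent key,
    # and an attacker holding one site's password pays ITERATIONS hashes
    # per master-password guess.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), ITERATIONS)
    # Cheap, deterministic expansion: rehash with a counter until the
    # result satisfies the character-class policy (almost always round 0).
    for counter in range(10_000):
        block = hmac.new(key, f"{domain}:{counter}".encode("utf-8"),
                         hashlib.sha256).digest()
        candidate = base64.urlsafe_b64encode(block).decode("ascii")
        candidate = candidate.rstrip("=")[:length]
        if _meets_policy(candidate):
            return candidate
    raise RuntimeError("no candidate met the policy")  # practically unreachable


def recover_master(site_password: str, site: str, guesses):
    """What a rogue site admin can do with the password you registered:
    guess the master password offline. Returns the first guess that
    reproduces the site password, or None."""
    for guess in guesses:
        if hmac.compare_digest(derive_password(guess, site), site_password):
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"            # constructed sample input
    print(derive_password(master, "https://www.example.com/login"))
    print(derive_password(master, "example.com"))       # identical to the line above
    print(derive_password(master, "example.com.evil.net"))  # phishing host: different
    # A weak master falls to a tiny wordlist despite the slow KDF.
    leaked = derive_password("letmein", "example.com")
    print(recover_master(leaked, "example.com", ["password", "123456", "letmein"]))
```

Note what a domain rename does: `derive_password(master, "newname.com")` is simply a different password, which is why the text recommends keeping a copy of the generator, and why an offline copy is the thing to back up rather than the bookmarklet. The two-label rule in `canonical_domain` is also a known weak spot of this toy (it turns login.example.co.uk into co.uk), so a real implementation needs the public suffix list.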

Come to think of it, I might just delete the bookmarklet and only save a copy of that backup version (which uses JavaScript locally, works offline, etc. — well, I haven’t checked the code, but I assume as much) to create my account passwords. I don’t need to type them in anyway (I have Safari and the Keychain for that); all I want is a way to retrieve my passwords if my saved password database ever gets lost.

(If you ever get to use it, you absolutely have to save a copy of that backup script in case you lose the bookmarklet: the algorithm might change down the line — it has apparently changed before — or the site could go under, and you would be sorry for your loss.)

Want to know when I post new content to my blog? It's as simple as registering for free with an RSS aggregator (Feedly, NewsBlur, Inoreader, …) and adding www.ff00aa.com to your feeds (or www.garoo.net if you want to subscribe to all my topics). We don't need newsletters, and we don't need Twitter; RSS still exists.

Legal information: This blog is hosted by OVH, 2 rue Kellermann, 59100 Roubaix, France, www.ovhcloud.com.

Personal data about this blog's readers are neither used nor transmitted to third parties. Comment authors can request their deletion by e-mail.

All contents © the author or quoted under fair use.