Object-based Password (ObPwd) prototypes

Please keep in mind that these prototypes are still in progress. Please email (mmannan at gmail.com) your feedback. ObPwd was first presented at HotSec'08 (paper, slides).

What is ObPwd?

ObPwd is a technique to generate strong text passwords from any web object (selected text, images, and URLs), or your personal digital content - such as your photos, audio/video files, and documents. You must keep your password generating digital object (local files or a pointer to web objects), but do not need to memorize the generated password. Using ObPwd tools, you can always re-create your password from your web content or files whenever you want. ObPwd related FAQs.

ObPwd Firefox extensions and Applications (Mac, Windows)

• Get ObPwd Mac Application (OS X 10.5, i386)

  Usage: Drag and drop any file, image (including iPhoto), URL, and text block to the ObPwd application window, or select a file using the file dialog button. Your ObPwd password will be generated from the selected object. Preferences are also available from the application menu.

• Get ObPwd Firefox extension from Mozilla

  or Install from here (version: March 28, 2010)

  (Tested on Firefox versions 3.0.15, 3.5.5, 3.6.2.)

  Usage: While using Firefox, bring up the context menu (i.e., right-click) after selecting some text, an image, or a link of your choice on a web page. If you want to generate ObPwd from your local file, you don't need to select any particular web object. You will see one (or more) of the following four menu items under the Object-based Password (ObPwd) menu:

  • Get ObPwd from Local File: Generates ObPwd from a local file (a file dialog is used to get your selection).
  • Get ObPwd from Selected Text: Generates ObPwd from your selected text on a page. Pure text is used from the selection without any formatting information.
  • Get ObPwd from Image: Generates ObPwd from the selected image (the one you right-clicked on).
  • Get ObPwd from Link: Generates ObPwd from the link that you right-clicked on. Only certain types of HTTP and HTTPS links are supported (e.g., pdf, mp3, avi, txt).
  
  Auto filling password box:
  If you right-click inside a password input box and generate a password through ObPwd, the extension will directly copy the generated password into the password box. If you initiate the extension from anywhere else on the page, you will be given an option to copy the password in your clipboard (which you can then paste at any site of your choice).
  
  Preferences (use with caution):
  Now you can change the password length, include some special characters, and enable password creation from any URLs. Once you have changed these preferences, your password will be generated accordingly; i.e., ObPwd preferences are global, not site-specific, and the extension does not remember your settings for any specific site. So if you generate a password with certain preferences, you must make sure that the same preferences have been selected when you want to re-create the password.

  Example screenshots of the extension are also available.

• Install ObPwd Firefox extension (version: June 09, 2009)

  Usage: Same as above, except that this does not support preferences.

• Install ObPwd Firefox extension (July 01, 2008)

  Usage: Same as above, except that this does not support generating ObPwd from local files, and have no preferences.

  Example screenshots of the extension are also available.

• Windows Application (unzip to run the obpwd C# application inside, you may need to install the Microsoft .NET Framework)

  Usage: Click on the `Select File' button on the application, and select any local file through the file dialog. Your ObPwd password will be generated from the selected file.

Recommended files / web objects for ObPwd

• Choose any file or web object personally meaningful to you - as you must recall this when you want to re-create your password.
• System files (e.g., windows applications) should not be used - as they may be automatically updated.
• Publicly accessible files (e.g., personal websites, social networking sites), or files shared with others should not be used.
• Web objects that generally do not change should be chosen (e.g., snapshots of old pages as archived at archive.org).

Notes on the generated password

• The password length is 12 characters, alphanumeric.
• There is no special character in the generated password.
• At most the first 100,000 bytes of your object (file/URL/text) are used for generating a password.

Please send any bug reports or other feedback to: mmannan (at) gmail.com