KeyCutter
(author: Robbert van Renesse, 2000)
Web service providers store passwords in clear text along with credit card information. Although SSL and X.509 certificates protect this information in transit over the Internet, they do not protect against malicious use of passwords by employees of the providers themselves. Equally dangerous, a hacker who breaks into one Web provider may try the passwords s/he finds there anywhere else. It is therefore important that you use unguessable passwords, and a different one for each provider. But remembering these passwords is virtually impossible, while writing them on a piece of paper or storing them in a file is a bad idea.
The KeyCutter tool fixes this problem. It uses no storage, yet is able to maintain a different, unguessable password for each service provider. The tool is available as an applet on the web, and can be accessed using the same browser with which you access the vendor's web site.
The way it works is simple: the user is identified by the triple (User ID, Birthday, Personal password). The user can pick his own id (for example, mine is "rvanren"). The password should be kept secret. After this information is entered, the user can type in the service provider's name or URL, and a password is generated by a so-called cryptographic hash function applied to all the information entered.
For convenience, KeyCutter can either generate a password or a PIN code, which some sites use rather than a password. (You can also use the tool to generate different PIN codes for your various credit cards.)
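The derivation described above, as an added Python example that is not KeyCutter's own code. The page does not name the hash function or the input encoding, so PBKDF2-HMAC-SHA-256, the length-prefixed encoding, the service-name normalisation, the output alphabet and the sample inputs are all assumptions.

```python
import hashlib
import hmac
import string

ITERATIONS = 100_000  # assumed work factor; slows offline guessing of the personal password

def _encode(fields):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never hash alike.
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)

def derive_key(user_id, birthday, secret, service):
    # Normalising the service name is an assumption: " Example.COM " and
    # "example.com" should yield the same password.
    salt = _encode([user_id, birthday, service.strip().lower()])
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def _stream(key, label):
    # Unbounded byte stream: HMAC-SHA-256 in counter mode under the derived key.
    counter = 0
    while True:
        yield from hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1

def _pick(key, label, symbols, length):
    # Rejection sampling: discard bytes that would bias the modulo reduction.
    limit = 256 - (256 % len(symbols))
    out = []
    for byte in _stream(key, label):
        if byte < limit:
            out.append(symbols[byte % len(symbols)])
            if len(out) == length:
                return "".join(out)

def password(user_id, birthday, secret, service, length=16):
    key = derive_key(user_id, birthday, secret, service)
    return _pick(key, b"password", string.ascii_letters + string.digits, length)

def pin(user_id, birthday, secret, service, length=4):
    # A separate label keeps the PIN unrelated to the password for the same site.
    key = derive_key(user_id, birthday, secret, service)
    return _pick(key, b"pin", string.digits, length)

if __name__ == "__main__":
    # Constructed sample inputs; "rvanren" is the id the page mentions.
    me = ("rvanren", "1970-01-01", "constructed personal password")
    print(password(*me, "example.com"), pin(*me, "example.com"))
```

Because nothing is stored, every generated password is only as strong as the personal password: a provider that sees one output can test guesses offline, which is why this sketch uses a slow key-derivation step rather than a single hash.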