Friday, August 10, 2007

CookieInjector: The Idea

Three things you may know about me:
  1. My UW password (and thus, my GMail, TD Canada Trust, Bank of America, and cldellow.com passwords) was recently exposed by the ineptitude of my university.

  2. I dislike multi-factor authentication schemes that have become popular at banks recently. They aren't truly multi-factor and they result in more work for me.

  3. CodeCompete, which started in May, is now finished, so I have a spare SSL certificate kicking around.

Granted, the widespread nature of (1) is my own fault. I trusted my university not to expose my password, and thus I was sloppy and used the same password in multiple places. Bottom line: accidents happen, passwords get leaked. Plan for it.

So, once bitten, twice shy...



The above is my vision of a tool I've named the Cookie Injector. It is composed of two parts:
  1. An IP/STS (identity provider/security token service) residing on my machine that knows all of my passwords and can automatically talk to web-based authentication servers (e.g., google.com, uwaterloo.ca) to exchange my passwords for HTTP session cookies; and

  2. A C#/.NET application that can invoke CardSpace to retrieve a token from the above IP/STS, extract the session cookies, and inject them into Internet Explorer on the given computer.


Ideally, this will allow me to:

I'll be tinkering with this over the next month or so, and will publish any interesting progress.
