Flutterby™! : Automatic logins 2008-11-12 23:11:21.868613+00

Automatic logins

2008-11-12 23:11:21.868613+00 by Dan Lyke 13 comments

Dear lazy web, I want a Firefox plug-in that lets me automatically log in to a bunch of sites. Several sites seem to think that "remember me forever" means about a day, and at other times I think Firefox may have long-term cookie memory issues, but I want a button that goes and logs me in to all the different sites I come across.

Bonus points for a tool that doesn't give me a button, but recognizes when I'm going to a site and logs me in invisibly. This shouldn't be hard, it could be simple URL matching and some basic "go to this URL, fill in this form" capabilities.

I've been using Clipperz to manage my myriad website passwords. It has a "direct login" feature that's pretty close. You still have to log into Clipperz fist. It stores all of your passwords encrypted on their server. The passwords are sent to your browser and decrypted locally. It's good enough that I've donated to their effort.

I think, with some more manpower and polish, something like Clipperz could become a killer-app. I'd really like to see it integrated more closely into the browser. I don't like the way Firefox or IE "remember" passwords.

I'm pretty happy with the way Safari does this for me. I wonder if that bit is in the open-source bit or if it's in Apple's proprietary additions.

I'm old school paranoid: I'm using 20+ logins and password combinations, some of the low security ones are formulatic, most are pretty darn random. A few are written on a piece of paper in a locked safe in case I die.

That was part of a heck of a pass phrase - It was hard to type correctly even when you knew it, and it was hard to forget.

My biggest problem is that I have to keep up with IDs and passwords on a dozen or so different systems and each one has a different password strength rule and expiry cycle.

I just got my new federal credential that stores all kinds of encrypted stuff directly in the RFID-enabled card. To unlock it, I have to enter a 6 digit PIN and scan a finger print. Every other PIN I've ever used has been 4 digits. So I had to create a new one. Hopefully I'll remember that PIN when I have to use it again in that capacity!

I've got enough interesting SSH keys on this machine that I'm reduced to thinking about it as a matter of physical security. Get to my computer, you've got it all, but 'til then...

However, the main thing I want explicit login for are things like LiveJournal, LumberJocks, and a few other discussion forums. When I'm working from my user account on this laptop, I should never go to one of those sites and not be logged in. Not terribly high risk if those accounts are lost, but an annoyance if I have to do several clicks to get my cookies set right.

OpenID may yet, but everybody wants to be a provider, nobody wants to be a consumer.

Doesn't solve this particular problem, but would solve yours and be a step towards solving mine.

I played around with using signed certificates to authenticate web users. Got it working too (not terribly hard really, but the CA I created expired on me---oops). Unfortunately, you have to install the certificate in the browser, but if you are only logging into a site from a single computer (or just a few well-protected ones) then it seems like a decent idea. Automatic expriation, evokation, etc.

#Comment Re: made: 2008-11-15 04:22:09.87595+00 by: dexev [edit history]

I've been using GreaseMonkey scripts for something like this -- in my case, I wanted to remember passwords even if the site didn't want them to be.

We got the client certificate stuff working when I worked here. All of the major browsers will generate certificate requests and install the certs automatically, if you know how to ask properly.

OpenID: I wouldn't be surprised to see some large media companies starting to act as consumers in the very near future.

Can you point to instructions (or a tutorial) on how to get browsers to generate certificate requests and install certs automatically? That sounds like something interesting to do.

Certificates: No tutorial, sadly...everything had to be figured out from bits and pieces. Most browsers listen to Netscapes 'keygen' tag, IE uses the 'Enroll' javascript library. IE7/Vista juses a different interface that didn't work as of last year.

I'm reluctant to be too explicit here -- I'm not sure how much I'm allowed to talk about -- but since all of the code (except the actual certificate generation) is browser-based, a look at a working example should give you a good start. This is the page that I had a hand in.