Comments on: More on Passwords

By: Browser Usage: Catch-22 | alexking.org

Browser Usage: Catch-22 | alexking.org — Wed, 18 Apr 2007 19:34:54 +0000

[...] on other things). The only plugin I’m using is the PwdHash plugin (for reasons previously discussed)1, and I have the web interface so I’m not completely reliant on the [...]

By: Brad Fults

Brad Fults — Mon, 26 Feb 2007 00:13:00 +0000

I responded to this post with a proposed solution.

By: Alex

Alex — Tue, 06 Feb 2007 17:27:43 +0000

I only responded to the keylogger issue because my post already refutes the other techniques you suggest and you didn’t offer any reasons to counter my arguments on them.

My page isn’t the home for PwdHash, as I noted in my previous post I merely created a better web interface than the one they offered.

I don’t intend to be dismissive, but it’s hard to engage in a “debate” when half of my responses are simply “go read what I wrote”.

Frankly, from your usage description I can’t see how using PwdHash would be a burden to you. Instead of replicating your passwords on every machine you’d just install this extension (which clearly you can do, since you’ve installed the Google extension).

By: Dan

Dan — Tue, 06 Feb 2007 15:24:37 +0000

Hollow? Read the site? A little dismissive don’t you think? My points didn’t just include keyloggers. And, I have read the pwdhash page including the standford page and skimmed Blake’s posts. If you are referring to my question about the password page I never followed the link you provided since I was relying on pwdhash to provide the marklet nor understood that your page was the homepage of pwdhash–until now–, my fault. :s

Anyways, personally I’m waiting for a better solution to come around. you’ve documented well the disadvantages of pwdhash in this post and the advantages still don’t out way them–for me–.

Just another time to look towards what’s ahead, like openid.

By: Aoyoyo

Aoyoyo — Tue, 06 Feb 2007 07:45:57 +0000

Apparently, I explained the same thing after inspired by your first article about passwords. Unfortunately, my post is written in Thai (my native language) hence you can’t make a good reference to it as a supportive post. Anyway, I’m trying PwdHash too.

Here the post is: http://www.rangwan.c[...]lar-firefox/

By: Alex

Alex — Tue, 06 Feb 2007 06:23:58 +0000

Dan, I’m afraid your arguments ring hollow. No matter what you do, if you use a machine with a key logger installed you’re screwed. If you’d like to know how PwdHash works, read the web site. It’s explained in much detail.

By: Dan

Dan — Tue, 06 Feb 2007 05:26:26 +0000

Well, you forced me to defend myself.

My solution doesn’t have any single points of failure except maybe someone retrieving my password db from one of my local machines and then cracking it somewhere else, which you know is highly unlikely. More unlikely then someone getting to your “password page”.

I refer to the “password page” from your previous post but I’m still unclear as how that page works. And I’m assuming that is the only way for you to get passwords from a new previously unused computers. Hmmm…hope you reset the browser cache.

So in defense I don’t have a “single point” of failure. Like everyone should I have all of my computers locked down with a system password and never stays unlocked while I’m away. I believe this is the single point of failure, if you’re worried about someone using an account of yours (locally) then you should be more worried about them getting into your apps, documents or stealing the damn computer and cracking somewhere else.

As for the trust Google thing. I have to; I use Gmail. They already know more about me then my mom or wife.

To detail what I do:
Multi-Tier
Modifiers
System password which is extremely hard to guess and locks down the computer on a 5 min. screensaver
Sync by GBS and a “Master password”

And when I’m away from any of my systems I can easily remember my passwords. Something you can never do with a hash. And I’m more worried of someone getting my master list through keylogging, screenshots or other malicious ways then them using the same method to get into one of my tiers.

I’m ranting a little and if you don’t mind I’ll continue.

We live in a world that we need to be paranoid and aware. If you limit yourself to just making your passwords long and impossible to crack then you’re allowing someone to locally break into your machine or someone tampering with your or anyother machine with something that logs your keys and/or hashes.

There are a lot of points of failure in the processes we use but you cannot deny the more common singe point of failure is trusting an untrusted machine. Which reminds me of a friends insight.

By: Brett

Brett — Tue, 06 Feb 2007 00:11:02 +0000

I use the password modifier mechanism, plus tiers. There are some sites that have absolutely no relation to my base passwords, but most are pretty close.

No, it’s not as good as a completely unique password. But it’s not bad enough, for me, to warrant changing all of my passwords everywhere.

My primary password aggravation is sites with ridiculous password requirements that force me to deviate from my pattern. “Your password must contain between 6 and 8 characters” or (this was just today at source forge) “Your password can contain only numbers and letters”. How ridiculous and insecure is that?

By: Alex

Alex — Mon, 05 Feb 2007 22:45:46 +0000

I have looked at several password hash programs, but I'm not sure how much I like cutting and pasting the hashed password. I would like a tool that would create the password and automatically fill it in on the form.

Um, that's exactly what PwsHash does... you only need the web interface if you aren't using a browser with the extension installed.

By: Ken

Ken — Mon, 05 Feb 2007 22:41:25 +0000

Thanks for a good article. I have been thinking through some of the same issues myself. I have been using a tier system, which as you say is better than nothing. I don’t think that random little sites are very likely to become top tier sites, although if that happened I would need to remember to change the password to something stronger. For key banking and investment sites, I use a unique password which is stored in a decidedly low-tech way: written on a piece of paper hidden at home. Even if someone broke into my house and stole my computer, chances are almost nil that they would also take my entire file cabinet and go through it page by page (assuming that my list is even in the cabinet). And a few of the most important passwords are recorded as a cryptic hint rather than the password itself.

I have looked at several password hash programs, but I’m not sure how much I like cutting and pasting the hashed password. I would like a tool that would create the password and automatically fill it in on the form. Then if it supported entry of the master password once/session it would be very convenient, almost as easy as storing the password in the browser but much more secure. But none of the programs that I looked at seem to have this capability.

By: Alex

Alex — Mon, 05 Feb 2007 20:41:23 +0000

I think I laid out pretty good arguments against tiers, so what are your rebuttals to my arguments against using tiers?

By: Robert Accettura

Robert Accettura — Mon, 05 Feb 2007 20:34:59 +0000

My solution was to create easy to remember passwords for many tiers. For example safepasswd.com was my implementation of easy to remember passwords (and complicated ones upon request.

I think ultimately you need to use tiers. Having separate passwords for real critical things (bank accounts, etc.) and shared ones for things you don’t really care about.