Steve brought up some interesting points when I spoke with him about my passwords post and Dan dropped by and left a comment with a few alternative suggestions (most of which I pretty strongly disagree with). I realize I didn’t go into much detail in my previous post as to why I’m making a big deal out of this.
I’ll try to explain how I see this issue a little better and why I’ve started using PwdHash and started changing my account passwords accordingly.
The Problem
Most folks I know have the same username at many different services. It’s just become something you do. When a new service is announced that looks even vaguely interesting, you go and sign up to reserve your username just in case it’s something you’ll want to use in the future. Most folks use the same password for all of these accounts as well.
As noted on the PwdHash web site:
The Common Password Problem. Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective.
This is the crux of the problem. You are now trusting your account security at all of the sites you’ve signed up at to the security at some random service you signed up for 2 years ago which has long since gone tits up. That should make you nervous.
Non-Solutions
Using Hard to Guess Passwords
Geof points out a great way to create hard-to-guess, easy-to-remember passwords, but you just can’t remember enough unique passwords to have one for every site.
Tiers
When I was re-using passwords at multiple sites, I had tiers of passwords. I was using one password for random little sites, another for more critical sites, and a handful that were used only for financial sites, etc.
This certainly helps to mitigate your risk, but it isn’t a solution. There are lots of problems with this approach – first and foremost that it doesn’t solve the problem. Also, sites will fluctuate between your “tiers” over time. That hot-new-site.com that was crucial a year ago may be long forgotten today with their doors closed and their IP and customer data sold off, but you’re still trusting all of your data in all of the sites in that tier to hot-new-site.com. Tiers aren’t a solution.
Store Them in Your Browser
Letting your browser save all your passwords sure is an easy solution. You just click the ‘save’ button when you log in and you can use a unique password for each site and you don’t have to think about it again. Of course, it also means that anyone using your computer will have access to your accounts. Obviously, not such a good idea.
Sure, the vast majority of the time it’s not a problem, but sometimes things don’t go as you planned – for whatever reason. Having all of your passwords saved in one place ready to be auto-filled into the appropriate web sites isn’t a good thing. “But I use Firefox’s Master Password feature.” Congratulations, you’ve added a single point of failure – that isn’t so good either.
But that isn’t the real problem with this approach. The real problem is what you do when you get to work or get home and can’t remember the new unique password you created for a site when you were at a different computer. Which brings us to…
Trust Them to Google
Dan points out Google Browser Sync as a solution to making sure all of your computers have all of your passwords. Of course, this exacerbates the problem of storing your passwords in your browser in the first place (especially if you’re talking about having them on “3 macs […] and a couple linux and windows boxes”), but let’s ignore that and move along.
Let’s even set aside the whole “trusting your life to Google” argument¹, because that’s a rat’s nest we really don’t need to visit right now. The real reason that a “browser sync” isn’t a solution is that you will need to use browsers that aren’t synced from time to time.
Because you’ll want to access your various web accounts from browsers that don’t have all of your passwords stored on them, storing passwords in your browser isn’t a real solution. You won’t be able to remember a unique password for each account, so you’re back to re-using passwords. Welcome back to the start of the decision tree.
Same Password With a Modifier
I’ll admit, this technique isn’t really that horrible – especially if you combine it with a tiered approach. Basically what you do is take a base password like:
fuzzyslippers
and customize it for each site. For example, you might append the first letter of the domain name, like:
fuzzyslippersf
for Flickr – oops, bad example. Joking, joking… 🙂 You can also use the numeric value of the first letter of the domain name:
fuzzyslippers20
for Twitter. Other things to consider are prepending and appending the modifier based on odd/even numbers, etc.
This is definitely better than simply using the same password at each site, but it isn’t nearly as good as a completely unique password for every site.
Problems with PwdHash
I think that PwdHash is a good compromise solution and I’m now using it. However, it isn’t perfect either.
- Using a single password as the generation point for your hashed passwords still leaves you with a single point of failure. However, at least protecting that password is in your hands, not the hands of some web site you signed up with.
- It’s a hassle to have to go generate a password before you log in to a web account from a browser where you don’t have PwdHash installed. This isn’t a common occurrence for me, so it isn’t enough of a hassle to be a deterrent.
- The PwdHash Firefox extension doesn’t work for HTTP authentication (the browser’s 401 login dialog), so you have to use the web interface to generate a password when logging in to a 401 authenticated service.
- This is being a bit nit-picky because I can’t remember a time this has actually been an issue for me, but using a hashed password does mean you need a password hashing tool to get your password for something. If you have to authenticate on the phone or something when you’re away from an internet connection, that could be an issue.
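To make the difference between the two schemes concrete, here is an added example (my own illustration, not code from the post or from the PwdHash project) that implements the “same password with a modifier” trick from above next to a PwdHash-style derived password. The derived version uses HMAC-SHA256 and a simplified domain normalisation, which is an assumption for illustration; the real extension uses HMAC-MD5 and its own encoding. The point it shows: a password stolen from one site under the modifier scheme hands over the base password, while a hashed one reveals nothing about the master or about other sites.

```python
import base64
import hashlib
import hmac
import re


def site_key(url: str) -> str:
    """Reduce a URL or host name to the bare domain a password is bound to.

    Assumption: strip scheme, port, path and a leading "www."; a real tool
    also has to handle public suffixes such as .co.uk.
    """
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def modifier_password(base: str, url: str) -> str:
    """The post's 'same password with a modifier' scheme: append the alphabet
    position of the domain's first letter (t -> 20, so twitter -> base + '20')."""
    first = site_key(url)[0]
    return f"{base}{ord(first) - ord('a') + 1}"


def hashed_password(master: str, url: str, length: int = 16,
                    alnum_only: bool = False) -> str:
    """PwdHash-style per-site password: HMAC-SHA256(key=master, msg=domain),
    base64-encoded and truncated. The master never appears in the output,
    and the digest is one-way, so a leaked site password does not expose it."""
    domain = site_key(url)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    pw = base64.b64encode(digest).decode().rstrip("=")
    if alnum_only:  # for sites that forbid symbols in passwords
        pw = re.sub(r"[^A-Za-z0-9]", "", pw)
    return pw[:length]


def leak_exposes_base(leaked_password: str, base: str) -> bool:
    """Does a password stolen at one site contain the shared base/master?
    True for the modifier scheme, False for the hashed scheme."""
    return base in leaked_password


if __name__ == "__main__":
    base = "fuzzyslippers"  # constructed sample, same as the post's example
    for site in ("www.flickr.com", "twitter.com"):
        print(site, modifier_password(base, site), hashed_password(base, site))
```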
Summation
I’m in the process of switching all of my logins to PwdHash’d logins and I’ve turned off the password manager in Firefox. I think that both are smart moves.
Even if you’re not ready to start using something like PwdHash for all your account passwords I hope this article has made you think a little bit. This is only going to be more important in the future as we put more of our lives online. At least until everything supports OpenID.
¹ Yes, I know that the data is encrypted – yet another single point of failure for all of your site logins.
This post is part of the thread: Passwords – an ongoing story on this site.
My solution was to create easy to remember passwords for many tiers. For example safepasswd.com was my implementation of easy to remember passwords (and complicated ones upon request).
I think ultimately you need to use tiers. Having separate passwords for real critical things (bank accounts, etc.) and shared ones for things you don’t really care about.
I think I laid out pretty good arguments against tiers, so what are your rebuttals to my arguments against using tiers?
Thanks for a good article. I have been thinking through some of the same issues myself. I have been using a tier system, which as you say is better than nothing. I don’t think that random little sites are very likely to become top tier sites, although if that happened I would need to remember to change the password to something stronger. For key banking and investment sites, I use a unique password which is stored in a decidedly low-tech way: written on a piece of paper hidden at home. Even if someone broke into my house and stole my computer, chances are almost nil that they would also take my entire file cabinet and go through it page by page (assuming that my list is even in the cabinet). And a few of the most important passwords are recorded as a cryptic hint rather than the password itself.
I have looked at several password hash programs, but I’m not sure how much I like cutting and pasting the hashed password. I would like a tool that would create the password and automatically fill it in on the form. Then if it supported entry of the master password once/session it would be very convenient, almost as easy as storing the password in the browser but much more secure. But none of the programs that I looked at seem to have this capability.
Um, that’s exactly what PwdHash does… you only need the web interface if you aren’t using a browser with the extension installed.
I use the password modifier mechanism, plus tiers. There are some sites that have absolutely no relation to my base passwords, but most are pretty close.
No, it’s not as good as a completely unique password. But it’s not bad enough, for me, to warrant changing all of my passwords everywhere.
My primary password aggravation is sites with ridiculous password requirements that force me to deviate from my pattern. “Your password must contain between 6 and 8 characters” or (this was just today at source forge) “Your password can contain only numbers and letters”. How ridiculous and insecure is that?
Well, you forced me to defend myself. 🙂
My solution doesn’t have any single points of failure except maybe someone retrieving my password db from one of my local machines and then cracking it somewhere else, which you know is highly unlikely. More unlikely than someone getting to your “password page”.
I refer to the “password page” from your previous post but I’m still unclear as to how that page works. And I’m assuming that is the only way for you to get passwords from a new, previously unused computer. Hmmm…hope you reset the browser cache.
So in defense I don’t have a “single point” of failure. Like everyone should, I have all of my computers locked down with a system password and they never stay unlocked while I’m away. I believe this is the single point of failure; if you’re worried about someone using an account of yours (locally) then you should be more worried about them getting into your apps, documents or stealing the damn computer and cracking somewhere else.
As for the trust Google thing. I have to; I use Gmail. They already know more about me than my mom or wife.
To detail what I do:
Multi-Tier
Modifiers
System password which is extremely hard to guess and locks down the computer on a 5 min. screensaver
Sync by GBS and a “Master password”
And when I’m away from any of my systems I can easily remember my passwords. Something you can never do with a hash. And I’m more worried about someone getting my master list through keylogging, screenshots or other malicious ways than them using the same method to get into one of my tiers.
I’m ranting a little and if you don’t mind I’ll continue.
We live in a world where we need to be paranoid and aware. If you limit yourself to just making your passwords long and impossible to crack then you’re allowing someone to locally break into your machine or someone tampering with your or any other machine with something that logs your keys and/or hashes.
There are a lot of points of failure in the processes we use but you cannot deny the more common single point of failure is trusting an untrusted machine. Which reminds me of a friend’s insight.
Dan, I’m afraid your arguments ring hollow. No matter what you do, if you use a machine with a key logger installed you’re screwed. If you’d like to know how PwdHash works, read the web site. It’s explained in much detail.
Apparently, I explained the same thing after inspired by your first article about passwords. Unfortunately, my post is written in Thai (my native language) hence you can’t make a good reference to it as a supportive post. Anyway, I’m trying PwdHash too.
Here the post is: http://www.rangwan.c[...]lar-firefox/
Hollow? Read the site? A little dismissive don’t you think? My points didn’t just include keyloggers. And, I have read the pwdhash page including the Stanford page and skimmed Blake’s posts. If you are referring to my question about the password page I never followed the link you provided since I was relying on pwdhash to provide the marklet nor understood that your page was the homepage of pwdhash–until now–, my fault. :s
Anyways, personally I’m waiting for a better solution to come around. You’ve documented well the disadvantages of pwdhash in this post and the advantages still don’t outweigh them–for me–.
Just another time to look towards what’s ahead, like openid.
I only responded to the keylogger issue because my post already refutes the other techniques you suggest and you didn’t offer any reasons to counter my arguments on them.
My page isn’t the home for PwdHash, as I noted in my previous post I merely created a better web interface than the one they offered.
I don’t intend to be dismissive, but it’s hard to engage in a “debate” when half of my responses are simply “go read what I wrote”.
Frankly, from your usage description I can’t see how using PwdHash would be a burden to you. Instead of replicating your passwords on every machine you’d just install this extension (which clearly you can do, since you’ve installed the Google extension).
I responded to this post with a proposed solution.