Steve brought up some interesting points when I spoke with him about my passwords post and Dan dropped by and left a comment with a few alternative suggestions (most of which I pretty strongly disagree with). I realize I didn’t go into much detail in my previous post as to why I’m making a big deal out of this.

I’ll try to explain how I see this issue a little better and why I’ve started using PwdHash and started changing my account passwords accordingly.

The Problem

Most folks I know have the same username at many different services. It’s just become something you do. When a new service is announced that looks even vaguely interesting, you go and sign up to reserve your username just in case it’s something you’ll want to use in the future. Most folks use the same password for all of these accounts as well.

As noted on the PwdHash web site:

The Common Password Problem. Users tend to use a single password at many different web sites. By now there are several reported cases where attackers breaks into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective.

This is the crux of the problem. You are now trusting your account security at all of the sites you’ve signed up at to the security at some random service you signed up for 2 years ago which has long since gone tets up. That should make you nervous.

Non-Solutions

Using Hard to Guess Passwords

While Geof points out a great way to create hard to guess/easy to remember passwords – you just can’t remember enough unique passwords to have one for every site.

Tiers

When I was re-using passwords and multiple sites, I had tiers of passwords. I was using one password for random little sites, another for more critical sites and a handful that were used for only for financial sites, etc.

This certainly helps to mitigate your risk, but it isn’t a solution. There are lots of problems with this approach – first and foremost that it doesn’t solve the problem. Also, sites will fluctuate between your “tiers” over time. That hot-new-site.com that was crucial a year ago may be long forgotten today with their doors closed and their IP and customer data sold off, but you’re still trusting all of your data in all of the sites in that tier to hot-new-site.com. Tiers aren’t a solution.

Store Them in Your Browser

Letting your browser save all your passwords sure is an easy solution. You just click the ‘save’ button when you log in and you can use a unique password for each site and you don’t have to think about it again. Of course, it also means that anyone using your computer will have access to your accounts. Obviously, not such a good idea.

Sure, the vast majority of the time it’s not a problem, but sometimes things don’t go as you planned – for whatever reason. Having all of your passwords saved in one place ready to be auto-filled into the appropriate web sites isn’t a good thing. “But I use Firefox’s Master Password feature.” Congratulations, you’ve added a single point of failure – that isn’t so good either.

But that isn’t the real problem with this approach. The real problem is what you do when you get to work or get home and can’t remember the new unique password you created for a site when you were at a different computer. Which brings us to…

Trust Them to Google

Dan points out Google Browser Sync as a solution to making sure all of your computers have all of your passwords. Of course, this exacerbates the problem of storing your passwords in your browser in the first place (especially if you’re talking about having them on “3 macs […] and a couple linux and windows boxes”), but let’s ignore that and move along.

Let’s even set aside the whole “trusting your life to Google” argument¹, because that’s a rats nest we really don’t need to visit right now. The real reason that a “browser sync” isn’t a solution is that you will need to use browsers that aren’t sync’ed from time to time.

Because you’ll want to access your various web accounts from browsers that don’t have all of your passwords stored on them, storing passwords in your browser isn’t a real solution. You won’t be able to remember a unique password for each account, so you’re back to re-using passwords. Welcome back to the start of the decision tree.

Same Password With a Modifier

I’ll admit, this technique isn’t really that horrible – especially if you combine it with a tiered approach. Basically what you do is take a base password like:

fuzzyslippers

and customize it for each site. For example, you might append the first letter of the domain name, like:

fuzzyslippersf

for Flickr – oops, bad example. Joking, joking… 🙂 You can also use the numeric value of the first letter of the domain name:

fuzzyslippers20

for Twitter. Other things to consider are prepending and appending the modifier based on odd/even numbers, etc.

This is a definitely better than simply using the same password at each site, but it isn’t nearly as good as a completely unique password for every site.

Problems with PwdHash

I think that PwdHash is a good compromise solution and I’m now using it. However, it isn’t perfect either.

• Using a single password as the generation point for your hashed passwords still leaves you with a single point of failure. However, at least protecting that password is on your hands, not the hands of some web site you signed up with.
• It’s a hassle to have to go generate a password before you log in to a web account from a browser where you don’t have PwdHash installed. This isn’t a common occurrence for me, so it isn’t enough of a hassle to be a deterrent.
• The PwdHash Firefox extension doesn’t work for 401 authentication, so you have to use the web interface to generate a password when logging in to a 401 authenticated service.
• This is being a bit nit-picky because I can’t remember a time this has actually been an issue for me, but using a hashed password does mean you need a password hashing tool to get your password for something. If you have to authenticate on the phone or something when you’re away from an internet connection, that could be an issue.

Summation

I’m in the process of switching all of my logins to PwdHash’d logins and I’ve turned off the password manager in Firefox. I think that both are smart moves.

Even if you’re not ready to start using something like PwdHash for all your account passwords I hope this article has made you think a little bit. This is only going to be more important in the future as we put more of our lives online. At least until everything supports OpenID.

1. Yes, I know that the data is encrypted – yet another single point of failure for all of your site logins. [back]

This post is part of the thread: Passwords – an ongoing story on this site. View the thread timeline for more context on this post.