I care about Passwords. I’ve been using PwdHash as my secure password solution since February of 2007. It’s been a good solution for me, but it has a flaw that has recently become more frequently exposed.
PwdHash works by creating a hash from two inputs:
- the domain of the website
- the password you type in
It then submits the hash to the website. Think of it as a black box that generates a relatively complicated password from the two plain text ingredients you give it.
If you needed to log in to example.com and used dancing reindeer as your password, the hash that would be sent to the website would be: vFROhCfFQR+vYcs5IZ.
This provides a number of nice features:
- You only have to remember one password.
- Your passwords are different for every site you log in to.
- None of the secure passwords (hashes) are stored anywhere so there is no honeypot of passwords that can be accessed.
Having a different password for each site is important because you don’t want to have your password exposed when a single site is compromised, sold, etc.
The flaw?
The hash used as your password is based on just those two inputs (domain and your typed-in password). When a single site is compromised and you need to change your password for that site, you find yourself in an unfortunate situation. You must change the password you type in for that site in order to change the hash, but now you are no longer remembering just one password to type in.
One option is to bite the bullet and wholesale change your password for all of your accounts every time this happens. Ugh. Another option is to start using a second password you type in for these sites that have been compromised. That starts to suck too – the whole point is to have only one thing to remember so you never have to write it down.
In the moderately recent past I’ve had to change my password for a number of sites including WordPress.org, Evernote and Twitter. Sites seem to be coming under these types of attacks more and more frequently, and I expect I’ll be needing to change more within the next six months.
A solution like 1Password handles this situation better. I can change the password for just one site while maintaining a single “master” password to unlock all of my passwords. I still don’t like the honeypot aspects and reliance on proprietary software[1] for something as important as identity, but I’m thinking hard about making the switch.
PwdHash actually has another flaw as well: it doesn’t have a mechanism to handle sites that have specific password requirements (must have a capital letter, a number, can’t have special characters, must be at least X characters long, etc.). For some reason, this hasn’t been much of an issue for me – you’d think it would have come up more.
[1] They are doing what they can to mitigate this concern.
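The rotation problem described in the post, as an added example that is not part of the original post and is not PwdHash's own code. It assumes a simplified derivation (HMAC-SHA256 keyed with the master password), a hypothetical `modifier` input of the kind a per-site profile would hold, and a constructed list of domains.

```python
import base64
import hashlib
import hmac

# Constructed sample list of sites that all share one master password.
DOMAINS = ["example.com", "wordpress.org", "evernote.com", "twitter.com"]


def site_password(master, domain, modifier="", length=18):
    """Derive a per-site password from (master, domain, modifier).

    Simplified stand-in for a domain-bound hash scheme, not PwdHash's
    actual algorithm. `modifier` is a hypothetical extra input.
    """
    message = f"{domain.lower()}|{modifier}".encode()
    digest = hmac.new(master.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_all(master, domains, modifiers=None):
    """Derive every site's password; nothing is stored except `modifiers`."""
    modifiers = modifiers or {}
    return {d: site_password(master, d, modifiers.get(d, "")) for d in domains}


def changed(before, after):
    """Return the sites whose derived password differs between two runs."""
    return sorted(d for d in before if before[d] != after[d])


def rotate_by_new_master(master, new_master, domains):
    """Two-input scheme: the only way to rotate is a new typed-in password."""
    return changed(derive_all(master, domains), derive_all(new_master, domains))


def rotate_by_modifier(master, domains, breached):
    """Three-input scheme: bump a per-site modifier, keep the master."""
    modifiers = {breached: "2"}  # state that now has to be kept somewhere
    before = derive_all(master, domains)
    after = derive_all(master, domains, modifiers)
    return changed(before, after), modifiers


if __name__ == "__main__":
    print(rotate_by_new_master("dancing reindeer", "prancing reindeer", DOMAINS))
    print(rotate_by_modifier("dancing reindeer", DOMAINS, "example.com"))
```

Changing the master changes the password on every site, while the modifier changes only the breached one at the cost of a small piece of per-site state to back up.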
@alexkingorg I started with PwdHash and am slowly using 1Password to gen pws for new sites or new pws as needed. Very happy with it.
Agree 100%. Made the same switch for the same reasons.
At this point a password manager like 1Password is probably the best set of trade-offs available.
Regarding sites with specific password requirements, the password policy I keep having problems with are sites that require short passwords. Disappointing to be limited to something like 12 characters for a password.
I’ve been using 1Password for many years now – chosen because it has excellent OS X integration (and nowadays, tolerable Windows integration). If I wasn’t using it, I’d be using KeePass instead, which is open-source and very good – but focused on Windows.
The KeePass 2.x line is written in .NET, and runs under Mono, and people have written OS X-friendly ports for both 1.x and 2.x, but it’s still a bit of a pain for a primarily-Mac user.
I looked at KeePassX (the OS X port), it’s hideous!
Yes, yes it is. But it’s a good piece of software, and there really aren’t any other choices worth mentioning that I’m aware of aside from KeePass and 1Password. Many people swear by LastPass, but I wouldn’t touch such a service, personally – I want my password storage and my nominal cloud storage to be run by entirely different people, among other things.
PasswordMaker is similar to PwdHash. It supports creating profiles for sites or groups of sites that tell it what information to use when generating a password. You’d probably start with a default profile. As sites get hacked and require you to change the password, you create a profile specifically for that site and alter the settings slightly (maybe adding something to the “Modifier” field) so that the same master password will generate a different password. Profiles are also useful when you have multiple accounts at a particular URL but don’t want to use the same password for all of them. You can create a profile for each and just specify a username for each profile so that each one will have a different password.
Of course, now you’re dependent on all the profile settings, but these can be backed up easily and aren’t nearly as sensitive as a honeypot of passwords.
I’ve been on 1Password for a while now after having bailed first from LastPass and previously from PwdHash where I found the exact same problem you’re having. After a few months it seemed like I had as much to remember with PwdHash as I would have had just trying to manually keep track of passwords.
To me all of this craziness still boils down to the weakness of passwords in general that has been, perhaps overly so, covered so often lately. Now if only I was smart enough to solve it from that angle….
I think there’s another flaw with the PwdHash approach: when one site is compromised, it’s not that hard for the attacker to figure out the password you’re using on all your other sites, because the domain name is a known variable.
Using your example above, say an attacker gains access to the database server for example.com, downloads the users table, and runs rainbow tables against all the password hashes. Once s/he figures out that vFROhCfFQR+vYcs5IZ is the hash of “example.com” and “dancing reindeer”, s/he can create a hash of “paypal.com” and “dancing reindeer” to log in to your Paypal account.
I personally like to use a password manager to generate unique passwords with 200+ bits of entropy for any site that I’d care if it gets hacked, and then I use a common password with a variable prefix for anything else. The prefix is unique to each site, but easily derived from the domain name. I think that’s a good balance between security and convenience.