Why your tiered password scheme is flawed, and what to do about it.
February 26th, 2009 by masukomi

First, let me explain what I mean by “tiered password scheme”. Many perfectly smart people I know have one strong password they use for one or two online-banking-type sites. They’ll then have a “medium security” password they use on sites that are somewhat important to them (maybe those sites have their credit card info stored), but not critical to day-to-day stuff. Then they’ll have one or two passwords they use on all the other sites like Twitter, Yahoo!, Facebook, GMail, etc.

Obviously they’re being relatively careful about the important stuff and that’s good, but the flaw in this system is in the perception of pain. People think “wow, it would massively suck if my bank account password got out, but it’s not such a big deal if my Twitter password gets compromised. I can always make another Twitter account.” Or, they’ll say “Why would anyone care about hacking my account? There’s nothing special about it.” And while there’s nothing inaccurate about those thoughts, they’re also totally missing the point.

The thing is that many of those low-value sites aren’t even remotely careful with your data. They’ll store your passwords in plain text on their servers, with no hashing or encryption at all. And while people are unlikely to go after your account in particular, it’s not unthinkable that someone might break into Twitter (just an example), or, even better from their point of view, one of the myriad third-party tools you’ve typed your Twitter username and password into, which are far more likely to be insecure. Now they’ve got a list of thousands, or maybe millions, of usernames and passwords, and because so many people use a tiered password scheme (or worse, only one password) those passwords are going to work all over the place. Nobody has to care about you specifically: trying every stolen pair against every other popular site is cheap and automated.
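To make the “they store your passwords unencrypted” point concrete, here is an added example (mine, not code from the post or from any site it names) that puts the careless store next to the careful one and models the attacker who walks off with a database dump. The accounts and the word list are constructed sample data; the work factor is an assumption you would tune upward on real hardware.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the post). bob and carol reuse the
# same "low value" password, which is exactly the tiered-scheme situation.
SAMPLE_ACCOUNTS = {
    "alice": "correct horse",
    "bob": "hunter2",
    "carol": "hunter2",
}

# Constructed attacker word list for the offline guessing stage.
WORDLIST = ["password", "hunter2", "letmein"]


class PlaintextStore:
    """The careless site: stores exactly what the user typed."""

    def __init__(self):
        self.rows = {}

    def add(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password

    def dump(self):
        # What leaks in a breach: every credential, immediately reusable elsewhere.
        return {u: {"kind": "plaintext", "password": p} for u, p in self.rows.items()}


class HashedStore:
    """Same interface, but stores a per-user random salt and a slow salted hash."""

    ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed; raise it in production)

    def __init__(self):
        self.rows = {}

    @classmethod
    def derive(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def add(self, user, password):
        salt = os.urandom(16)  # fresh salt per user: identical passwords get different hashes
        self.rows[user] = (salt, self.derive(password, salt))

    def verify(self, user, password):
        row = self.rows.get(user)
        if row is None:
            self.derive(password, b"\x00" * 16)  # same cost for unknown users (timing)
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self.derive(password, salt))

    def dump(self):
        return {u: {"kind": "pbkdf2", "salt": s.hex(), "hash": h.hex()} for u, (s, h) in self.rows.items()}


def crack_dump(dump, wordlist):
    """Offline attacker model: recover (user, password) pairs from a stolen dump.
    Returns the recovered pairs and how many slow hashes had to be computed."""
    recovered, work = {}, 0
    for user, rec in dump.items():
        if rec["kind"] == "plaintext":
            recovered[user] = rec["password"]  # nothing to crack
            continue
        salt, digest = bytes.fromhex(rec["salt"]), bytes.fromhex(rec["hash"])
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(digest, HashedStore.derive(guess, salt)):
                recovered[user] = guess
                break
    return recovered, work


def build(store_cls):
    store = store_cls()
    for user, pw in SAMPLE_ACCOUNTS.items():
        store.add(user, pw)
    return store


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        store = build(cls)
        print(cls.__name__, crack_dump(store.dump(), WORDLIST))
```

The plaintext dump hands over all three accounts for zero work, and bob’s and carol’s shared password is visible at a glance. The hashed dump still gives up the weak, reused “hunter2” to a dictionary attack (which is why unique passwords matter regardless of how the site stores them), but each account costs a separate pass through the word list, and alice’s unusual password is never recovered.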

Now, most people I talk to say “I can just make another Twitter account.” But it’s not just *that* account. How many hundreds of sites have you used that low-value password at? Do you really want to go and change it on all of them? And how would you even know you need to change it on all of them? Considering how many you’ve probably used it at, it’s a safe bet that someone could be using your name and spamming people, or linking to virus-ridden sites, or whatever, from your account and you might not find out about it for months, if ever. Not because it’s your account, but because your username and password just happened to be in the list of thousands they stole from some site.

It is simply not realistic to claim that, if you somehow knew the password had been, or might have been, compromised, you would go and change it on every site you’ve used it at. And worse, if any of the compromised accounts (which will probably be killed by the administrators) were ones where you’d made friends, built up lists of contacts, etc., then you’re going to experience some serious pain and frustration figuring out how to contact all those people, telling them that no, that wasn’t really you trying to sell them male enhancement pills, and that you’ve got a new account now…. Gods forbid this happens to your e-mail account, since the password resets for everything else land there.

So, what are you supposed to do? Well, the “simple” answer is that you’re going to have to start using a different password on every site, and, because you’re human, you’re going to have to use a password manager to keep track of them all. There are a ton of password managers out there, and while they’ll all get the job done securely, the usability of these apps varies wildly. Typically the process is: load a web page that needs a password, launch your password manager (if it isn’t running already), find the entry for this site in a list, copy the password to your clipboard, switch back to the browser, select the password field, and paste in the password. That’s six or seven steps, two applications, and a possible wait while one of them launches, just to enter a password!

“But Kate,” you say, “my browser remembers my passwords.” And that’s great. It’s going to save you from having to do this all the time, but sooner or later your browser’s saved passwords are going to get wiped, and you’re going to have to go through the process again. Even worse, what if you’re at someone else’s computer? The latter is a strong argument for having a password manager on your smartphone, but the usability is even worse when you’re talking about an entirely different device that you can’t copy the password from to paste into your browser.

So, again, what are you supposed to do? Well, first off, you need a password manager that’s not going to make you leave your browser. This means we’re talking about browser extensions, or maybe a web-based password manager. And while there are a ton of choices, some of them are wildly complicated and most of them fail when it comes to usability. If you’re going to stick with this, and protect your identity and passwords the way you should, it is absolutely imperative that you use a tool that makes it easy, easy, easy, to get your passwords in there. The act of retrieving your password and entering it into the site you want can’t be frustrating or annoying to you.

[Update: A number of people have felt that I'm trying to promote Passpack below. Passpack just happens to be one of the few services that meets all of my personal criteria, but there are other services out there and I encourage you to explore them. Furthermore, web-based services aren't right for everyone. Some of us prefer Firefox extensions, or apps that live on our phones. Really, I just want you to go find a tool that will help you to practice good password hygiene, and am offering up what I've discovered whilst searching for tools for me.]

So far I’ve only found one that I’m really willing to recommend: Passpack. Unlike most web-based password managers it can work offline, if you have Google Gears installed. It’s got a ton of features (probably far more than you need), and while its interface can be a bit overwhelming with all its options and its big grid of icons, it appears relatively easy to use, and most of the time you’re just going to click its bookmarklet when you want to log in to some site you’ve stored the password for. Once you’ve saved a password for a site it’s two clicks the next time you need to retrieve your password and log in. I definitely recommend checking out their video tour. [Update: the icon grid can be turned off, and will be off by default in the next version.]

When it comes to browser extensions I simply haven’t seen any that get the usability right. Some have daunting management screens, or just bad tools for initiating the action of getting the password, and almost all of them finish by copying the password to the clipboard and making you paste it into the form, which is just brain-dead considering that extensions have access to essentially every feature of the browser. Many (most?) of them are going to leave you screwed if you need to access a site from someone else’s computer. The same can be said for desktop apps. What the extensions typically do get right is generating good passwords for you, storing them securely, and saving you from having to open another app. But all of the ones I’ve seen simply aren’t painless enough when it comes to usability, or management, or both. Actually, there was one exception that got the usability right, but ultimately encouraged users to go with something resembling a tiered password scheme.

[Update] I’m hearing a lot of good things about PasswordMaker from readers. Unfortunately their site does a terrible job of explaining just how simple its usage can be. It does have an ugly GUI that’s got way too many options, but apparently you never really have to deal with that, and I hear tell that there’s a web page component that’ll let you generate your password when you’re at someone else’s computer. It sounds like a real win. If only its site could convey its coolness…

It’s my opinion that a plugin-based password manager should be able to get your password into the form you’re currently using with two actions: one click / keypress to activate it and one to get the password into the field you want. I’m not counting authenticating yourself to the password manager, which, theoretically, you would only need to do once per session. It should also have a way to securely access, or regenerate, your passwords without installing anything when you’re at someone else’s computer, and create/use a different password for every site. If you can recommend a browser extension (for any browser) that can meet those requirements, and has a nice, simple user interface, please leave a comment.

If I were in your shoes right now, I’d go check out Passpack and accept the sad fact that it’s going to take a while to change your password on all the sites you use, but it’s a task worth doing. Me? Every time I go to a site that requires me to login I just swing over to the change password screen and use my tool. I’ll get to them all eventually, but the important ones I use every day are getting changed first.


23 Responses  
  • Tim Case writes:
    February 27th, 2009 at 12:09 am

1password is great on the mac and comes with a safari + firefox plugin that generates passwords. However, all these solutions are flawed and your hundred bucks is sure to be wasted, I’ve resigned myself to the inevitability that all my accounts will soon get hacked so I’ve taken the preemptive step of spamming all my friends and generating tons of false data about myself as a way to avoid my online identity ever reflecting who I truly am. The question is a bit of an existential one in that if the keys to your life are stolen have you really lost your life? What I’ve found is that the bigger lies I generate about myself, the more my friends enjoy it. My true identity however is guarded with something way stronger than 1024 bit encryption.

  • masukomi writes:
    February 27th, 2009 at 12:34 am

    Damn it, why can’t I vote up comments?!

  • finnw writes:
    February 27th, 2009 at 9:13 am

    This has just been linked from HackerNews

  • Peter Jansson writes:
    February 27th, 2009 at 9:22 am

    OpenId has a nice solution to the “multiple-password-problem.” (http://www.openid.net)

  • Erik writes:
    February 27th, 2009 at 9:55 am

    I use a sort of hybrid tiered system. Very sensitive sites such as the bank and paypal have unique strong passwords which I store in a password manager. Sensitive things I need to access on a daily basis (webserver, computers) have unique “pronounceable” passwords. I don’t tend to store much private data on any social/forum sites, so I use a handful of simple (non word) passwords for those.

    As far as I’m concerned, my email account is the key to my online identity, thus it has the hardest password I can remember.

  • Nic writes:
    February 27th, 2009 at 10:15 am

    I do essentially the same thing using a little simple Javascript bookmarklet: http://angel.net/~nic/passwdlet.sha1.1a.html

  • Ben writes:
    February 27th, 2009 at 10:43 am

    Have you looked at PasswordMaker http://passwordmaker.org/ ? It has a Firefox plugin that automatically fills in password fields and uses a hashing algorithm to generate a unique password for each site so that no passwords are actually stored anywhere. You can even use it through a web form without installing anything.

  • Hugh writes:
    February 27th, 2009 at 11:32 am

    This is a 1-click solution, and gives you remote access as well: http://supergenpass.com/

    It’s not a password manager — instead, it hashes your master password with the domain name a bunch of times, and ends up with a mixed-case password with numbers that is as long as you want.

    Upside: great security, fantastic usability
    Downside: you can’t choose your own passwords, you can’t use the same password on different domains, and it’s harder to use this to get passwords for applications or anything outside your browser.

    Really, I urge you to try it. I used to use password managers, this works much better for me.

  • Tim Keating writes:
    February 27th, 2009 at 12:49 pm

    Second the recommendation for OpenID. If only ONE major web service (Google, Amazon) would start accepting it, I think that would get it the momentum it needs to really become pervasive.

    Well, that and a generic Firefox add-on that works like Verisign Seatbelt, but for ANY OpenID provider.

  • W. Andrew Loe III writes:
    February 27th, 2009 at 2:14 pm

    Why not just use an algorithm in your head that lets you use your tiered password scheme, but with a dynamic component unique to the site?

    Example:
    weak: foo
    strong: foo!bar
    epic: foo!b4|2baZ

    You have your 3 tiered passwords, and you just add some salt to them… like the domain.

    So my twitter password is: footwitter.com my facebook is foo!barfacebook.com and my bank is foo!b4|2baZbankofamerica.com.

    This doesn’t require a password manager, and you have different passwords on every site. It protects you from automated spamming. This doesn’t solve the case of the person who looks at your footwitter.com password and realizes hey I bet this works at digg like foodigg.com, but at that point they really want to be you and you’re probably screwed already right?

  • weston writes:
    February 27th, 2009 at 3:13 pm

    Sxipper, a firefox add-on, doesn’t match all your requirements but it’s worth looking at as the user experience is pretty good. It fills forms and works with OpenID as well. Full disclosure, I did some work on it.

  • masukomi writes:
    February 27th, 2009 at 3:43 pm

    Sxipper does have the usability down well, but I refrained from mentioning it because it seems to encourage users to go with a preset list of passwords they use when adding one to a new site, which, essentially, results in a tiered password scheme. I’m sure it can do a different password for every site but it looked like the selection UI would become a pain if you had more than a handful. I’d like to see Sxipper get the password handling right. It’s really a slick looking extension.

  • Issac Kelly writes:
    February 27th, 2009 at 7:50 pm

    I use passwordSafe SWT for everything. I have three Password databases, Personal, Work and Work Shared; All of them are stored on a WebDav location. I can get to them from anywhere, it’s a well-used program, and it’s platform agnostic.

  • Ozan Onay writes:
    February 27th, 2009 at 8:31 pm

    I agree with Andrew Loe III that a pretty straightforward way to have a near-unique password for each service that you can’t forget is to have an algorithm to generate the password in your head from the name of the service.

    I disagree with using the unhashed domain name in the password as, once revealed, it’ll be pretty easy to guess at your other passwords. What I do is to hash a certain number of the characters of the service name in my head, then add a short common string. There’s no way to know that I’m doing this by looking at one password – it seems like a string of random characters. If you revealed two of my passwords you would know what the common part is but you’d still have to crack the hash.

    Issues are:
    * Some sites only allow alphanumerics, so for the system to work with these but also maximise password strength on those sites that allow other characters, you need two different common strings
    * Sometimes service names change, or there’s some ambiguity as to the name of the service (is it ING or ING direct or savings maximiser?). So sometimes it takes a couple of attempts before you remember what it was that you originally hashed.
    * It can probably be cracked in a trivial amount of time if two or more passwords (and corresponding domain names) are revealed. So super-high security passwords like for banking should probably not use the same algorithm as everything else
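Two of the comment threads above describe ways of deriving a per-site password instead of storing one: the “tier password plus domain” scheme (W. Andrew Loe III, with Ozan Onay’s objection that one leaked password reveals all the others) and the hash-the-master-with-the-domain approach behind SuperGenPass and PasswordMaker (Hugh, Ben). The block below is an added example, written by me for this page; it does not reproduce either tool’s real algorithm. It assumes a PBKDF2-HMAC-SHA256 construction with the domain as salt and a policy loop that re-derives until the result has a lowercase letter, an uppercase letter and a digit, and it includes the caveat Ozan raises: because the derivation is public and deterministic, a single leaked site password lets an attacker test master-password guesses offline. All master passwords and domains are constructed sample values.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # mixed-case letters and digits


def concat_password(tier_password, domain):
    """The concatenation scheme from the comment above: tier password + domain, verbatim."""
    return tier_password + domain


def guess_sibling_from_concat(leaked_password, leaked_domain, target_domain):
    """Attacker's view of the concatenation scheme: one leaked password
    exposes the fixed prefix, so every other site's password follows."""
    if not leaked_password.endswith(leaked_domain):
        return None
    return leaked_password[: -len(leaked_domain)] + target_domain


def derived_password(master, domain, length=12, iterations=100_000):
    """Derive a site password from a master secret and the domain; nothing is stored.
    Assumed construction (not SuperGenPass's or PasswordMaker's actual algorithm):
    PBKDF2-HMAC-SHA256, salt = domain plus a retry counter, output mapped onto
    ALPHABET, re-derived until the policy (lower, upper, digit) is satisfied."""
    for counter in range(256):
        salt = f"{domain}\x00{counter}".encode("utf-8")
        dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=length)
        # b % 62 carries a small modulo bias; acceptable for this demonstration.
        pw = "".join(ALPHABET[b % len(ALPHABET)] for b in dk)
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw
    raise RuntimeError("could not satisfy password policy")


def brute_force_master(leaked_password, domain, candidates, **kw):
    """The caveat: with the algorithm public and the domain known, a leaked
    site password is an offline oracle for guessing the master password."""
    for guess in candidates:
        if derived_password(guess, domain, **kw) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values.
    print(concat_password("foo", "twitter.com"))
    print(guess_sibling_from_concat("footwitter.com", "twitter.com", "digg.com"))
    for site in ("twitter.com", "facebook.com"):
        print(site, derived_password("letmein", site))
    leaked = derived_password("letmein", "twitter.com")
    print("recovered master:", brute_force_master(leaked, "twitter.com", ["password", "letmein", "qwerty"]))
```

The concatenation scheme fails the moment one password is seen, exactly as the comments say. The hashed scheme gives unrelated-looking passwords per site and leaks no structure, but the slow KDF only buys time: a weak master password falls to a dictionary run against any one leaked site password, so the master has to be genuinely strong, and changing it means re-deriving and changing every site password.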

  • Random Observation writes:
    February 27th, 2009 at 10:28 pm

    There’s a startup trying to solve this problem in a more general and securely calculated way that wouldn’t require you to maintain your own lists. Check out http://www.usable.com

  • Ben writes:
    February 27th, 2009 at 11:27 pm

    I agree that PasswordMaker could do a better job of marketing itself, but it’s really quite simple to use once you set it up. Once you enter your master password for the hash, you just type Alt-` in Firefox and it will fill in your password. The online version is here: http://passwordmaker.sourceforge.net/passwordmaker.html which is super handy when you aren’t using your regular computer.

  • Tara Kelly writes:
    February 28th, 2009 at 3:55 am

    –> “while it’s interface can be a bit overwhelming with … big grid of icons”

    You can actually turn those off if you’d like: http://bit.ly/pfWzQ
    But yes, in the next release they’ll be turned off by default.

    Thanks!
    Tara Kelly
    Passpack Founding Partner

  • Tim Case writes:
    February 28th, 2009 at 8:54 am

    “Ok just letting everyone know my facebook/twitter account has been hacked if you see anything strange here it’s probably not me.”

    Problem solved!

  • Tim Case writes:
    February 28th, 2009 at 8:56 am

    “Oh, and if you’ve got pictures to prove it, they were definitely photoshopped.”

  • masukomi writes:
    February 28th, 2009 at 9:19 am

    Tim Case: Actually, problem not solved at all, for two reasons: 1) it’s likely that if someone’s running amok with your Facebook account it’ll probably get deleted. So, contacting all those people you interact with on Facebook is going to be a pain, especially if you really use Facebook like many people do. I’m not sure how you’d go about telling your Twitter followers about your new account, or even figuring out who they were without poring through the old “so-and-so is following you” emails. What a pain. 2) If you’ve been using a tiered password scheme you now have to go through and change the password from your hacked account on ALL the other sites that you entered it at AND if the hacker has tried using that passy on one of them then you’ll probably have to do the notification of friends dance all over again.

    I wish it were that easy, I really do.

  • Richard Hurt writes:
    February 28th, 2009 at 1:00 pm

    I really like the YubiKey[0] system and think that it solves the problem very gracefully. Basically, its a tiny USB device that acts like a keyboard. It requires no software, drivers, or battery and can use OpenID. Plus all of the server software is open source so you can run your own network (if that’s your thing :)

    Read about it here[1], here[2], and here[3].

    Later…
    Richard

    [0] http://www.yubico.com/products/yubikey/
    [1] http://maymay.net/blog/2008/09/01/yubikey-and-openid-two-great-tastes-that-taste-better-together/
    [2] http://www.readwriteweb.com/archives/yubikey_your_key_to_securing_the_web.php
    [3] http://www.pcsympathy.com/2008/04/26/yubikey/

  • Travis writes:
    February 28th, 2009 at 6:32 pm

    I’d like to put in a great word for Clipperz (www.clipperz.com). It’s online, but you can download the html files to use it offline (doesn’t even require Gears). It does all the encryption locally using JavaScript (yes, they have implemented secure encryption in JS!), so your passwords aren’t even stored in cleartext on their end.

    In short — no application required, web based, local encryption, offline use. And Free!

  • weblog.masukomi.org » The Circus of Interface FAIL writes:
    March 12th, 2009 at 7:32 pm

    [...] Why your tiered password scheme is flawed, and what to do about it. [...]


»  Substance: WordPress   »  Style: Ahren Ahimsa
© Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.