Comments on: Why your tiered password scheme is flawed, and what to do about it.

By: weblog.masukomi.org » The Circus of Interface FAIL

weblog.masukomi.org » The Circus of Interface FAIL — Fri, 13 Mar 2009 00:32:19 +0000

[...] Why your tiered password scheme is flawed, and what to do about it. [...]

By: Travis

Travis — Sat, 28 Feb 2009 23:32:35 +0000

I’d like to put in a great word for Clipperz (www.clipperz.com). It’s online, but you can download the html files to use it offline (doesn’t even require Gears). It does all the encryption locally using JavaScript (yes, they have implemented secure encryption in JS!), so your passwords aren’t even stored in cleartext on their end.

In short — no application required, web based, local encryption, offline use. And Free!

By: Richard Hurt

Richard Hurt — Sat, 28 Feb 2009 18:00:59 +0000

I really like the YubiKey[0] system and think that it solves the problem very gracefully. Basically, its a tiny USB device that acts like a keyboard. It requires no software, drivers, or battery and can use OpenID. Plus all of the server software is open source so you can run your own network (if that’s your thing :)

Read about it here[1], here[2], and here[3].

Later…
Richard

[0] http://www.yubico.com/products/yubikey/
[1] http://maymay.net/blog/2008/09/01/yubikey-and-openid-two-great-tastes-that-taste-better-together/
[2] http://www.readwriteweb.com/archives/yubikey_your_key_to_securing_the_web.php
[3] http://www.pcsympathy.com/2008/04/26/yubikey/

By: masukomi

masukomi — Sat, 28 Feb 2009 14:19:21 +0000

Tim Case: Actually, problem not solved at all, for two reasons: 1) it’s likely that if someone’s running amuck with your facebook account it’ll probably get deleted. So, contacting all those people you interact with on facebook is going to be a pain, especially if you really use facebook like many people do. I’m not sure how you’d go about telling your twitter followers about your new account, or even figuring out who they were without pouring through the old “so-and-so is folowing you” emails. What a pain. 2) If you’ve been using a tiered password scheme you now have to go through and change the from your hacked account on ALL the other sites that you entered it at AND if the hacker has tried using that passy on one of them then you’ll probably have to do the notification of friends dance all over again.

I wish it were that easy, I really do.

By: Tim Case

Tim Case — Sat, 28 Feb 2009 13:56:58 +0000

“Oh, and if you’ve got pictures to prove it, they were definitely photoshopped.”

By: Tim Case

Tim Case — Sat, 28 Feb 2009 13:54:19 +0000

“Ok just letting everyone know my facebook/twitter account has been hacked if you see anything strange here it’s probably not me.”

Problem solved!

By: Tara Kelly

Tara Kelly — Sat, 28 Feb 2009 08:55:00 +0000

–> “while it�s interface can be a bit overwhelming with … big grid of icons”

You can actually turn those off if you’d like: http://bit.ly/pfWzQ
But yes, in the next release they’ll be turned off by default.

Thanks!
Tara Kelly
Passpack Founding Partner

By: Ben

Ben — Sat, 28 Feb 2009 04:27:13 +0000

I agree that PasswordMaker could do a better job of of marketing itself, but it’s really quite simple to use once you set it up. Once you enter your master password for the hash, you just type Alt-` in Firefox and it will fill in your password. The online version is here: http://passwordmaker.sourceforge.net/passwordmaker.html which is super handy when you aren’t using your regular computer.

By: Random Observation

Random Observation — Sat, 28 Feb 2009 03:28:06 +0000

There’s a startup trying to solve this problem in a more general and securely calculated way that wouldn’t require you to maintain your own lists. Check out http://www.usable.com

By: Ozan Onay

Ozan Onay — Sat, 28 Feb 2009 01:31:13 +0000

I agree with Andrew Loe III that a pretty straightforward way to have a near-unique password for each service that you can’t forget is to have an algorithm to generate the password in your head from the name of the service.

I disagree with using the unhashed domain name in the password as, once revealed, it’ll be pretty easy to guess at your other passwords. What I do is to hash a certain number of the characters of the service name in my head, then add a short common string. There’s no way to know that I’m doing this by looking at one password – it seems like a string of random characters. If you revealed two of my passwords you would know what the common part is but you’d still have to crack the hash.

Issues are:
* Some sites only allow alphanumerics, so for the system to work with these but also maximise password strength on those sites that allow other characters, you need two different common strings
* Sometimes service names change, or there’s some ambiguity as to the name of the service (is it ING or ING direct or savings maximiser?). So sometimes it takes a couple of attempts before you remember what it was that you originally hashed.
* It can probably be cracked in a trivial amount of time if two or more passwords (and corresponding domain names) are revealed. So super-high security passwords like for banking should probably not use the same algorithm as everything else