How to easily use different passwords on every site you visit

Here's yet another article on some site which had thousands of passwords broken.

Hackers target Finnish forum, crack logins for almost 80,000 users (ArsTechnica)

Although the exposure of forum login information might not seem like much of a blow to users, many people use the same login information for a multitude of services. In fact, in a recent survey conducted by McAfee, a quarter of the respondents said that they use the same password for all of their online accounts, and almost half never change their password.

Unfortunately, technical bloggers casually toss out warnings like that and point out how stupid users are, without providing any solutions. I mean, be reasonable. Over the years I've managed to accumulate passwords to hundreds of sites—how on earth could I keep track of them if every one of them were different?

I'm glad you asked.

Once upon a time I had a two-password model: a “secure” password for sites I trusted, and an “insecure” one for sites I had less confidence in. There are a couple of problems with that, but the biggest one is simply that it's impossible to predict who's going to get broken into next. So let's just forget that idea.

There are two simple solutions out there to this problem. One commercial. One free. Both have slight drawbacks, so you'll need to pick the best fit for you. But either one is better than doing it yourself.

The commercial solution is a product which generates passwords (and fills in web forms) for you. I use a product called “1Passwd”, which runs on the Mac, but there are others (on the Mac and PC). (Feel free to put some references to them in the comments.) 1Passwd generates passwords for every site I visit, and it can remember everything I enter in any form. When I visit a site, I simply hit a hot key and it fills in the password. I don't even need to know what it is. So long as I keep my computer secure (1Passwd stores its password in the Mac's KeyChain, which is locked with my login password), my passwords are secure. And because they are randomized, long, and complex, they aren't likely to get broken by a normal password breaker. And if they are, they don't expose my information on any other site—because every site has a different password.

The drawback to a password generator is that you're pretty much up a creek if you don't have your computer with you. (And you'd certainly better back up your passwords!) Most products have versions for Palm and other handheld devices, and ways to export or print the information. And if you do have to type in your password on some other machine, it's going to be a pain (especially if you're on an iPhone or Treo or some such).

The second solution is far simpler, and more portable. It's called SuperGenPass. It creates a bookmarklet (a small JavaScript bookmark that you drag to your browser's bookmark area). When you go to a site where you need to generate (or enter) a password, it pops up a window prompting you for a master “password”. That password is the same all the time, and it's never stored anywhere—only you know it. It uses that password, in combination with the domain of the site, to generate a pseudo-random password, which it then inserts into the form. If it can't figure out where in the form to put it, it shows the password to you instead. This works really easily, and the bookmarklet can be installed on just about any browser (including Safari on the iPhone and iPod touch). Your master password can be simple and easy to remember—the quality of the final password doesn't depend on the quality of the master password. And if you're on the road without your computer, you can go back to the SuperGenPass site and quickly generate a new bookmarklet.

There are a couple of weaknesses to this solution. First, if someone happens to see you type the master password, you've basically given them access to every site you use. Secondly, if the site moves to a new domain you'll need to go to the old domain, have it generate the old password, go back to the new domain, and paste it in—because passwords are generated using the domain part of the URL. Thirdly, if you ever have to change your password (as I did, for instance, when Second Life had a security breach) you'll have to use a different master password, and remember that you need to use that particular master password on that particular site. Not the end of the world, but keep it in mind.

Which is the right solution? It's really up to you. How secure is your computer? Are you using shared machines a lot? SuperGenPass might be the best solution. Do you want a really secure password repository, where you can easily change passwords, and you usually access things from your desktop? Then maybe 1Passwd is the right solution. And of course, the two systems aren't incompatible. You can always use SuperGenPass to generate the passwords, and let 1Passwd remember them.

But my final advice is simple. *Don't* hand generate passwords. *Don't* use the same password on multiple sites. There are solutions out there, they are simple, cheap, and effective. Use them.


1 Comment

dteare said:

Thanks for the post! I'm glad to hear 1Passwd is helping you secure your online sites.

I agree with you that portability is a weak point of 1Password. We have been working on addressing this with two new features.

One new feature is Sync to iPhone, where we encrypt all your data into a bookmarklet. This bookmarklet is a completely self-contained website that allows you to securely access your information within Safari on iPhone, without any hacks and without an Internet connection.

The second feature we are working on is the new my1Password web service, which allows you to encrypt your data and export it to the my1Password web service. You can then use any modern web browser to securely access your information. All information is decrypted within the browser so only the owner of the information will ever see it.

These two new features will greatly improve the portability of your 1Password data. Sync to iPhone is available in version 2.5, which is in public Beta now, while my1Password is still in closed Beta but will be available soon.

Cheers!
--Dave Teare
Co-author of 1Password


About this Entry

This page contains a single entry by Kee Hinckley published on October 15, 2007 1:22 PM.


About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
This weblog is licensed under a Creative Commons License.