In the past few years I've changed my theory on passwords a couple of times. I started out with 3 passwords. The lowest was just a word, used on sites like twitter.com or stupid blog sites for commenting, where I really didn't give a rip if someone got hold of the account. The two above that were garbled acronyms (punctuation and mixed case embedded): one for most general-purpose sites, the other only for higher-security sites like banking.

However, a few incidents several years ago convinced me that even sites that should know better, like banks and credit card companies, did stupid things that compromised my security, like emailing me my password (sometimes without my even requesting it). So I decided to start using Password Safe to generate completely random passwords. I kept copies on my thumb drives, and on the machines I regularly used. That worked OK, but keeping them in sync was kind of a pain, and being completely unable to log in when I was away from one of these machines wasn't fun either.

I was actually starting to move back towards one password everywhere (for most purposes) when today I found out about SuperGenPass. This is a little javascript applet that installs as a bookmark. You then go to a site, type in a STANDARD password that you just use everywhere, and click the bookmark. A tiny applet, which is stored INSIDE your browser, combines that password with the domain name you're logging into, generates a random-looking password and automatically plugs it into the password field.

Since it's entirely stored on your machine, your master password never leaves the browser. Even when you're at someone else's machine and use the mobile version, it just loads the javascript locally and doesn't send anything over the wire.

Since they use the MD5 algorithm, even if a site is hacked and they find out that you used password "89vA3Baeq3" at that site, that password is useless elsewhere, and there's no way for them to know that your master password is "cricket" or whatever. End result is that you get to use a common password everywhere, but each site actually has different passwords which can't be linked to one another.

This is still vulnerable to malicious scripting and keyloggers, but then again, everything is.

...continued

Date: 2009-08-19 04:34 pm (UTC)
From: [identity profile] johnridley.livejournal.com

WARNINGS:
You are still vulnerable to spyware getting onto your system. Nothing can stop that. If you have spyware watching your keystrokes and taking snapshots of your screen, you're just out of luck no matter what system you use.

Also, while there's no way for an attacker who gets hold of one of your site passwords (say, they broke into LiveJournal's database and found your "c290d0fb1" password) to directly find your password, they can still run the same algorithm as you do - they know half of the equation, "livejournal.com" - so they can for instance run a "dictionary attack" - have some software run every word in the dictionary through this and see if any of them result in "c290d0fb1". So it would actually not be a great idea to use the word "squirrel" for instance - it would only take a few minutes to find that.

However, due to the fact that changing it from "squirrel" to "5quirrel" or "squirre1" would COMPLETELY change the output string, it doesn't take much to make a password that would be significantly harder to guess.

Personally I like acronyms. I might think of the phrase "I have a lot of very nice friends" and that would become "Ihalovnf". The only way they're going to find that is by starting with "a", going to "z", then "A" to "Z", then "aa" to "az" to "zz" to "Aa" to "Az".... and that's not even including using punctuation, numbers, etc. It quickly becomes more of a pain than it's worth.

It doesn't take all that much really. Unless you're a very juicy target (you have passwords that give you control of some cool systems, or you have a heck of a lot of money in some accounts), or someone specifically has it in for you, all you have to do is not to be low-hanging fruit. They'll go steal passwords from people infected with spyware, or people using "password" or "swordfish" as their password.

As they say, you don't have to outrun the bear, you only have to outrun the slowest guy in the group. OK, since there are N bears, you have to outrun the slowest N guys.
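The following is an added example, not the SuperGenPass bookmarklet's own code, showing in Python both things discussed above: the per-site derivation from the post (master password plus domain, run through MD5) and the dictionary check from the comment (an attacker who has the domain and one leaked site password tries candidate master passwords until one reproduces it). It assumes a SuperGenPass-style construction: hash "master:domain" with MD5, re-hash for a fixed number of rounds, then keep re-hashing until the first 10 characters look like a usable password. The round count, output length, base64 symbol substitutions and validity rule are assumptions chosen for illustration and are not guaranteed to match the real bookmarklet byte for byte; the wordlist is constructed.

```python
import base64
import hashlib

# Assumed parameters (SuperGenPass-style, not verified against the real tool).
ROUNDS = 10   # minimum number of MD5 rounds
LENGTH = 10   # characters of output used as the site password


def _md5_b64(data: str) -> str:
    """One round: MD5 the input and base64-encode the digest.

    The two symbols that are awkward in passwords ('+' and '/') are swapped
    for digits and the '=' padding is dropped (assumed alphabet)."""
    digest = hashlib.md5(data.encode("utf-8")).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return encoded.replace("+", "9").replace("/", "8").rstrip("=")


def _looks_valid(pw: str) -> bool:
    """Assumed validity rule: starts with a lowercase letter and contains
    at least one uppercase letter and one digit."""
    return (pw[0].islower()
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derive_site_password(master: str, domain: str) -> str:
    """Derive the per-site password the way the post describes: the master
    password and the domain are combined, then hashed repeatedly."""
    h = f"{master}:{domain}"
    for _ in range(ROUNDS):
        h = _md5_b64(h)
    # Keep hashing until the truncated output satisfies the validity rule.
    while not _looks_valid(h[:LENGTH]):
        h = _md5_b64(h)
    return h[:LENGTH]


def master_in_wordlist(domain: str, leaked_site_password: str, wordlist):
    """The comment's 'half of the equation' problem: the domain is public, so
    anyone holding one leaked site password can test candidate master
    passwords offline. Returns the candidate that reproduces the leak, or
    None if no candidate in the list does. Used here to audit one's own
    master password against a known-weak list."""
    for candidate in wordlist:
        if derive_site_password(candidate, domain) == leaked_site_password:
            return candidate
    return None


# Constructed wordlist standing in for the dictionary the comment mentions.
WORDLIST = ["password", "swordfish", "cricket", "squirrel", "letmein"]


if __name__ == "__main__":
    for site in ("twitter.com", "livejournal.com", "example-bank.com"):
        print(site, derive_site_password("cricket", site))
    leaked = derive_site_password("squirrel", "livejournal.com")
    print("weak master recovered:", master_in_wordlist("livejournal.com", leaked, WORDLIST))
    leaked = derive_site_password("Ihalovnf", "livejournal.com")
    print("acronym master recovered:", master_in_wordlist("livejournal.com", leaked, WORDLIST))
```

Running it shows the two properties the post and comment rely on: the same master produces unrelated-looking passwords per domain, so one leaked site password says nothing about the others, but the derivation itself is cheap and unsalted beyond the public domain name, so a master that sits in a wordlist ("squirrel") is recovered from a single leak while an acronym like "Ihalovnf" is not reached by the same list.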
