Monday, August 15, 2005

The Password Problem: Day 1, pwdhash 

I have dozens of web site passwords. Betcha that you do too.

So everybody winds up using the same password all over, even People Who Should Know Better. The most clueful people use three or four passwords, saving the longest and most elaborate for home banking and using the junkier passwords for things like their New York Times registration.

There is a better way. It's easy for a computer to create a separate password for every place you visit. You can invent and use just one strong password, and the computer can create a new one from it for each web site.

That's what today's featured software does. The Firefox extension pwdhash (also available for Internet Explorer) adds a new feature to the way password entry fields work. When you click in a password entry field you can either type in a password like always, or you can begin by pressing F2 or by typing "@@". Then the magic takes hold. If you type in a regular strong password after the double @ or the F2, pwdhash will rewrite it to be a mathematical combination of your password with the name of the web site you're visiting.

This is cool in several ways. First, the Stanford team that wrote this wisely chose their math so that the web site you're visiting can't calculate your master password. They see the rewritten password but the only way they can get your master password is to guess it (so pick one that's hard to guess).

Notice that you don't have to remember the per-site password. Even if you lose all your stored passwords, you can still get back to all the web sites because pwdhash will calculate the same password each time. Even if your computer burns down and you don't have pwdhash installed any more, you can re-create your passwords at http://crypto.stanford.edu/PwdHash/RemotePwdHash/.

The developers point out another bit of coolness. Suppose someone tricks you into typing your online banking password while you're on the bad guy's web site. It won't work! You'll hit F2 and your master password, but the scammer will see and steal a different password than the one that goes to your bank.

I took a look at the actual programming and found more coolness and a quibble. Notice how everybody's got different requirements for passwords? This program can adapt. To start with, it builds a password as long as your master password, made entirely of numbers and mixed-case letters (and pluses and slashes). That should be safe anywhere. But what if a web site demands that you include some more exotic characters in your password, the password that pwdhash is making for you? Then just put some comic-book profanity into your master password. Pwdhash checks whether you've done that and says to itself, "Hmm, the user is trying to drop me a hint here, I'd better stick some comic-book profanity onto the password I just calculated."

Needs more salt

"The hash needs more salt" sure sounds like something you'd hear at a diner. What it means is that your master password is too easy to guess. They should be stirring into the calculations a number which stays the same for any given user but is different from one user to the next. That's a quibble, though: first, you're safe if you use a good password to begin with, and second, bad guys have much easier ways to make trouble.
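
The per-site derivation and the salt quibble described above, sketched as an added example that is not pwdhash's own code. The HMAC-SHA-256 and PBKDF2 constructions, the function names, and the sample password, domains and salts are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac

def site_password(master: str, domain: str) -> str:
    """Unsalted: HMAC keyed with the master password over the site name."""
    mac = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    # Base64 yields digits, mixed-case letters, '+' and '/'; trim to master's length.
    return base64.b64encode(mac).decode()[:len(master)]

def salted_site_password(master: str, user_salt: bytes, domain: str) -> str:
    """Salted: stretch the master password with a per-user salt before the HMAC."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), user_salt, 100_000)
    mac = hmac.new(key, domain.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:len(master)]

def demo() -> dict:
    master = "correct horse battery"                      # constructed sample
    bank, phish = "bank.example", "bank-login.example"    # constructed domains
    alice_salt, bob_salt = b"alice-salt-0001", b"bob-salt-0002"  # constructed salts
    return {
        # Same master password, different site name: unrelated outputs, so a
        # password captured on the look-alike site is not the bank's password.
        "bank": site_password(master, bank),
        "phish": site_password(master, phish),
        # Without a salt, two users with the same master password get the same
        # site password, so one guessing table per site covers every user.
        # With a per-user salt the guessing work must be redone for each user.
        "alice_salted": salted_site_password(master, alice_salt, bank),
        "bob_salted": salted_site_password(master, bob_salt, bank),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```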
