PasswordMaker
Ever since I discovered PasswordMaker.org, I’ve been recommending it, especially in my cryptography trainings. It hashes your master password together with the URL of the current site and turns the result into that site’s password. Your master password is never transmitted, and because the hash is a one-way function, a site password cannot be reversed to recover it (provided the master password is strong enough that an attacker cannot simply guess candidates and check them against a leaked site password). Every site therefore gets a different password, so if any one site is compromised you only need to reset that one password.
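To make the scheme concrete, here is an added example of a PasswordMaker-style derivation; it is illustrative code written for this post, not PasswordMaker’s own algorithm, and the character set, output length and the use of HMAC-SHA256 are my assumptions. It also shows the caveat above in code: a second function takes one leaked site password plus its domain and recovers the master password by trying candidates, which succeeds quickly when the master is weak and fails when it is not.

```python
import hashlib
import hmac
import string

# Illustrative character set for generated passwords (an assumption for
# this example, not PasswordMaker's default).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_password(master: str, domain: str, length: int = 12) -> str:
    """Derive a per-site password from one master secret and the site's domain.

    Illustrative scheme (not PasswordMaker's exact algorithm): the master
    secret is the HMAC key and the domain is the message, so each domain
    yields an unrelated output and the master secret never has to leave
    the client. The same (master, domain) pair always gives the same result,
    which is what lets the user regenerate the password anywhere.
    """
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    # Map digest bytes onto the charset. 256 % len(CHARSET) != 0 introduces a
    # slight bias toward the first characters; fine for illustration, not
    # for a production tool.
    return "".join(CHARSET[b % len(CHARSET)] for b in digest[:length])


def dictionary_attack(leaked_password: str, domain: str, candidates, length: int = 12):
    """Try to recover the master secret from one leaked site password.

    The hash itself is not reversed; the attacker re-runs the public
    derivation on each candidate master and compares. This is why
    "cannot be reversed" holds only for a master secret that is not
    guessable. Returns the recovered master, or None if no candidate matched.
    """
    for guess in candidates:
        if derive_site_password(guess, domain, length) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    master = "correct horse battery staple"
    for site in ("example.com", "example.org", "bank.example"):
        print(f"{site:14} -> {derive_site_password(master, site)}")

    # Constructed mini word list standing in for a real cracking dictionary.
    wordlist = ["password", "123456", "letmein", "qwerty", "monkey"]

    weak_leak = derive_site_password("letmein", "example.com")
    print("weak master recovered:", dictionary_attack(weak_leak, "example.com", wordlist))

    strong_leak = derive_site_password(master, "example.com")
    print("strong master recovered:", dictionary_attack(strong_leak, "example.com", wordlist))
```

The derivation is stateless: nothing is stored, so it can be regenerated on any machine, which is both its convenience and, as the comments below point out, its exposure if that machine is not trusted.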
Joel was looking for a solution to his password storage and synchronization problem over at StackOverflow, so I sent him an MP3 quote and they played it on their podcast. Joel liked the solution; Jeff not so much, though his own solution is just to memorize a few passwords.
Their podcast is now hosted by IT Conversations. My quote plays at 57:14; the audio quality isn’t great.
Tags: cryptography, open source, passwords, podcast
June 12th, 2008 at 10:28 pm
If I were to write spyware, I would certainly sniff browser frames for anyone going to passwordmaker.org and snatch all the input.
And since the idea is that you could use this online service from anywhere, that is exactly what people will do: use it anywhere, on computers of potentially unknown security states.
Even though the data doesn’t go anywhere but the browser frame, if you use a computer you can’t trust 100%, you might as well just hand over your credentials to strangers on the street. Not only could you expose a password to an innocuous site you don’t care about, but every site you have ever used with it and every site you will use with it until you realize you have been compromised (if ever) and switch your scheme.
Then the cycle can start again.
That is, provided someone hasn’t just created a huge rainbow table and is using a seemingly safe site to phish for credentials.
Better off to use your brain.
June 13th, 2008 at 1:38 am
Interesting points. I think for your main accounts (email, banking, etc.) you are better off using your brain, but for the hundreds of other sites that need user names and passwords I still believe PasswordMaker.org is a better solution.
It is worth pointing out that Password Maker’s main method of use is as client software that you download. Plus, if you are using a compromised computer, especially one that is publicly accessible, then all bets are off, even if you are using just your brain. Using password maker or not will not strengthen or weaken your position.
As far as using rainbow tables against Password Maker goes, I would hope that Password Maker salts the hashes, but I guess it is possible they don’t. If they do not, then an individual site could generate a rainbow table with their domain and attempt to reverse the passwords used there to get your master password. I didn’t see anything about salt on Password Maker’s site. Good question! But if a site is compromised and you are using a finite set of passwords from memory, then you are screwed too.