Why I secure passwords with SuperGenPassWednesday, January 12, 2011
There’s been a lot of talk about security, passwords, and authentication. As we put more about us online, our passwords become ever so important. Everything from banking to commerce, friendships to resumes, and even our day jobs require passwords.
Passwords are broken
Having worked in information technology auditing, I can tell you that people hate passwords. If I had so many to remember and they were all necessary for me to get my job done, I would simply pick one, easy-to-remember password. Unfortunately, businesses believe this is unsafe and force users to follow silly rules (8 characters, 2 must be numeric, and you must change this password every 60 days). Due to these rules, things become less secure. Two examples:
- Passwords start showing up on sticky notes next to computers. Or they are all written down in a handy notebook right next to the computer (typically open to the most frequently-used password). Now that “easy to remember” to me password in my head, is now written down and easy to access by anyone.
- Similarly, we use a database like 1Password or some other encrypted database to store all these fancy, super-secure passwords. But, then we protect them behind a single, “easy to remember” password. Now it only takes one password to unlock all your passwords, and we’re right back at square one.
Alex and I feel strongly about password security and he’s written about it many times. Here’s my thoughts and what I’ve found works best for me.
- Enter a “master password” (eg: puppies)
- Hash that password against the current domain (eg: facebook.com)
- Generate a secure string using those two inputs (eg: 4ced9d6f52dc88d02028d34a3625e43d)
- Truncate the result to X characters (eg: 10)
Here’s how SuperGenPass describes itself:
Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.
Arguably, the concept of a “master password” means you have one “easy to remember” password that anyone can get to and then use to generate your secure passwords. But, there are a few counterpoints:
- An attacker would need to know I use SuperGenPass (whoops)
- They would need to know how long my generated results are (8, 10, 20 characters long?)
- I use a secure master password which is unguessable and not something I’d write down or use elsewhere
Now that we’re all convinced (right?), the mechanisms of using a password hashing utility are super simple.
- Browse to site
- Type in master password
- Use Bookmarklet or Mobile site to generate hashed password
Since I use Safari, I have SuperGenPass added to my Bookmarks Bar and I can use Command + 1 on any page to trigger the bookmarklet to enter my password. It then finds any “password” fields on the page and auto-populates them with the hashed version. This is very fast and hardly any more intrusive than simply typing a password into a form.
Still not convinced? Drop a line or leave a comment to share your thoughts…