A Software Developer's Advice on Passwords
Anyone who follows the news knows that using the same password everywhere is a very bad idea. A number of very popular online services have had their users' passwords stolen in recent months. The mere fact that these sites store passwords in a form that can be recovered once stolen is disturbing.
That being said, I suspect that the vast majority of people reading this do use one password on many sites. The reality is that the average person cannot easily remember multiple passwords. It just isn't practical. Your choices are to reuse a few passwords everywhere, or to use many passwords and write them down. Either is dangerous.
There is another option though. Recently a Firefox add-on named PwdHash has been released (and has been ported to other major browsers) that allows you to use a single password in a much safer way. The add-on works by creating a unique password for each site you visit. This unique password is based on a password that you must remember and on the site's domain name. Your original password is never sent to the site.
For example, if I had remembered a password of 'monkey' and I visited google.com then the add-on would generate a password of 'k3XrjUkt'. If I visit yahoo.com then it would generate 'Rt0UnWkn'.
It works by computing a keyed MD5 hash (HMAC-MD5) of the site's domain name, using your original password as the key. The result is then shortened and adjusted so that it looks like an ordinary short site password. This calculation is done entirely in JavaScript on your machine, so the site only ever receives the derived password; your original password is never sent over the wire.
It isn't perfect though. There are some issues. The biggest is that MD5 is a fast hash with known weaknesses: practical collision attacks exist against it. Collisions are not the real concern here, however. The real concern is that the whole algorithm is public and cheap to compute. If someone obtains one of these generated passwords and knows which domain it was generated for, they do not need to "reverse" anything: they can simply guess candidate original passwords, run each guess through the same calculation, and check for a match, at millions of guesses per second on ordinary hardware. A weak or dictionary-word original password can be recovered this way; a long random one cannot, in practice.
I think this is rather unlikely to happen though. If a site is hacked, and your password is stolen, then it is likely to be one of many that are stolen. If this happens then the culprit is likely to use a script to try the passwords that they obtained, and will probably not pay much attention to passwords that don't work on other sites. After all, you don't need to be faster than a bear to survive a bear attack. You just need to be faster than the guy next to you.
Even if someone is specifically targeting you and has one of these passwords, it is unlikely that they will realize that you use PwdHash; the passwords that are generated look like ordinary random passwords. Nothing about them screams "I'm a hash!". So, if you don't trust someone, don't tell them that you use PwdHash.
There are some very nice aspects to this solution as well. The best part is that it is so easy to use. Once the add-on is installed you simply type @@ before your password in a site's password field, and the add-on replaces what you typed with the site-specific password for you. Get in the habit of typing @@ before your password, and it will take care of the rest.
You can even generate a password without installing the add-on by going to http://www.pwdhash.com and using the form on the site. It runs the same calculation in client-side JavaScript, so your original password still never leaves your machine; the caveat is that you are trusting the script that site serves you on each visit, and you have to type the domain yourself exactly as the add-on would see it, since a different domain gives a different password.
One can argue that this is just a bit more security by obscurity, but in this case I think it is a big step in the right direction. Hopefully a future version will use a better hash algorithm, which would make this a mu
– Micah Gorrell
Micah is a software developer at Messaging Architects.