I ran out of adjectives starting with “S” to describe what I believe is the very best password management solution currently available, PasswordMaker. PasswordMaker is an implementation of on-the-fly, site-specific web password hashing: instead of storing your passwords anywhere, it regenerates each one from a single master password and the site’s domain name whenever you need it.
How many accounts/passwords do you have? One for your Email? Bank(s)? Credit card(s)? Phone companies? School? Work? Utilities? Google? Yahoo? Facebook? MySpace? Amazon? Ebay? NYTimes? Torrent trackers? That annoying website that made you register just to use the simplest feature? (Oh wait, every website is like that nowadays.) I think you get the point. Even the average, casual Internet user can easily have dozens of accounts/passwords. In this day and age, computerized password management systems are absolutely necessary for even casual Internet users, and PasswordMaker is the king of password management.
“Manual” password management using one’s memory or secret black notebook is dangerous and inefficient
Unless I am missing some incredibly clever trick, there are only a few methods and variations for managing dozens of passwords without a computerized system.
The most common method, and the most insecure, is to use the same easily memorized password on all your accounts. First, easily memorized passwords are generally weak passwords: short and predictable, so they fall quickly to guessing or to offline cracking of a leaked password database. Second, even if your single password is incredibly strong, a compromise of just one account (through human error, a security flaw at the site, an accident, anything) hands the attacker every other account that shares the password, no matter how impenetrable those other sites’ security systems are.
A variation on this method, one that I used for a long time, is to rotate between several well-memorized strong passwords. You don’t have to remember which password you used for a particular account; you just try each of your regular passwords until one works. The more passwords you have in your regular rotation, the more secure your accounts are, since fewer accounts share the same password. However, the more passwords you rotate, the more inconvenient this method becomes. It often takes multiple tries before you can get into an account as you keep typing in the wrong password. This becomes a big problem with sites that lock you out after a few incorrect attempts (which is not a bad idea, since it protects you from online password guessing).
The other common method for handling lots of passwords is to make unique passwords for each account and write them down on paper. Storing passwords on paper is obviously insecure: the notebook holds every password in plaintext and can be stolen, copied, or lost. It is also very inefficient, as you need to consult your notebook before you can log into accounts, you must meticulously keep track of which password corresponds to which account, and you must add new passwords as they are created.
Finally, you can rely on your superb memory to memorize strong and unique passwords for every one of your accounts. My Dad claims he can do it, but I’ve discovered that some of his passwords are extremely weak. Normal human beings simply cannot easily and reliably memorize dozens of strong, unique passwords. Furthermore, the likelihood of forgetting your passwords this way is even higher than losing the notebook with your passwords in them.
Psychologist and security expert Kim-Phuong Vu sums up the problem of manual password management well: “Many users have half a dozen passwords to remember. That’s why the most common password is ‘password.’ The usual solution is to write it down. But how secure is that? Practicality wins. The probability of remembering six passwords is not that great. Half the people who say they never write down their passwords need to have their passwords reset because of forgetting.”
What to look for in a computerized management system
Professor Spafford is a leading expert in information assurance and security. He lists the following requirements for good computerized password management systems.
- The programs use published, strong ciphers to encrypt the contents (e.g., AES). I don’t need to worry about some random person getting the encrypted database and then decrypting all my keys.
- The programs are cross-platform so that I can use the same program on my PDA, my laptop, and my home system. This keeps me from creating keys and passwords then forgetting them because I don’t have the vault program at hand.
- The different versions of the program sync with each other, and allow the database to be backed up. If I lose my PDA, I’m not completely locked out of everything — I can do a restore, unencrypt, and carry on as before.
- I don’t store the database and the encryption routines on someone else’s machine. That way, I don’t have to worry about the owner of a remote site altering the encryption routines, or making a surreptitious copy of my keys.
Read on to see how different password managers stack up against these requirements.
Most password managers are at best inconvenient, at worst disasters waiting to happen
Most popular computerized password management systems are essentially password vaults. These vaults lock up all your passwords using strong encryption that’s difficult to crack, and you only need to remember one password for this vault to unlock all your passwords. So, no matter how many accounts and unique, unmemorizable passwords you have, you only need to commit one single password to memory: the vault’s own.
RoboForm is probably the most popular password management software. It is free of charge but proprietary. Although it does claim to use published encryption algorithms like AES, I don’t consider RoboForm as satisfying the trust that Spafford’s first requirement is really about. I do worry, since RoboForm is marketed as the successor of Gator, one of the shadiest and most notorious pieces of malware ever. RoboForm uses questionable marketing tactics like software bundling (correct me if I’m wrong; I might be confusing RoboForm with other bundled toolbars) and aggressive affiliate programs (how many glowing reviews of RoboForm were influenced by the affiliate payouts, or downright bought?). Moreover, it is not open source, so who knows if there are any hidden backdoors or security flaws in the program? Furthermore, RoboForm doesn’t satisfy requirement #2: it is not cross-platform and is mostly limited to Microsoft platforms.
KeePass and Password Safe are two mature, open-source, and free password vault applications. Both use published encryption algorithms and have gone through extensive peer review, so they are very trustworthy. KeePass has been unofficially ported to many different platforms, so it is, unofficially, more or less cross-platform. Password Safe is Windows-only, but there are programs on other platforms that support its storage format. Either way, using KeePass or Password Safe across different platforms is not the easiest thing to do.
Synchronization of your password database across computers and platforms is inconvenient with all three password vaults. The procedure is basically the same as backing up your database. You need to manually copy your database from one computer or device to another. Backing up is absolutely necessary because you will be locked out of all your accounts if you lose your database for whatever reason.
PassPack is a promising online password management service. However, it immediately runs afoul of Spafford’s fourth requirement: not storing the database and encryption routines on someone else’s machine. While PassPack promises that it is impossible for them to decrypt your passwords, the fact remains that your password database is entirely at a third party’s mercy. PassPack’s service may fail for any number of unforeseen reasons (natural disaster, bankruptcy) quite apart from intentional malice or negligence.
On-the-fly web password hashing to the rescue
The password vault is not the only way of managing passwords using computerized systems. Several computer scientists, security experts, and programmers from around the world came up with the concept of on-the-fly and site-specific web password hashing. I believe Nic Wolff released the first working implementation to the public. See the “other implementations” section below for other pioneers of this password management concept.
Web password hashing works like this. You create and memorize one single master password. When you need a password for a website, you derive a complex and unique password specific to that site by computing a one-way hash of your master password combined with the site’s domain name. Hashing is like feeding a piece of wood into a wood chipper: what comes out looks like random bits that don’t resemble the original, except that with hashing the result is always identical given the same input (it is a “fingerprint” of the input), and it cannot be run backwards to recover the input. Read more here about why password hashing is so effective, especially with a salt, which PasswordMaker supports.
masterpassword+facebook.com => hash process => #GFg3IJ@)5h*@(Fhf9ehf
Since the hashing process generates the same result when given the same input, there is no need to save any of your site-specific passwords. Each time you need to log in, you regenerate the same password on the fly by hashing your master password and the domain name of the site. There are many implementations of this idea, software that simplifies the process of hashing your master password plus the site’s domain. PasswordMaker is by far the most polished, user-friendly, and convenient.
PasswordMaker satisfies all the requirements and more with flying colors!
- PasswordMaker is open-source and uses published hashing algorithms. There is no worry that someone can steal your entire database of passwords because there is no such database. There is only one master password locked away in your mind, and site-specific passwords that are generated on the fly but never stored anywhere.
- PasswordMaker is usable on literally any platform (that supports at least a basic web browser; you wouldn’t need your web passwords on a platform that can’t surf the web, right?).
- PasswordMaker doesn’t need to be backed up or synchronized. You just need to remember your master password, and PasswordMaker will generate your site-specific passwords wherever you are.
- PasswordMaker doesn’t store your password database or encryption routines on a remote server, or anywhere for that matter. Again, there is no password database, just your master password in your mind.
As if that’s not enough, PasswordMaker has other advantages over most password vaults.
Tired of recording what password corresponds to what website? Whenever you tell PasswordMaker to fill in a password, it hashes your master password with the domain name of the site you are on. No records to keep, no manually typing in your password and the domain name you want to hash.
Afraid of getting locked out of all your sites if you lose your password vault database (I told you to back up! :P)? You’ll never be locked out of your sites with PasswordMaker as long as you remember your master password and your selected hashing process. Check back for a future post with tips on using PasswordMaker; remembering your hashing process (algorithm, password length, character set, and which parts of the URL are hashed) is sometimes almost as important as remembering your master password.
Afraid of your password manager (like PassPack or RoboForm) going out of business and taking your passwords down with the sinking ship? With PasswordMaker, you can always re-create all your passwords with the master password and hashing process. In fact, you can download different versions of PasswordMaker to your own computer, like the JavaScript version that runs in any web browser, so you will never be unable to regenerate your passwords.
Ever fallen for a phishing scheme where a rogue website pretends to be a legitimate site requiring your username/password? Password vaults do not prevent you from actively handing your username/password over to a phisher. Since PasswordMaker generates passwords from the domain name of the site, and the phishing site has a different domain from the site it is imitating, the password generated on the phishing page is different from the one for the real site. Thus, the phishing site would have stolen a password that does not correspond to any of your real passwords. (This only holds if you let PasswordMaker generate the password for the page you are actually on; if you type in a password you have memorized or copied from elsewhere, nothing stops you from handing over the real one.)
Does registering a new account take forever because you have to think of a new password or input the password and website into your password vault? With PasswordMaker, registration takes literally seconds as you press one button and your password is generated for you. You can even have PasswordMaker fill in other form fields for you, like email and username. Of course, logging in is also a one-click affair.
PasswordMaker can generate passwords that are as complex and as long as you want, using whatever character set you choose.
In the worst-case scenario where your master password is compromised, a traditional password vault gives up all your account information at once: usernames, passwords, and URLs. If your PasswordMaker master password is compromised, the attacker still has to work out which hashing process you selected and which websites you have accounts on. Don’t lean on that, though: the hashing process is a handful of settings that are easy to enumerate, not a secret, so guard the single master password with your life.
Conclusion
Wow, this turned into my longest post yet. PasswordMaker is a truly great password management system that everyone should use. If you are hesitant or confused, check back later for tips on how to get started with PasswordMaker. Or just dive right in and start exploring PasswordMaker. It is very simple and user-friendly as long as you can wrap your brain around the concept of on-the-fly password generation with hashing functions. Be sure to read the FAQ for tons of good information.
Other implementations of site-specific web password hashing:
PwdHash
Password Hasher Firefox Extension
SuperGenPass
Password Composer
Nic’s Password generator
References:
Security Myths and Passwords
Passwords and Myth
Password Security: What Users Know and What They Actually Do
Passwords and human memory
Password Security is Her Game
Are Hash Codes Unique?
Deconstructing Common Security Myths
Stronger Password Authentication Using Browser Extensions


Very nice article! One comment. You wrote: “A group of students at Stanford University (including Blake Ross of Firefox fame) came up with the concept of site-specific web password hashing.”
Actually, Nick Wolff is the first person to come up with and publish this idea. His page is at http://angel.net/~nic/passwd.html. Both myself and Blake Ross came up with the idea independently of Nick, but Nick definitely had the aforementioned web page before PasswordMaker and PwdHash.
Thanks for the comment! My apologies for the bad facts. Will correct ASAP.
How is a URL-hash-based system any more secure than a vault? (except for not having to make backups?)
The only way I can think of for someone to get access to your vault is if he has taken control of your system. In this situation the URL-hash system would fail too, since he’d just have to wait for you to enter your master password (and find out which sites you use), no? And added secrets for each particular URL would defeat the whole purpose, it seems.
On a different note, I find some programs’ claim that the master pw can be saved in “encrypted” form highly dubious. The encryption key would have to be in the password program, right?
random commenter: Thanks for your input. I think you’re correct that, in general, proper password vaults are no less secure than on-the-fly password hashing. My main issue with vaults is the annoyance of having to backup the vault and transport the vault to other locations. If you are using a public workstation or some computer that you don’t want to install your vault onto, you’re locked out of your accounts.
Some password vaults also don’t protect you from phishing schemes. You can easily retrieve a secure password from your vault and hand it over voluntarily to a clever phisher. (I think RoboForm has phishing protection though.) Such phishing schemes don’t work with on-the-fly password hashing.