Chris's Wiki :: blog/web/WebPasswordApproach Comments
https://utcc.utoronto.ca/~cks/space/blog/web/WebPasswordApproach?atomcomments
Recent comments in Chris's Wiki :: blog/web/WebPasswordApproach (feed updated 2009-02-19T10:58:51Z).

From 97.119.200.31 on /blog/web/WebPasswordApproach
<div class="wikitext"><p>I use Password Gorilla and a free Dropbox account to maintain a database of passwords accessible from virtually anywhere. I can also carry Password Gorilla and the password db on a USB stick. I don't know any of my important passwords besides the very complex password to my Password Gorilla database.</p>
<p>I sure hope PWG is secure...</p>
<p>- Grant (gaustin gmail)</p>
</div>
2009-02-19T10:58:51Z

By Chris Siebenmann on /blog/web/WebPasswordApproach
<div class="wikitext"><p>For me, browser memorization is important because it drastically reduces
the annoyance and pain of having different passwords for each website.
Without that, I'm not sure that I'd actually use different passwords; it
would start getting awfully tempting just to have a couple of different
classes of website and a (not pure random) password for each class.</p>
<p>(I would expect to wind up memorizing the passwords through frequent
enough use, thus sparing myself the hassle of looking them up every
time.)</p>
</div>
2009-02-18T13:37:57Z

By nothings on /blog/web/WebPasswordApproach
<div class="wikitext"><p>Yeah, ok, then your policy is the same as mine, we would just describe them differently.</p>
<p>My password policy is "I store all my passwords in one or more text files on my home machine".</p>
<p>The fact that I do or do not let the browser memorize them seems secondary to me, even if it's not secondary in terms of practical actual typing-in-of-passwords. (Possibly I see it this way because I have a different policy towards browser-remembering at home than at work, so I can't easily summarize that side of it at all or claim it's a clear-cut approach.)</p>
</div>
2009-02-18T08:10:15Z

By Chris Siebenmann on /blog/web/WebPasswordApproach
<div class="wikitext"><p>I keep a copy of all of my non-critical passwords outside the browser;
among other reasons, it's insurance against accidents that destroy
my browser profile. (I used to run a bleeding edge compiled from source
version of Firefox, so this was a not insignificant concern.)</p>
<p>For various reasons I have never really warmed to the various site-based
hash approaches, partly because they are enough less convenient to be
unattractive. (On the sites that I take this approach for I have already
decided that convenience is more important than utter security, so I have
little interest in compromising convenience for only a little bit more
security.)</p>
</div>
2009-02-17T13:46:24Z

By nothings on /blog/web/WebPasswordApproach
<div class="wikitext"><p><em>I deal with regularly using multiple machines by letting the browsers on all of them remember my passwords (or at least the passwords for sites that I regularly use from that particular machine, which isn't the full set).</em></p>
<p>How does a browser on machine B "remember" a password that you invented and entered on a browser on machine A? I believe this is the issue that motivates the comment that you replied to with the above text.</p>
</div>
2009-02-17T08:32:02Z

From 69.134.27.198 on /blog/web/WebPasswordApproach
<div class="wikitext"><p>I like <a href="http://crypto.stanford.edu/PwdHash">PwdHash</a>. I've scanned the javascript and stored it locally. There are more places where it doesn't work well than they claim (e.g., acm.org and their Safari subscription service), but it does do reasonably well on most sites. They use the master key character set to determine the character set for a site.</p>
<p>I HATE sites that prevent use of punctuation in passwords "for security purposes". I have yet to see one that informs you of that before you attempt to pick a password, never mind mentioning it in the prompt when you're entering the password (typically, for the first time in several months).</p>
</div>
2009-02-16T18:05:51Z

By Chris Siebenmann on /blog/web/WebPasswordApproach
<div class="wikitext"><p>I deal with regularly using multiple machines by letting the browsers on
all of them remember my passwords (or at least the passwords for sites
that I regularly use from that particular machine, which isn't the full
set).</p>
<p>As for the security implications: is there a way to extract stored
passwords through JavaScript and the like, entirely from the web, or
does it require getting access to the actual system? I'm not too
concerned about system level access; if you compromise my machine to
that level you can probably install a keylogger, or just fish the
passwords out of my archived email.</p>
<p>(And just in general, if you compromise my machine to that level I
have much bigger problems than the fact that you got my passwords
for places like Slashdot, LiveJournal, Fedora's Bugzilla, and so on.)</p>
</div>
2009-02-16T17:43:56Z

From 198.178.191.2 on /blog/web/WebPasswordApproach
<div class="wikitext"><p>Your solution is an interesting alternative, and in terms of security of course it's better to have a unique password for every site. However, besides the security implications (passwords stored by Firefox &amp; IE are easily extracted), the other major issue I see with letting your browser or computer remember the password for you is limiting yourself to a single machine. Most people have multiple computers between home &amp; work, as well as Internet capable mobile devices. Accessing sites from any machine that isn't your primary one all of a sudden becomes a nightmare.
Having said that though, like you said, your solution is still better than having a single password for everything.</p>
<p>Clay
<a href="http://blog.techscrawl.com">http://blog.techscrawl.com</a></p>
</div>
2009-02-16T16:10:39Z

From 72.14.228.89 on /blog/web/WebPasswordApproach
<div class="wikitext"><p>My personal choice is just to use <a href="http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/">password composer</a>. It's a simple approach: take the md5sum of &lt;site basename&gt; + ":" + &lt;master password&gt;, and then take the first 8 characters of that. I don't use it absolutely everywhere - although I probably should - but I do use it on any new site that asks me for a password.</p>
<p>Now, I have unique passwords per site that I still have access to when not at my machine, thanks to the web form on the "password composer" site. (Though this reminds me, I should update their bookmarklet to let me specify the site name the way their greasemonkey script does.)</p>
</div>
2009-02-16T15:47:22Z
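The Password Composer rule that the comment above describes (first 8 hex characters of md5 of site basename + ":" + master password), worked through in Python as an added example. This is not code from the thread or from the Password Composer project itself; the md5 primitive comes from the standard library, and the `site_basename` reduction (keeping the last two labels of a hostname) is an assumption, since the comment does not say how the tool derives the basename. The `policy_problems` helper is also an addition, to show how the derived passwords fare against the kind of site password rules discussed elsewhere in the thread.

```python
import hashlib
import urllib.parse

# Added example, not the Password Composer project's own code. It follows the
# derivation rule exactly as the comment states it; site_basename() is a
# stand-in assumption for whatever the real tool does.


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the primitive the whole scheme rests on."""
    return hashlib.md5(data).hexdigest()


def site_basename(hostname: str) -> str:
    """Reduce a hostname to a 'site basename'.

    Assumption: the last two DNS labels are the site
    ('www.example.com' -> 'example.com'). The comment does not specify the
    real rule, so this is an illustrative stand-in.
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def compose_password(site: str, master: str, length: int = 8) -> str:
    """First `length` hex characters of md5(site + ':' + master)."""
    digest = md5_hex(f"{site}:{master}".encode("utf-8"))
    return digest[:length]


def compose_for_url(url: str, master: str) -> str:
    """Derive the per-site password straight from a page URL."""
    host = urllib.parse.urlsplit(url).hostname or ""
    return compose_password(site_basename(host), master)


PUNCTUATION = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def policy_problems(password: str, need_upper: bool = False,
                    need_punct: bool = False, min_len: int = 8) -> list:
    """List which common site password rules a derived password fails.

    A truncated hex digest is always lowercase digits and a-f, so any site
    that insists on an uppercase letter or a punctuation character will
    reject every password this scheme produces.
    """
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if need_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if need_punct and not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the master password here is a placeholder.
    master = "placeholder-master-passphrase"
    for url in ("https://www.example.com/login", "https://forum.example.org/"):
        pw = compose_for_url(url, master)
        print(url, "->", pw, policy_problems(pw, need_upper=True))
```

Two properties of the scheme fall out of the code. The output alphabet is sixteen symbols, so an 8-character result carries at most 32 bits regardless of how strong the master password is, and it cannot satisfy a site that demands mixed case or punctuation. And because the site name is public and the hash is a single unsalted, fast MD5, any one site password that leaks is a direct test vector for offline guessing of the master password, which is the risk a practitioner weighs against the convenience the commenter values.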