My approach to website passwords (and why it is the right one)

February 16, 2009

Recently, I read yet another article that asked people how many of their accounts would be compromised if someone got their password on a non-critical website. My answer is simple: none. And I think that this should be the answer for most everyone, to the point where it irritates me that it isn't.

I always use unique passwords for each website, generally a strong random one. For non-critical websites, I have my browser memorize them for me (and I get irate when this is not possible for stupid reasons). For critical websites, I write down the password on a physical piece of paper and then keep careful track of where it is; this is no particular burden, because there are very few critical websites.

In theory, this is hideously insecure; a single system weakness on my workstation could give an attacker access to many of my accounts. In practice, there are two things wrong with the theory. First, I have already decided that those are non-critical accounts that I don't care too much about the security for, and second, in practice it is far more likely that one of the websites I use will have its account database or login system compromised; in fact, such compromises are routine.

The clear conclusion is that using different passwords and allowing my computer to memorize them is in practice the more secure approach. Of course, this is not the approach most people are taught, which irritates me a great deal; it is a perfect example of mathematically correct security.

The website security fantasy, pushed by at least some security practitioners, is that people will use separate passwords on all websites and memorize them. This is not happening, because it is a pain and people don't do painful things. So we have two real choices: either people memorize one password and use it everywhere, or people use different passwords everywhere and have their computer memorize them. Sadly, teaching people the fantasy generally winds up with the reality being the first option.

Comments on this page:

From 72.14.228.89 at 2009-02-16 10:47:22:

My personal choice is just to use password composer. It's a simple approach: take the md5sum of <site basename> + ":" + <master password>, and then take the first 8 characters of that. I don't use it absolutely everywhere - although I probably should - but I do use it on any new site that asks me for a password.

Now, I have unique passwords per site that I still have access to when not at my machine, thanks to the web form on the "password composer" site. (Though this reminds me, I should update their bookmarklet to let me specify the site name the way their greasemonkey script does)

From 198.178.191.2 at 2009-02-16 11:10:39:

Your solution is an interesting alternative, and in terms of security of course it's better to have a unique password for every site. However, besides the security implications (passwords stored by Firefox & IE are easily extracted), the other major issue I see with letting your browser or computer remember the password for you is limiting yourself to a single machine. Most people have multiple computers between home & work, as well as Internet capable mobile devices. Accessing sites from any machine that isn't your primary one all of a sudden becomes a nightmare. Having said that though, like you said, your solution is still better than having a single password for everything.

Clay http://blog.techscrawl.com

By cks at 2009-02-16 12:43:56:

I deal with regularly using multiple machines by letting the browsers on all of them remember my passwords (or at least the passwords for sites that I regularly use from that particular machine, which isn't the full set).

As for the security implications: is there a way to extract stored passwords through JavaScript and the like, entirely from the web, or does it require getting access to the actual system? I'm not too concerned about system level access; if you compromise my machine to that level you can probably install a keylogger, or just fish the passwords out of my archived email.

(And just in general, if you compromise my machine to that level I have much bigger problems than the fact that you got my passwords for places like Slashdot, LiveJournal, Fedora's Bugzilla, and so on.)

From 69.134.27.198 at 2009-02-16 13:05:51:

I like PwdHash. I've scanned the javascript and stored it locally. There are more places where it doesn't work well than they claim (e.g., acm.org and their Safari subscription service), but it does do reasonably well on most sites. They use the master key character set to determine the character set for a site.

I HATE sites that prevent use of punctuation in passwords "for security purposes". I have yet to see one that informs you of that before you attempt to pick a password, never mind mentioning it in the prompt when you're entering the password (typically, for the first time in several months).
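The hash-composer scheme from the 72.14.228.89 comment above, placed beside the post's own random-password-per-site approach and the punctuation-filter complaint in the comment just above, as an added example; this is not code from the post or from the "password composer" or PwdHash tools, and the site names and master password used are constructed sample values.

```python
import hashlib
import math
import secrets
import string


def composer_password(site_basename: str, master: str) -> str:
    """Per-site password as the comment describes: md5 of
    <site basename> + ":" + <master password>, first 8 hex characters."""
    data = f"{site_basename}:{master}".encode("utf-8")
    return hashlib.md5(data).hexdigest()[:8]


def random_site_password(length: int = 16,
                         alphabet: str = string.ascii_letters + string.digits) -> str:
    """The post's approach: an independent random password for each site,
    which a browser profile or a file then has to remember for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing resistance of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def composer_entropy_bits() -> float:
    # 8 hex characters give at most 16**8 (about 4.3 billion) distinct
    # passwords, i.e. 32 bits, however strong the master password is. And
    # because md5 is fast, a site password leaked from one breached database
    # is enough material to guess the master offline; the random per-site
    # scheme has no shared secret that one leak could expose.
    return entropy_bits(16, 8)


def allowed_by_site(password: str, allow_punctuation: bool) -> bool:
    """The filter the comment above complains about: some sites reject
    punctuation. Hex-only composer output always passes such a filter;
    a random password drawn from a richer alphabet may not."""
    if allow_punctuation:
        return True
    return all(ch.isalnum() for ch in password)
```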

By nothings at 2009-02-17 03:32:02:

I deal with regularly using multiple machines by letting the browsers on all of them remember my passwords (or at least the passwords for sites that I regularly use from that particular machine, which isn't the full set).

How does a browser on machine B "remember" a password that you invented and entered on a browser on machine A? I believe this is the issue that motivates the comment that you replied to with the above text.

By cks at 2009-02-17 08:46:24:

I keep a copy of all of my non-critical passwords outside the browser; among other reasons, it's insurance against accidents that destroy my browser profile. (I used to run a bleeding edge compiled from source version of Firefox, so this was a not insignificant concern.)

For various reasons I have never really warmed to the various site-based hash approaches, partly because they are enough less convenient to be unattractive. (On the sites that I take this approach for I have already decided that convenience is more important than utter security, so I have little interest in compromising convenience for only a little bit more security.)

By nothings at 2009-02-18 03:10:15:

Yeah, ok, then your policy is the same as mine, we would just describe them differently.

My password policy is "I store all my passwords in one or more text files on my home machine".

The fact that I do or do not let the browser memorize them seems secondary to me, even if it's not secondary in terms of practical actual typing-in-of-passwords. (Possibly I see it this way because I have a different policy towards browser-remembering at home than at work, so I can't easily summarize that side of it at all or claim it's a clear-cut approach.)

By cks at 2009-02-18 08:37:57:

For me, browser memorization is important because it drastically reduces the annoyance and pain of having different passwords for each website. Without that, I'm not sure that I'd actually use different passwords; it would start getting awfully tempting just to have a couple of different classes of website and a (not pure random) password for each class.

(I would expect to wind up memorizing the passwords through frequent enough use, thus sparing myself the hassle of looking them up every time.)

From 97.119.200.31 at 2009-02-19 05:58:51:

I use Password Gorilla and a free Dropbox account to maintain a database of passwords accessible from virtually anywhere. I can also carry Password Gorilla and the password db on a USB stick. I don't know any of my important passwords besides the very complex password to my Password Gorilla database.

I sure hope PWG is secure...

- Grant (gaustin gmail)

Written on 16 February 2009.

Last modified: Mon Feb 16 00:49:01 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.