Passwords
02 Oct 2005
This short film just changed my life. Really.
As I get ready for my trip to India I’m trying to figure out how to reduce my dependency on my laptop. I’ll bring it to India, but I plan to leave it with my in-laws, and just bring a USB keychain loaded up with portable Firefox (a version which also works on Mac OS X can be found here) and Thunderbird with me on the road. I’ll then use FeedLounge for reading my newsfeeds. Our home voicemail will be forwarded as e-mails using VoicePulse (I was considering taking the actual phone with us, but I doubt we’ll have the ability to plug it in anywhere, and we can always use Skype). I’ve also uploaded all my contacts to Plaxo, which will soon have a Mac OS X interface.
The only thing that was bugging me was passwords. I could have brought my Palm, but with all the camera equipment I don’t want to have to charge yet another device on the road. Now I don’t have to!!! I just have to make sure to change all my passwords over to the new system before I leave!
UPDATE: From the Password Composer FAQ:
Should I use this for my on-line banking account?
In one word: no.
You should follow the instructions you were given by your bank, credit card company and such instead. Use this script only in those cases where you otherwise were tempted to re-use one of your existing web personalities. In other words, this script fits in the large non-critical space between serious web applications where your real world identity is at stake, and those cases where a login can be avoided altogether. For the last category you might take a look at BugMeNot by the way.
But I figure that about 90% of my passwords fall in this category.
UPDATE: I’ve been implementing this and I have a few tips.
First of all, I recommend the Greasemonkey version if you are using Firefox, as opposed to the Password Maker Firefox extension. The reason is that the simpler Greasemonkey version is compatible with the web form and bookmarklet versions on Nic’s site, which gives you cross-platform compatibility. You can even save a copy of the source code from Nic’s web site on your own server so that you can be sure to always have it.
Secondly, the one problem with using this approach to passwords is that it is URL dependent. This is a problem because you might come to a site from different URLs (www.domain.com or domain.com), or the site you use to generate passwords might be different from the real domain name. The Greasemonkey script solves the first problem, and Password Maker is able to handle both problems – but you still need to remember what the correct URL for login is, in case you attempt to log in from the wrong one!
Third, you still need to remember your usernames. I realized that my username varies much more than I thought it did. To solve these last two problems I suggest saving a single file with the domain name and username for every account. You should probably encrypt this file, but it doesn’t matter much if someone else gets hold of it, since they still won’t have your master password. (The whole point of this is so that you use better passwords for eCommerce sites where you would probably otherwise use the same password for every site. But it isn’t industrial strength protection for things like your bank site.)
UPDATE: Sheesh. I had over 260 passwords stored in my password vault! I’ve eliminated about 60 of them and I’m exhausted. It is worth noting that while Password Maker can handle multiple accounts on a single domain (such as Gmail), the more robust solution (which works on all browsers) does not. Similarly, Password Maker can handle sites that require you to change your password regularly, but the simpler solution cannot. Since I don’t like being tied to a particular browser, I can’t use Password Maker, but I’m happy getting rid of all my other passwords. It is really nice to clean things up so that I only have to store a few critical passwords – like those for Gmail and my bank, not hundreds of useless web sites! (Half the sites I have saved passwords for don’t even seem to exist anymore!)
UPDATE: I have things working now, and I’m pretty happy with my system, but I don’t think it is yet something that would work for everyone. It is still a little complex to install and implement. For that to happen I think there needs to be some kind of a web standard in place, where each site generates its own hash. Then browsers could all automatically generate passwords based on your own master password and the site hash (rather than the URL). Sites could force an update to everyone’s password by generating a new hash for their site on a regular basis. (And sites like Gmail with multiple user accounts could generate a unique hash for each user.) All additional information – usernames, challenge questions, etc. – should then be eliminated. With a simpler system in place people would be more likely to follow better security practices.
UPDATE: Came up with a solution for multiple user accounts. Simply use the form version and then write the domain as “username.domain.com” to generate unique passwords for each user. You can then write this domain down in your encrypted list of domains and usernames.
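To make the two problems above concrete (the URL-dependence issue from the earlier update and the “username.domain.com” trick from this one), here is an added example of a master-password-plus-site-key scheme. It is my own illustration, not Password Composer’s or Password Maker’s code: the “www.” stripping rule and the use of HMAC-SHA256 instead of the original tool’s hash are assumptions, as is the sample master password.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or host name to the host the password is keyed on.

    Scheme, path, port and a leading "www." are dropped so that
    https://www.example.com/login and example.com agree. Without such a
    rule the two URLs yield different passwords (the URL-dependence
    problem). This normalization is an assumption, not the original rule.
    """
    text = url_or_host.strip().lower()
    if "://" not in text:
        text = "//" + text          # let urlsplit treat the input as a netloc
    host = urlsplit(text).hostname or ""
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def derive_password(master: str, url_or_host: str, username: str = "",
                    length: int = 12) -> str:
    """Derive a per-site password from the master secret and a site key.

    The site key is the normalized domain, or "username.domain" when the
    trick for several accounts on one domain is used. HMAC-SHA256 is a
    stand-in for the tool's own hash; base64 output gives letters, digits
    and the symbols "+" and "/". The master secret never leaves this step.
    """
    site_key = normalize_domain(url_or_host)
    if username:
        site_key = f"{username.strip().lower()}.{site_key}"
    digest = hmac.new(master.encode("utf-8"), site_key.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample, not a real secret
    for site in ("example.com", "https://www.example.com/login"):
        print(f"{site:32} -> {derive_password(master, site)}")
    print("alice at example.com ->", derive_password(master, "example.com", "alice"))
    print("bob at example.com   ->", derive_password(master, "example.com", "bob"))
```

Note that the derived password changes whenever the site key changes, so the list of domains and usernames you write down is exactly the list of site keys you must reproduce later.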