With all the recent database compromises going on lately, I’ve decided to step my passwords up a notch.
My old “password scheme” was pretty simple: I had 4 different levels of passwords, so that if a lower one got compromised the more sensitive passwords would still be safe. The flaw in this scheme is that if one of your sensitive passwords is exposed, then all your other sensitive sites are too. I used to think that my banking websites would have pretty hardened systems, but that’s not necessarily the case.
The only safe way to handle passwords online is to have a unique password for every site you use. A lot of people complain that memorizing passwords is hard, but I find it actually pretty easy (I memorized thousands of Kanji after all). The real hard part is remembering which password you used for what site. When you have 4 passwords, you can just iterate through them without getting locked out but it doesn’t work when you have tens or hundreds of passwords to try.
Luckily there are a few companies with products to solve this problem. I looked at services like LastPass and 1Password. 1Password was way too expensive, and LastPass was hard to use, ugly, and for some inexplicable reason stored your passwords on a server. No matter what encryption they use today, it’ll be completely inadequate in 5 or 10 years.
Enter PasswordMaker: it’s an open-source extension for Firefox that generates passwords for websites based on the URL of the site you are visiting, hashed with a master password. This is probably the only scalable solution to the password problem. It also does this without storing your password anywhere, which makes it the most secure solution I’ve found yet. Plus, the algorithm for generating passwords is simple, so if I’m ever in some kind of a pinch I can regenerate my passwords by hand (with the help of the md5 utility).
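To make the idea concrete, here is an added example of a stateless, per-site password derivation in the spirit described above. It is not PasswordMaker’s own code and does not reproduce its exact algorithm or settings; the URL normalisation, the character set, the `derive*` function names and the PBKDF2 variant are all assumptions made for this illustration. It shows three things: why different pages of the same site yield the same password, why the hex variant can be re-created by hand with an md5 utility, and the caveat that a plain unsalted, unstretched hash lets anyone who obtains one derived password test master-password guesses very cheaply.

```python
import hashlib
import math
from urllib.parse import urlsplit

# Character set the derived password is drawn from (constructed for this example).
DEFAULT_CHARSET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%^&*"
)


def site_key(url: str) -> str:
    """Reduce a URL to the part that identifies the site: the host, lower-cased,
    without scheme, port, path, query or a leading 'www.'. This is a hypothetical
    normalisation; PasswordMaker lets the user choose which URL parts count."""
    if "://" not in url:
        url = "https://" + url          # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def _to_charset(n: int, length: int, charset: str, bits: int) -> str:
    """Map a big integer onto `length` symbols of `charset` by repeated base
    conversion. Refuse lengths the available entropy cannot fill."""
    if length * math.log2(len(charset)) > bits:
        raise ValueError("requested length exceeds the hash's %d bits" % bits)
    out = []
    for _ in range(length):
        n, r = divmod(n, len(charset))
        out.append(charset[r])
    return "".join(out)


def derive_hex(master: str, url: str, length: int = 8) -> str:
    """'By hand' variant: the first `length` hex digits of md5(master || site_key).
    The same value comes out of a command-line md5 tool fed the same string."""
    digest = hashlib.md5((master + site_key(url)).encode("utf-8")).hexdigest()
    return digest[:length]


def derive(master: str, url: str, length: int = 12, charset: str = DEFAULT_CHARSET) -> str:
    """Plain md5-based derivation: one fast hash per guess, so a leaked site
    password lets an attacker try master-password candidates at md5 speed."""
    digest = hashlib.md5((master + site_key(url)).encode("utf-8")).digest()
    return _to_charset(int.from_bytes(digest, "big"), length, charset, bits=128)


def derive_stretched(master: str, url: str, length: int = 12,
                     charset: str = DEFAULT_CHARSET, iterations: int = 200_000) -> str:
    """Hardened alternative (an assumption here, not PasswordMaker's scheme):
    PBKDF2-HMAC-SHA256 with the site key as salt, so each master-password guess
    costs `iterations` hashes instead of one md5."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                             site_key(url).encode("utf-8"), iterations, dklen=32)
    return _to_charset(int.from_bytes(dk, "big"), length, charset, bits=256)


if __name__ == "__main__":
    # Constructed sample inputs; "hunter2" is a placeholder master password.
    for u in ("https://www.example.com/login", "http://example.com:8080/account"):
        print(site_key(u), derive_hex("hunter2", u), derive("hunter2", u),
              derive_stretched("hunter2", u))
```

Both sample URLs collapse to `example.com`, so each derivation prints the same password for them; change either the master password or the host and every output changes. `derive_hex` is the one you could reproduce at a shell with an md5 tool if the extension is unavailable; `derive_stretched` is the one to prefer if offline guessing against a leaked site password is part of your threat model, at the cost of no longer being computable by hand.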
The main problem with PasswordMaker is that it doesn’t work very well on mobile phones. There’s an Android port, but it’s about as bare as it can get. It could use some UX love. For example, it could take advantage of Android’s Share intent to get rid of the whole URL input dance that you have to do now.
Although this setup is working for me without too much pain, I still think that the whole username/password system is way too complicated. The fact that I need a program to manage them is definitely a smell. I loved OpenID, but apparently it’s also too complicated for users, so now I’m really rooting for Mozilla’s recently announced BrowserID. As more and more software and services move to the cloud, BrowserID, or something like it, is pretty much going to be required to keep login-creep at bay. It should help reduce the anxiety that people like my wife have when thinking about whether or not they should sign up for some new site.