Saturday, August 11, 2007

One password to rule them all

I admit that I've had the worst web password hygiene until now. I've used more or less one password sprinkled over many sites. The number one reason this is a terrible idea is that I can't seriously trust all those sites (or their authors). Heck, it's not totally impossible that one or two of them actually store my username and password in cleartext somewhere (how horrible that would be). Imagine one of those sites being compromised. Add the fact that I'm typically olov, olov.johansson or olov.lassus on most sites. Impersonated!

The solution is to use one password per site (actually, even better would be wide adoption of the OpenID identity system). All passwords should be reasonably hard to brute force or dictionary attack. I'd recommend at least ten characters, using a combination of alphanumeric characters [a-zA-Z0-9] and symbols (!"#¤%&/()=? ...). The longer and more obscure the passwords are, the better. All is well? Almost. How on earth will I remember all those passwords? I have a terrible memory, by the way. Solutions:
  1. Letting the web browser remember my passwords. I wouldn't dream of using this. It's badly flawed: the default is to not use a master password and thus store the sensitive data trivially scrambled on the disk. ...drumroll... It's also inconvenient since the data is bound to one computer.
  2. Writing down the passwords on post-its, in textfiles or similar. No comment.
  3. Storing all passwords in an AES-encrypted text file on my USB stick. I could never remember a 128- or 256-bit key, so I would derive it by running one of the better hash functions on my one-password-to-rule-them-all. This can be cross-platform automated using the excellent TrueCrypt tool, for instance.
  4. Storing all passwords AES-encrypted on a site. A double SHA-256 of my one-password-to-rule-them-all yields the encrypt/decrypt key. Most important of all: all hashing and crypto should happen on the client side (on my machine). I use Clipperz. Even if the Clipperz database were compromised I wouldn't worry too much (I would vote with my feet, though).
I was thinking about doing number three until I found the excellent Clipperz site (number four) and started using that instead.
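
The recipe behind options three and four, as an added example that is not code from this post, Clipperz or TrueCrypt: a Go program that derives the key with a double SHA-256 of the master password exactly as described above, then AES-256-encrypts a small password store with it and refuses to decrypt under a wrong master password. AES-GCM as the mode, the nonce-prefix layout and the function names are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// DeriveKey is the post's recipe: double SHA-256 of the master password gives a
// 32-byte AES-256 key. A fast hash is cheap to brute-force; prefer scrypt/Argon2.
func DeriveKey(master string) []byte {
	first := sha256.Sum256([]byte(master))
	key := sha256.Sum256(first[:])
	return key[:]
}

// mustGCM wraps the key in AES-256-GCM (this example's mode choice: it rejects a
// wrong key or a tampered blob). The key is always 32 bytes, so errors are bugs.
func mustGCM(master string) cipher.AEAD {
	block, err := aes.NewCipher(DeriveKey(master))
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal encrypts the password store; output is nonce || ciphertext || tag.
func Seal(master string, store []byte) ([]byte, error) {
	gcm := mustGCM(master)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, store, nil), nil
}

// Open reverses Seal; it fails on a wrong master password or a modified blob.
func Open(master string, blob []byte) ([]byte, error) {
	gcm := mustGCM(master)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```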

Keep in mind though: if you opt for number three or four and lose your one-password-to-rule-them-all, then you're smoked! You need to remember it. You should also make darn sure that you don't write it down anywhere, in any form. It must be reasonably strong; see above.

Bottom line: My password hygiene is now so much better than before it's not even funny. I have to remember exactly one password. I have no idea what the password for my WordPress instance on this site is. To write this article I first opened Clipperz compact in the Firefox sidebar. I entered my username and one-password-to-rule-them-all. A couple of seconds later (after all the client-side JavaScript crypto operations were done) I just clicked the "Fancy blog" link, bam, logged in!

I can access and add passwords from any internet-connected, JavaScript-enabled browser. I periodically download an offline copy from Clipperz (it's really more of a JavaScript application than a site) to be safe should Clipperz ever go down.

Are you feeling guilty? Raise your hand and repeat after me. "I am a password sinner." Now go do something about it. Being lazy and/or having bad memory are no excuses anymore. The one-password-to-rule-them-all method might just be the silver bullet you have been waiting for.

One Password to rule them all, One Password to find them,
One Password to bring them all and in the darkness bind them

6 comments:

Marco Barulli said...

Hi Olov,
thanks for your kind words about Clipperz. You made my day!

We will soon add more features to make Clipperz even more useful for your everyday life.

best regards,
Marco
Clipperz co-founder

David Szpunar said...

Ironically, your post about Clipperz comes very close in time to mine about PassPack, a similar and competing (friendly competition, so far) service. They do almost the same thing from slightly different angles. I like your review and the rundown of why you should even use a password storage site rather than one password everywhere (or a store limited to one computer). I jumped right in with my PassPack review but I like the way you approached it. I was looking around Technorati for different articles about both PassPack and Clipperz and ran into yours; nicely done!

Olov Lassus said...

Marco - thanks for stopping by and keep up the good work with Clipperz.

David - good article on your site as well. I did make an active choice between the two. My main reason for choosing Clipperz was because I wanted a fast and secure quick-login feature (Clipperz compact, PassPack bookmarklet) and only Clipperz fulfills that of the two. Mind you, I'm lazy. The PassPack bookmarklet is flawed security-wise in my opinion, since it sends the username and password in cleartext (over an SSL connection) to the PassPack server - killing the whole idea of AES encrypting them from the beginning. You can read more about this in the PassPack authors' own words.

Anyways, I expect many typical web users to have as bad password hygiene as I had, and in that case it doesn't matter too much which tool they use. I use Clipperz because I think it's technically better and also because I like the explicit openness on all their JS crypto code. For many users any of them will do.

If any of them would open up (as in put the code under an OSS license) both their server and client side code I'd switch to that and perhaps contribute a patch or two. I'd love to be able to set up my own hosted version of Clipperz. Look at the popular WordPress blog software and MediaWiki (the wiki software used at Wikipedia) for example. Marco, are you listening? :-)

Tara Kelly (PassPack) said...

The comment you linked to was part of a discussion that was had during the first phases of the auto-login testing (when that post was originally published). I updated the post a few days ago, but it didn't occur to me to delete the comments as well. Sorry about that, they were misleading and I've deleted them now.

So, just to confirm: With PassPack's auto-login your data *never* travels in clear text, all encryption and decryption happens in your browser, and not even PassPack staff is able to read the data passed through to the auto-login tool.

Here's how it works.

Again, my apologies for the confusion. Let me know if you have any questions.
Cheers,
Tara

Olov Lassus said...

Tara,
thanks for chiming in!
I read your explanation and things are indeed better than they were at the time you wrote the comment which I referred to. One question: A "mini-encrypted pack" is transferred. What's mini about it, the pack or the encryption - i.e. does it still use 256-bit AES?

The promise about a contribution of a patch or two would of course apply to you as well! :)

Tara Kelly (PassPack) said...

Hi,
Yup, the encryption is AES-256, it's the pack that's mini (it only holds the one set of username/password that you're going to login to)... which I suppose should be written as "encrypted mini-pack". :)

Thanks for pre-volunteering your time. Very cool.
Cheers,
Tara
