Saturday, August 11, 2007

One password to rule them all

I admit that I've had the worst web password hygiene until now. I've used more or less one password sprinkled over many sites. The number one reason this is a terrible idea is that I can't seriously trust all those sites (or their authors). Heck, it's not totally impossible that one or two sites actually store my username and password in cleartext somewhere (how horrible that would be). Imagine one of those sites being compromised. Add the fact that I'm typically olov, olov.johansson or olov.lassus on most sites. Impersonated!

The solution is to use one password per site (actually, even better is to ask for wide adoption of the OpenID identity system). All passwords should be reasonably hard to brute force or dictionary attack. I'd recommend at least ten characters, using a combination of alphanumeric characters [a-zA-Z0-9] and symbols (!"#¤%&/()=? ...). The longer and more obscure the passwords are, the better. All is well? Almost. How on earth will I remember all those passwords? I have a terrible memory, by the way. Solutions:
  1. The web browser remembering my passwords. I wouldn't dream of using this. It's way flawed. The default is to not use a master password and thus store the sensitive data trivially scrambled on the disk. ..drumroll.. It's also inconvenient since the data is bound to one computer.
  2. Writing down the passwords on post-its, in textfiles or similar. No comment.
  3. Storing all passwords in an AES encrypted text file, on my USB stick. I could never remember a 128- or 256-bit key, so I would use one of the better hash functions on my one-password-to-rule-them-all to derive it. This can be cross-platform automated using the excellent TrueCrypt tool, for instance.
  4. Storing all passwords AES encrypted on a site. A double SHA-256 on my one-password-to-rule-them-all yields the encrypt/decrypt key. Most important of all: all hashing and crypto should happen on the client side (on my machine). I use Clipperz. Even if the Clipperz database would be compromised I wouldn't worry too much (I would vote with my feet, though).
I was thinking about doing number three until I found the excellent Clipperz site (number four) and started using that instead.

Keep in mind though, if you opt for number three or four and lose your one-password-to-rule-them-all, then you're smoked! You need to remember it. You should also make darn sure that you don't write it down anywhere, in any form. It must be reasonably strong, see above.
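Below is an added example (my own code, not Clipperz's and not from the original post) that shows the key derivation item four describes, double SHA-256 on the master password, producing the 32-byte key an AES-256 cipher expects, alongside a strength check matching the recommendation above. It also adds one caveat a practitioner would want: a plain double SHA-256 is unsalted and costs an attacker only two hash computations per offline guess, so the example includes a salted, iterated PBKDF2-HMAC-SHA256 variant (an assumption on my part, not something the post or Clipperz specifies) that yields the same key size but makes each guess far more expensive. All input values are constructed for the demonstration.

```python
import hashlib
import string

# Key size in bytes for AES-256; SHA-256 conveniently produces exactly this.
AES256_KEY_BYTES = 32


def is_reasonably_strong(password: str, min_len: int = 10) -> bool:
    """Strength rule from the post: at least ten characters mixing letters,
    digits and at least one symbol (anything that is not alphanumeric)."""
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) >= min_len and has_letter and has_digit and has_symbol


def double_sha256_key(master: str) -> bytes:
    """Key derivation as item four describes: SHA-256 applied twice to the
    master password. Deterministic and unsalted, so the same master password
    always yields the same key on any client."""
    first = hashlib.sha256(master.encode("utf-8")).digest()
    return hashlib.sha256(first).digest()


def pbkdf2_key(master: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Added caveat (assumption, not the post's method): a salted, iterated
    derivation. Output is the same 32 bytes, but each offline guess now costs
    `iterations` HMAC-SHA256 computations instead of two SHA-256 calls, and
    the salt defeats precomputed tables of double-hashed common passwords."""
    return hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), salt, iterations, dklen=AES256_KEY_BYTES
    )


def guess_cost_ratio(iterations: int = 200_000) -> int:
    """How many times more work one guess costs under PBKDF2 than under
    double SHA-256 (which needs exactly two hash computations)."""
    return iterations // 2


if __name__ == "__main__":
    # Constructed sample master password; do not reuse it anywhere.
    master = "C0rrect-h0rse!battery"
    print("strong enough:", is_reasonably_strong(master))
    print("double sha256 key:", double_sha256_key(master).hex())
    # Constructed sample salt; a real client would generate it randomly once
    # and store it beside the encrypted data.
    print("pbkdf2 key:", pbkdf2_key(master, b"example-salt").hex())
    print("guess cost ratio:", guess_cost_ratio())
```

The strength check is deliberately a floor, not a guarantee: a password can pass it and still be a dictionary word with a digit and an exclamation mark bolted on, which is exactly what a cheap unsalted derivation makes easy to guess offline.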

Bottom line: My password hygiene is now so much better than before it's not even funny. I have to remember exactly one password. I have no idea what the password for my WordPress instance on this site is. To write this article I first opened Clipperz compact in the Firefox sidebar. I entered my username and one-password-to-rule-them-all. A couple of seconds later (after all client side JavaScript crypto operations were done) I just clicked the "Fancy blog" link, bam, logged in!

I can access and add passwords from any internet connected, JavaScript enabled browser. I periodically download an offline copy from Clipperz (it's really more of a JavaScript application than a site) to be safe if Clipperz should ever go down.

Are you feeling guilty? Raise your hand and repeat after me. "I am a password sinner." Now go do something about it. Being lazy and/or having bad memory are no excuses anymore. The one-password-to-rule-them-all method might just be the silver bullet you have been waiting for.

One Password to rule them all, One Password to find them,
One Password to bring them all and in the darkness bind them

Monday, August 6, 2007

Visuals and more

Did some more Ruby on Rails fiddling on the CamDB site:
  • List of all known manufacturers, linked to queries
  • Recently added/edited sort order
  • Increased precision printout (per suggestion)
  • Blog integration
  • Better visual design
  • ...and a bunch of bug fixes

Friday, August 3, 2007

CamDB and repoviews

I deployed my first Ruby on Rails hack a couple of days ago: http://camdb.fancy.se.
The CCD and pixel geometries can be calculated for any camera by adding its most wide-angle focal length, the corresponding 35mm equivalence and its native resolution. The geometry won't be fully exact if the focal length parameters aren't. You are encouraged to add and edit!
It's also an experiment in a wiki-ish database. Anyone can add, edit and delete content. So far so good, but for the future I will need to add user accounts and/or revision control.
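As an added example (my own code, not CamDB's Rails implementation), here is the sensor geometry calculation the paragraph above describes, given the three inputs it names: the widest focal length, its 35mm equivalent and the native resolution. It assumes the diagonal-based convention for crop factor (35mm frame is 36x24 mm, so the sensor diagonal is the full-frame diagonal divided by the crop factor) and takes the sensor aspect ratio from the pixel resolution; both are my assumptions, since the post does not state which convention CamDB uses.

```python
import math

# 35mm film frame dimensions, the reference for "35mm equivalent" focal lengths.
FULL_FRAME_W_MM = 36.0
FULL_FRAME_H_MM = 24.0
FULL_FRAME_DIAG_MM = math.hypot(FULL_FRAME_W_MM, FULL_FRAME_H_MM)  # about 43.27 mm


def sensor_geometry(focal_mm: float, equiv35_mm: float, width_px: int, height_px: int):
    """Return (crop_factor, sensor_width_mm, sensor_height_mm, pixel_pitch_um).

    Crop factor is the ratio of the 35mm-equivalent focal length to the real
    focal length (assumption: diagonal-based convention). The sensor diagonal
    follows from it, and the pixel count fixes the aspect ratio, so width,
    height and pixel pitch all follow. As the post notes, imprecise focal
    length inputs make the result correspondingly imprecise.
    """
    if focal_mm <= 0 or equiv35_mm <= 0 or width_px <= 0 or height_px <= 0:
        raise ValueError("all inputs must be positive")
    crop_factor = equiv35_mm / focal_mm
    sensor_diag_mm = FULL_FRAME_DIAG_MM / crop_factor
    pixel_diag = math.hypot(width_px, height_px)
    sensor_w_mm = sensor_diag_mm * width_px / pixel_diag
    sensor_h_mm = sensor_diag_mm * height_px / pixel_diag
    pixel_pitch_um = sensor_w_mm / width_px * 1000.0
    return crop_factor, sensor_w_mm, sensor_h_mm, pixel_pitch_um


if __name__ == "__main__":
    # Constructed sample camera: 7.4 mm lens equivalent to 35 mm, 4:3 sensor.
    crop, w, h, pitch = sensor_geometry(7.4, 35.0, 3264, 2448)
    print(f"crop factor {crop:.2f}, sensor {w:.2f} x {h:.2f} mm, pixel pitch {pitch:.2f} um")
```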

I've been hosting Fedora package listings (repoview based) for some time now, check out the repoview page for more info. This can also be reached from the "Pages & Links" top-menu item.

Thursday, August 2, 2007

{name: 'Olov Lassus', was: 'Olov Johansson'}

The wedding was fantastic and yesterday I got a confirmation of my family name change. Will need to update this on a multitude of places, both in real and virtual life. Personal ID and VISA prio one, I suppose. My primary private Google mail and talk has changed from olov.johansson to olov.lassus.