Superpass Password Hasher

This site has a rather novel approach to dealing with passwords. I see this a lot in both my personal and professional life, especially when people lose their computers. The question looms, “Did you…?”, and usually the answers aren’t very good, at least from a security standpoint.

One of the biggest things that people can (and should) do is keep an individual password for every single site they access. Most people could approach this via tools like my beloved 1Password, but this may be another approach that might also work. It uses a cryptographic staple called a hash to generate a multi-character password from a simple password, a salt (extra input that is mixed into the hash to make its output harder to guess) and the domain you are working with. It’s quite elegant in that it offsets the need to store individual passwords because it, supposedly, relies on stable domain names to provide password reproducibility. Each time you enter your simple password, as long as the domain name hasn’t changed, you should get the same hash over and over again. I still think that 1Password is the best choice for everyone, but this might be a good starting place, especially if cash is tight and you can’t swing a 1Password license.
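As an added illustration (not Superpass’s own code; the site’s actual algorithm is not shown here), a deterministic site-password scheme of the kind just described: a hypothetical `derive_site_password` stretches the simple password and salt with PBKDF2, then keys an HMAC over the domain. It goes one step beyond the text by normalizing whatever the user pastes (scheme, `www.`, port, path) down to a bare host name, since the scheme’s reproducibility depends entirely on that string being stable.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical parameters; Superpass's real choices are not published on this page.
KDF_ITERATIONS = 100_000
DEFAULT_LENGTH = 16


def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or host string to a stable, lower-case host without 'www.'.

    'https://www.Google.com/search', 'google.com:443' and 'GOOGLE.COM' all
    collapse to 'google.com', so they produce the same site password.
    """
    text = url_or_host.strip().lower()
    if "://" in text:
        host = urlsplit(text).hostname or ""
    else:
        host = text.split("/")[0].split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, salt: str, site: str,
                         length: int = DEFAULT_LENGTH) -> str:
    """Deterministically derive one site's password from (master, salt, domain)."""
    domain = normalize_domain(site)
    # Slow key derivation from the simple password and salt: if one derived
    # site password leaks, guessing the master password costs an attacker
    # KDF_ITERATIONS hashes per guess rather than one.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              salt.encode("utf-8"), KDF_ITERATIONS, dklen=32)
    # Per-site output: HMAC keyed by the stretched secret over the domain.
    digest = hmac.new(key, domain.encode("utf-8"), hashlib.sha256).digest()
    # 32 bytes -> 43 printable characters; keep the first `length` of them.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed sample inputs; same master/salt, three spellings of one site.
    for site in ("google.com", "https://www.google.com/search?q=x", "GOOGLE.COM:443"):
        print(f"{site:40} -> {derive_site_password('hunter2', 'pepper', site)}")
    print("apple.com" + " " * 31, "->", derive_site_password("hunter2", "pepper", "apple.com"))
```

Because the output is a pure function of master, salt and domain, a site whose password is compromised (as with the Trapster case below) cannot be rotated without changing the salt or master used for that site, which is the main operational trade-off against a stored-vault tool.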

UPDATE: After trying this out I discovered that it only really works well on plain sites like Google.com. If you go to any other sites, like Apple or nytimes.com, the code breaks down on Safari. I couldn’t get it to even work on Firefox 13 on the Mac, so perhaps this isn’t as robust as I had hoped. The idea is still good, however. For what it’s worth.

Robin Hood's Barn

Yesterday I attended a meeting with other like-minded individuals and this merry band of people got to discussing password management. There are a lot of different (and all equally valid) ways of managing your passwords and as I listened to some of these people describe their solutions it struck me, again, just how good I really do have it. I have to admit that once I switched over to 1Password and integrated it with Dropbox I’ve been spoiled rotten. The solution is such a perfect match that I stopped thinking about password management altogether, freeing me to concentrate on other things.

Then I heard about some of the things that my work peers have elected to do. One of them manages it with a password-protected Excel spreadsheet and then uses Sysinternals’ SDELETE program to securely delete the file after he’s done using it. I sat there, stunned, as I followed his description of the procedure that he has to follow, grinning on the inside as others around the table brought up a series of criticisms of his procedure and pointed out pitfalls and the like. I sat back marvelling at 1Password, how I didn’t have to worry about any of this, and I discovered in that moment a hidden value to 1Password that just reinforces the perception of value that product has for me – I don’t have to think about this stuff anymore! It saves me time, brainpower, and attention span. Just for that I couldn’t imagine not having 1Password in my digital life.

All through this meeting I heard comments peppered throughout that all had to do with a paranoid fear of security loss by taking advantage of cloud services. This isn’t the first time I’ve come across this; it was the central axis that featured prominently in my Webmail Plus v. Google argument that I so spectacularly lost so many moons ago. People fear the cloud. They fear what these companies will do with the data once it’s entrusted to their care. This has always mystified me and left me speechless. Now, don’t get me wrong here, I’m not saying that it’s wise to simply put 50,000 Social Security Numbers in a plaintext file and send them right up to Dropbox; hell, I wouldn’t do that with the Amazon S3 service or any other provider for that matter. But what I would do (and perhaps this is what boggles my mind, that people don’t already do this) is encrypt the data using AES. With the data in this format, even if the file security is compromised, without the password what they have is just as good as noise.

This is where 1Password is great: the central database file is encrypted using AES, so I can put it up on Dropbox and then access it from every device I use that can reach the Dropbox service! This has saved me innumerable hours and a world full of worry. Even if one site is compromised I don’t have to worry, because each site has its own unique 16-character random password assigned to it and managed through 1Password. I don’t even care if a site forces me to regularly change my password, because every new password will be a random 16-character entry from the password generator that is already in 1Password. I can’t express how much time, energy, and attention span I’ve been able to save by using this product. When something like 1Password is built, and built well, I can’t help but rave about it. Everyone should be using this software; it would make everyone so much more secure.

1Password Bug

I ran into this little nasty earlier today. First to set the scene:

  • Mac OSX 10.6.6
  • 1Password Version 3.5.3 (build 30812)

I got an email from Trapster.com informing me that my account may have been compromised. Since I started using 1Password I’ve been making unique 16-character passwords for each individual site, so if a hacker gets my password for one site, he may own that, but nothing else. So I opened up 1Password, and the highlighted entry was a different item. I went to the search field, typed in “trap” and found the entry for Trapster. I edited it, clicked on the password generator and made a new 16-character password. I clicked the “copy” button in the Password Generator dialog box, and 1Password decided to replace the password for the previously highlighted item with the generated password that I meant to go into Trapster’s entry. I did this three times just to make sure I wasn’t losing my marbles.

The way around this is to not use the search feature at all. If you browse and highlight the Trapster entry and put in a new password that way, everything is fine.

I just thought I would blog about this to help anyone who might have run into this bug on their own, it isn’t your mind, it’s the program. I’ve forwarded the bug report to the people who write 1Password, we’ll see what response we get.