Jan 08

Secure Passwords with PwdHash

Tag: security, software
Scott Wegner @ 8:21 pm

Using secure passwords is often overlooked by users because of the hassle involved with it. Generally, secure passwords need to include numbers, upper and lower case, and possibly even punctuation marks. Also, they should be reasonably long, and contain no dictionary words.

These stipulations make these passwords very hard to memorize. Also, it’s generally a good idea to have a unique password for every website or service, which makes things even harder.

Many solutions exist to help create and remember strong passwords. Some recommend creating an acronym for something that you’ll remember and inserting numbers and punctuation. This helps, but it’s still tedious to remember lots of these. There are also password managers that will create pseudo-random passwords and remember them. This goes a step further, but requires that you have access to your password manager wherever you are.

Another solution, which I am fond of, is called PwdHash. Started as a research project at Stanford, it creates a strong password that is an MD5 hash of your unique “master password” and the domain name of the site you’re creating a password for. The result is a strong, unique password for each website that is reproducible only with both parts: the master password and the domain. The convenience is that you only ever need to remember one strong “master password,” and the same hash can be regenerated every time.
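The derivation described above can be sketched as follows. This is an added example, not PwdHash's own code, and its output will not match PwdHash's: the keyed MD5 (HMAC) construction, the host-name normalisation, the punctuation set and the names `site_domain` and `site_password` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Sketch only (assumed scheme): not PwdHash's encoding, outputs will not match it.
# One character set per class the post asks a strong password to contain.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, "!#$%&*+-=?@")
MAX_LENGTH = len(CLASSES) + 22  # 22 = unpadded base64 length of a 16-byte digest


def site_domain(url_or_host: str) -> str:
    """Reduce a URL or bare host name to a lower-case host name."""
    text = url_or_host.strip()
    host = urlsplit(text).hostname if "://" in text else text
    return (host or "").lower().rstrip(".")


def site_password(master_password: str, url_or_host: str, length: int = 14) -> str:
    """Derive a reproducible per-site password from master password and domain."""
    domain = site_domain(url_or_host)
    if not master_password or not domain:
        raise ValueError("master password and domain are both required")
    if not len(CLASSES) <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {len(CLASSES)} and {MAX_LENGTH}")
    # Keying the hash with the master password keeps the two inputs separate:
    # ("ab", "c.com") and ("a", "bc.com") do not collapse to the same string.
    digest = hmac.new(master_password.encode("utf-8"),
                      domain.encode("utf-8"), hashlib.md5).digest()
    # The first four digest bytes each pick one character from one class, so
    # every result has upper case, lower case, a digit and punctuation.
    head = [cls[digest[i] % len(cls)] for i, cls in enumerate(CLASSES)]
    # The remainder is the base64 text of the digest.
    body = base64.b64encode(digest).decode("ascii").rstrip("=")
    return "".join(head) + body[: length - len(head)]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for site in ("https://www.example.com/login", "WWW.Example.com", "example.org"):
        # Same master password: same result per host, different across hosts.
        print(f"{site_domain(site):16} {site_password(master, site)}")
```

Because MD5 is fast to compute, a scheme like this is only as strong as the master password fed into it.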

What really sells PwdHash is that it has also been implemented as a Firefox extension. Once installed, you can press F2 in any password field, enter your master password, and then PwdHash will replace it with your generated strong password. Works wherever Firefox does.

To cover those instances where the Firefox extension isn’t available (on a public computer, in Internet Explorer, or in a standalone application), there is still a way to retrieve your passwords. Navigate to pwdhash.com, enter the domain and your master password and press Generate. Simple as that.

In summary, PwdHash is a good way to start using strong passwords. You only need to ever remember one password, and strong passwords are generated uniquely for each domain you visit. It is very well integrated in Firefox, and also available in situations where the extension isn’t an option.


4 Responses to “Secure Passwords with PwdHash”

  1. Kyle W says:

    One question about this service. It seems pretty good at keeping your password secure, but that also makes you completely reliant on it. Is there some kind of contingency set up by PwdHash or something the user can do to plan if (and, inevitably, when) the service goes down temporarily or permanently? Not to be too doomsdayish with this kind of thing, but if a service like this lost support a few months/years down the road, it seems like it would put you in quite the pickle trying to get all of your passwords reset on all of these sites since you don’t really know what the password is for each.

    Thoughts?

  2. Scott Wegner says:

    You raise a good point, but I wouldn’t worry too much about it for the following reasons:
    – The primary use is through a Firefox extension. That means that it’ll be around as long as Firefox is. Right now it’s listed as compatible through Firefox 2.0, but I’m sure upgrading the extension would be pretty easy.
    – The other use is through their website, which uses a simple form and some JavaScript; there’s nothing going on server-side. This means that you could easily save the files associated with the webpage and run it locally. You could probably easily write a Greasemonkey script.
    – Finally, everything has been released as open source. With the following that it has, I think somebody would probably pick it up if the software needed updating.

    But, with the “doomsdayish” outlook, it’s also worth noting that you could back up each password inside a password manager such as open-source KeePass. If anything happened, you would still have access to your stored passwords.

  3. PwdHash now Firefox 3 Compatible | automaticable says:

    [...] you have secure, domain-specific passwords generated by PwdHash? Well, the handy Firefox extension just got an update that brings support for the latest Firefox [...]

  4. Introducing: Pwdhash Sharp 0.8.4! | automaticable says:

    [...] desktop implementation of the PwdHash password-generator, written for Ubuntu.   We’ve written about PwdHash before, but if you’re not familiar: PwdHash automatically replaces the contents of [site address and [...]
