Password Utilities as a Single Point of Failure - nnutter
http://hashedapp.com/password-utilities-as-a-single-point-of-failure/

======
chime
I use 30+ different passwords for different purposes. I never write the actual
passwords down anywhere but instead I write the hint of the username/password
for each site. Here's a fake example:

    sitename.com: c4 - t/5r
    sitemore.com: mrc - pp:9

If someone manually digs around, they can find what the usernames 'c4' and
'mrc' stand for. However, nobody other than me knows what 't/5r' and 'pp:9'
expand to and I will never forget what they mean. Sure, it does theoretically
make it slightly easier to brute-force my passwords but if 't/5r' =
'tempest/ariel5randa' then brute-force will take forever anyway.

If the browser doesn't auto-fill the password, I just have to look up a single
list and it takes me seconds to type the password. Whenever I sign up for a new
site, I just add the username/password hint and forget about it. I've been
using this system for well over a decade and have never had any login problems
anywhere.

~~~
JoachimSchipper
Are you sure that stands up to a targeted attack? If, randomly guessing, those
are WoW accounts you now have to keep your HN, WoW and e-mail accounts
separate...

~~~
chime
Pretty sure it would stand up to a targeted attack. Here are a few of my actual
password hints:

    /-/
    **
    1m;

Feel free to log in to any of my accounts. And I do keep most types of accounts
separate. Bank password is different from credit card is different from email
is different from HN.

------
lukencode
I think for a lot of people their email password would essentially act as a
single point of failure anyway. An attacker could go through the email and use
password recovery on any services they find.

~~~
nnutter
Indeed, regardless of how you choose your passwords, email is a huge target.
It's good to see Google and Facebook trying to thwart this by adding account
activity information, etc.

~~~
lautenbach
Every few weeks I go to gmail and search the term "password" as well as some
of my more commonly used passwords and permanently delete those messages. I'm
forever annoyed when a service sends me my password via email.

------
roryokane
I had never heard of PwdHash (linked from the article,
<https://www.pwdhash.com/>) before. SuperGenPass (<http://supergenpass.com/>)
is an alternative that uses a bookmarklet rather than a browser extension.
(PwdHash links to a bookmarklet deep on its site, but nothing happened when I
tried to use it.) SuperGenPass also allows for variable password length given
the same master password, and its site is designed better. If you’re concerned
about sites interfering with the bookmarklet using malicious JavaScript, there
are unofficial browser extensions for SuperGenPass too. I don’t use any
password manager right now, but I would recommend SuperGenPass over PwdHash.

The only factor I’m unsure about is the hashing algorithm: I’m not sure
whether either SuperGenPass’s or PwdHash’s is safe. I couldn’t find what
PwdHash’s algorithm was after a quick look on its site. SuperGenPass uses
multiple iterations of MD5 – bcrypt would be a better algorithm, but I don’t
know whether repeated-MD5 is unsafe or acceptable. (The aspect of the hashing
algorithms I’m worried about is the speed at which an attacker can brute-force
the password.)
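The brute-force concern above comes down to how much work one guess of the master password costs an attacker who has recovered a single site password. The following is an added example, not code from the original thread and not SuperGenPass's or PwdHash's actual algorithm: it derives a per-site password from a master password and a domain two ways, a few MD5 rounds (a stand-in for the repeated-MD5 approach) and PBKDF2-HMAC-SHA256 with the domain as salt, and measures the per-guess cost of each. The domain normalisation rule, the iteration count and the output encoding are constructed choices for this example.

```python
import base64
import hashlib
import time


def normalize_domain(host: str) -> str:
    """Canonicalise the site name so one account always yields one password.
    Assumption for this example: lower-case and drop a leading 'www.';
    real tools use a proper registrable-domain list."""
    host = host.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def _to_password(raw: bytes, length: int) -> str:
    """Turn digest bytes into a printable password of the requested length."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


def derive_repeated_md5(master: str, site: str, rounds: int = 10, length: int = 16) -> str:
    """Fast scheme: a handful of MD5 rounds over master+domain. Cheap for the
    user, but equally cheap for an attacker guessing the master password."""
    data = (master + ":" + normalize_domain(site)).encode()
    for _ in range(rounds):
        data = hashlib.md5(data).digest()
    return _to_password(data, length)


def derive_pbkdf2(master: str, site: str, iterations: int = 200_000, length: int = 16) -> str:
    """Slow scheme: PBKDF2-HMAC-SHA256 with the domain as salt, so every guess
    of the master password costs the attacker `iterations` HMAC calls and the
    same master password still yields unrelated passwords per site."""
    salt = ("site-password:" + normalize_domain(site)).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    return _to_password(raw, length)


def seconds_per_guess(derive, master: str = "correct horse", site: str = "example.com",
                      samples: int = 3) -> float:
    """Time one derivation: this is the per-guess cost of an offline attack
    on a leaked site password (constructed inputs)."""
    start = time.perf_counter()
    for _ in range(samples):
        derive(master, site)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for name, fn in (("repeated-MD5", derive_repeated_md5), ("PBKDF2", derive_pbkdf2)):
        pw = fn("correct horse", "www.Example.com")
        print(f"{name:13s} {pw}  {seconds_per_guess(fn):.6f} s/guess")
```

The point the timing makes is the one the comment worries about: the defender pays the slow derivation once per login, the attacker pays it once per guess, and a few MD5 rounds give the attacker essentially no extra work. A memory-hard function such as scrypt or Argon2 would raise that cost further; PBKDF2 is used here because it ships in the standard library.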

~~~
baddox
I've been using PwdHash for a while now, and I'm really happy with it. Their
site lists extensions for Firefox and Chrome which work great. I'm also
unfamiliar with their actual algorithm, but there looks to be more info on
their project page.

------
ballard
If paranoia is a concern or if there are perceived risks for a master
password:

1) Use N-factor auth: fobs, authenticators, OTPs, etc.

2) N-person keying: require multiple people to enter their part of the
password known only to them.

3) Delegate lower privilege access for day-to-day usage, versus aforementioned
grand master password that is split amongst multiple people. This means
lowering the exposure of a password.

This is in addition to not using the same password anywhere else and not
having a guessable password scheme.

------
swaits
I'll once again offer my passy algorithm (with full description, and source
code). <http://news.ycombinator.com/item?id=2431480>

I've used and refined this over a number of years, and now I'm very happy with
it.

Enjoy!

~~~
throwaway32
This is very similar to a Firefox extension named Password Hasher
<http://wijjo.com/passhash/>

This is what I use to ensure I have a differing password for every site. It
also has a standalone JavaScript web page for mobility and for ensuring that
the extension not updating doesn't screw you over.

------
GrandMasterBirt
If anything the LastPass breach gave me MORE confidence in LastPass. For all
we know there was no breach. HOWEVER LastPass immediately communicated to
everyone and discovered an issue in a very paranoid way. I think this is
security I wish every site had. However, I kid myself thinking that is
possible. I'd rather that a single point of failure is LastPass vs a crappy
website that exposes a password which compromises tons of accounts and having
to change all of them even if I was notified.

Furthermore LastPass supports YubiKey so it supports two-factor auth.