

Why your tiered password scheme is flawed, and what to do about it. - raganwald
http://weblog.masukomi.org/2009/02/26/why-your-tiered-password-scheme-is-flawed-and-what-to-do-about-it

======
tptacek
It's kind of hard to take a security article seriously when it says that GMail
is a low-value account. GMail is your highest-value account.

Also, without claiming that password managers are a bad idea, I can
confidently say that the thing you can do that is worse than having a "tiered
password scheme" is _not_ having a "tiered password scheme". I just watched
someone in the security industry go through this:

Blog SQLI -> Blog Password -> Yahoo Mail Password -> GoDaddy Password, Bank
Password.

~~~
falava
If you are like me and you have forgotten all your passwords at some point, GMail
is where all the "this is your password" or "reset your password" emails tend to go.

An email with your password is a sign of a bad security policy. Better put a
unique password on that site. Use this to remember all those passwords:

<http://www.clipperz.com/>

And in the event of losing GMail access I download all my GMail emails to the
local client.

That said, I trust Google more than my own ISP or domain registrar; I
have lost my personal domain with my personal email address once due to their
errors in the renewal.

------
tjogin
What I do is I have an algorithm. Based on the name of the website/service and
its purpose, I can calculate what my password should be on it in my head.

This means that every account I have uses a _unique_ password composed of both
alphabetical and numerical characters.

I store each of them in my head, or re-calculate one if I forget it, but I
actually tend to just remember them; maybe because they follow an algorithm
(or rather, a set of rules), they are easier to remember.

And I'm not dependent on any software to remember my passwords.

~~~
katamole
Sounds like if I were targeting your accounts specifically, I'd have a pretty
easy time of it. As soon as I get hold of one or two of your passwords I can
work out the algorithm and then start calculating your passwords myself.

While it might be a better approach than just using the same insecure password
on every site, based on the attack suggested in this article, there isn't much
benefit from your approach.

~~~
tjogin
I don't think you could work out the algorithm, because it's not mathematical.
It's a handful of quirky, arbitrary rules.

But hey, give it a shot; here are three random passwords (calculated using a
slightly different algorithm than the one I actually use):

hotmail: 3m4m349
facebook: w45c033
aol: t41m325

Now, tell me what my Gmail password is.

~~~
jfornear
Is your hotmail password a typo? Should it be m34m349?

~~~
tjogin
Nope. But it could have been if for a different service/purpose.

------
bk
FTA:

> Many perfectly smart people I know have one strong password they use for one
> or two online banking type sites.

Unfortunately, banks are among the worst offenders when it comes to
disallowing special characters and limiting password lengths.

------
greatreorx
I started using SuperGenPass a few months ago from a recommendation here and
have been really happy with it.

<http://supergenpass.com/about/>

It's a bookmarklet so you can review the code behind it and use it on any
computer. You only have to remember your master password and it converts to a
new password for each site. Usability-wise it's usually only 1 extra click -
you put your master password into the web form's password field and the
bookmarklet writes the generated password for that site over it.

I still wouldn't use it for banking or my email, but for most other things
it's worked well.

------
psadauskas
I use KeePassX ( <http://www.keepassx.org/> ) and dropbox to keep my password
database synced across computers.

~~~
eli
Yup, I do the same. I tried PWSafe too, but I like KeePass better -- it works
on OS X and Windows.

------
cool-RR
I use a tiered password scheme, and I don't agree with this article.

I think it's too much of a bother to be using a password manager all the time.
Especially when using public computers. It's not just the effort that bothers
me. I have a feeling that doing something as extravagant as using a different
password for each service will somehow make it more probable for people to
steal your passwords.

I've been using the internet since the mid 90s, and I remember only one time
when my password was compromised. (Granted, it is possible there were more
cases that I just never found out about.) It was about 3.5 years ago, and I
logged on to ICQ in a sleazy internet cafe. Some kid had a keylogger installed
there and he later stole my ICQ account. I changed this password in all the
places I used it.

------
patio11
I have a tiered password system, so I'm interested in the advice here and
(candidly) unlikely to follow it. That being said, if you're putting email
accounts in your low-security tier, revisit that assumption. Now. It makes
every password which can be reset or recovered as secure as the least secure
site you have ever signed up with.

Think of how much fun life would be if you woke up one morning and someone had
compromised gmail, had godaddy send a password reminder, and then used your
credentials to initiate and then authorize a transfer of your business domain
to their registrar. Then a month from now you get a call: $2,000 or your site
goes dark within the next minute.

------
ROFISH
The article states that stored passwords are in the cache. I use Safari on Mac,
which stores passwords in your Keychain. It isn't deleted without your
permission, is backed up by Time Machine, and moves with a standard restore or
system migration. His suggestion of a third-party app really just needs to be
changed to better handling of stored passwords in Firefox.

And that goes without even mentioning things like OpenID or equivalents. Ideally you
just have one Very Trusted person to give a password to. (Of course OpenID has
its own share of problems.)

------
DenisM
Shameless plug: check out my "memengo wallet"
<http://www.memengo.com/?src=hackernews> - it's a password organizer for
iPhone with optional sync to, and editing from, the cloud. Client-side AES
encryption and server-side AWS S3 backups every 30 minutes.

Bottom line is that your passwords are always with you - either on your
iPhone, or (in a pinch) on any nearby PC with a web browser.

------
kragen
A few years ago, Ka-Ping Yee wrote <http://passpet.org/> with my assistance.
Unfortunately we never got it to the point of being really _released_ as such,
although the darcs repository is available. It's a variant of the
sha1(sitename + secret) approach that's been mentioned in other comments, with
some extra features to improve its strength against phishing and password-
guessing attacks.

------
finnw
@masukomi, have you tried 1passwd? I was about to buy it so if you have tried
it and found a serious flaw I'd be interested to know.

~~~
masukomi
I haven't, but one nice thing about 1Passwd is that I'm pretty sure that even
if you don't use .mac it puts your passwords on your iPhone (if you have one)
with 1Passwd Touch for use when you're away from your computer.

Overall it looks like a pretty nice app, and I like that it works across
browsers and makes it so easy to retrieve your passwords.

I really don't like the reliance on .mac for syncing between computers though.
I feel that .mac is totally overpriced.

~~~
Timothee
The good news is that you don't have to use .mac to sync: it works just fine
with Dropbox (and I don't see any reason why it wouldn't with other sync
systems).

To be honest, I don't use the iPhone app so much, mostly because I would still
have to type my primary password there and it's not convenient on the screen
keyboard. Also it uses a custom browser (or a browser element inside the app)
and not the regular Safari. That can be an issue for some sites. But I still
have it in case I need access to one of my randomly-generated passwords.

Overall I highly recommend 1Password.

------
markessien
So the flaw is that if one site is hacked, all the sites are hacked? And
because of that, people will start sending spam from my account?

That argument does not make sense. Most sites do not send things out using my
name, and those that do have very limited options for spammers. For example
flickr, or Hacker News.

~~~
philh
I use the same pseudonym for several sites, some of which have my email
address in my profile. If I was using the same password for all of them,
access to any would mean I was compromised.

I certainly wouldn't consider "they may know my password, but they'll never
guess my email address" to be reasonable security.

------
katamole
This will be considered off-topic, but I'll say it anyway: I really like the
design of that site.

