
Enforcing Different Passwords for Different Sites - zohaibr
http://diegobasch.com/enforcing-different-passwords-for-different-sites
======
georgemcbay
"Now, one fine day somecrappysite.com gets hacked. The next time you visit,
the web page has malicious code that sends your password in plaintext to
someone. There go your Paypal funds, your Facebook account, your online life."

What an optimist! somecrappysite.com was probably storing your password in
plaintext to begin with and it probably got pulled from the database long
before you logged in again.

Having said that, this is an absolutely terrible solution for real-world usage
because it inhibits people who are already security savvy from using better
solutions like Stanford pwdhash or similar methods.

~~~
diego
Right, but those people are the one percent. How do we help the vast majority?

~~~
georgemcbay
Other than education and pushing them to use a secure password manager, I'm
not sure, but the solution shouldn't involve breaking existing and secure
systems which are widely used even if only by a minority of users.

~~~
diego
"widely used by a minority" <\- you made my point.

~~~
georgemcbay
Not really.

The proposed solution adds little to no real world security (see my other post
about how easy it would be to guess which part is the random one which makes
this system not useful unless almost all sites use it, which will never
happen). Given little to no real world security gain from the described
system, it certainly isn't worth breaking an existing system that works just
fine and securely even if for just a minority of people.

------
sporksmith
I agree this is a major issue, and in fact was specifically covered in an
earlier xkcd (<http://xkcd.com/792/>) than the one cited
(<http://xkcd.com/936/>).

It might be a good idea to enforce non-password reuse, but the proposed
solutions seem fairly aggravating. In particular the 'webmaster' solution of
requiring inclusion of a fixed string is extremely annoying (oops, sorry users
who use cryptographically derived passwords (<http://passwordmaker.org/)>),
and doesn't solve the problem since someone with your "main" password can
probably guess the "derived" password (e.g., the main password with the
mandatory substring appended to the end).

My solution as a user is to just use a password manager. I use
clipperz(<http://clipperz.com/>), but there's plenty others out there.

* Edited to remove markdown-style links. Forgot it wasn't supported here.

~~~
diego
The point is that the mandatory substring is random and unique to you. The
problem with using a password manager is that it implies that you're already
savvy enough about the issue. Most people have no idea such thing exists. How
could you enforce the usage of a password manager?

~~~
dohko
Well.. why not do it half client-side and half in the cloud? For example, why
not build an pwd-management application which sits in the cloud.

Have the application store in a secureDB in the cloud your encrypted list of
passwords. These would be encrypted with a master pwd stored in the local pwd
repository of your (mobile) browser.

The idea would be to have the browser do all the leg work for you and have the
pwd management service available form anywhere.

The browser would automatically generate a new complex pwd for each new
website you subscribe to, then encrypt it and send it over to the pwd mgmt app
in the cloud. When you authenticate to the website, the browser queries the
pwd mgmt app for the pwd of the site. The app sends it to the client.

In this whole process the whole encryption/decrpytion happens locally, thus
limiting the attack surface. It would be easy to use and overall seamlessly
integrated with any device you own that has access to the internet.

~~~
sporksmith
That's exactly what Clipperz does :).

The main weak point is there's no way for the user to know if the javascript
they're downloading is the correct Clipperz javascript, or a trojan'd version
that will send my master password and decrypted database off somewhere. So,
pretty much all is still lost if someone is able to break into Clipperz and
modify the javascript without being noticed for a while.

A possible solution to _that_ is to implement a browser extension to hash the
javascript (and perhaps display it as a visual hash) so the user can at least
easily check whether it's changed. This has been on my "possible side-project"
list for a while...

------
tgrass
Dear god, please let me have the freedom to determine what degree of security
I need on a site.

If you restrict my password options in anyway I will use your site less.

------
tgrass
I have an algorithm for creating unique passwords.

Here is the result for HackerNews: kcahu3602122@#)*

here for Facebook: ecafu3602122@#)^

(I can create them practically in my sleep. The algorithm is personal and
easy)

To determine the algorithm, one would need plain text from two sites and be
able to match them. Now, everytime a site limits my freedom to creating the
password I want (assuming I can't provide my own security - by demanding a
capital, a number, a this a that) I default to the same password. If they get
one site with my simple pass, they get all the sites on which I use it.

When you put constraints on my password creation, you make my online life MORE
insecure, not less.

Free my password. Don't tell me what I can and can't do. Offer a full page of
help describing to those who don't care what they should do. But don't force
them.

------
wulczer
I recommend that everyone who read this contemplates this:
<http://news.ycombinator.com/item?id=3889435> (AKA the voice of reason)

------
joeguilmette
I am the only person I know who uses a unique, memorable and strong password
for every site I use. I store all of them in my head.

I have a base password and I add the first several characters of the site to
the middle.

For example:

Facebook - sdfb231a2

Hacker News - sdyc231a2

Yahoo - sdya231a2

For strong passwords I can add a suffix to further strengthen the password.

PayPal - sdpa231a2a4

I use the same suffix for all "strong" passwords. If a site requires a capital
letter I always capitalize the first letter.

I've gone to create an account with a site, been told I already have an
account and I get the password in 1 guess because I'm so consistent with
creating them.

I don't know why everyone doesn't do this.

~~~
jasonkester
What do you do when you log in to your bank and they tell you that your
password has expired and that you need to create a new unique 6-8 character
password with exactly one capital letter and one number but no special
characters? And that it can't contain any part of any of your old passwords?

I guess the same thing you'd do if you ran across a site with this well
intentioned but terrible idea: write it down or email it to yourself.

The only sane thing you can do as a developer is let users chose any password
they like, regardless of how insecure you think it is. Store it correctly and
that's the end of your involvement. Let your users do what they want, or
you'll just make things worse.

~~~
joeguilmette
I have a standard set of characters that I add to passwords. So far Craigslist
has been the only site to really throw me for a loop. I try to be consistent
but I end up using 'Forgot my Password' more than I should with them.

They are the only ones.

------
jtm45
This sparked an idea for me that I think I'll implement going forward - if you
sign up with your email address and password, my server will try to login to
your email account with those credentials, and if successful, say something
like "hey, did you see that email [snippet of first email in inbox]". I feel
this might encourage the user to use a different password.

~~~
sp332
Reading someone's email without permission is a crime. Nice idea though :)

~~~
ken
Add some fine print in the user agreement, "During sign-up (only) for service
X, I hereby authorize web service X to open my inbox and read one (1) email
message, if I choose to provide my email account's password as my password for
website X."

No longer a federal crime, maybe? Probably still get an angry mob with
pitchforks outside your window.

------
cheald
Big ol' hole here: You can't identify web apps by domain. Are you going to
tell me I can't use "password123" as my password on store.foo.com and
secure.foo.com (when they both point to the same database and the same user
record)? Are you going to assume that passwords may be shared across all TLDs?
(so I can re-use passwords on multiple separate apps on the same TLD)

It's a nice idea, but in practice, it would drive you _insane_ because the web
is not a nice uniform entity where everyone plays by a pre-arranged set of
rules.

Just use LastPass and let it autogenerate passwords for you. It's stupid easy,
and super effective. LastPass will even tell you how many sites you're using
the same passwords on! (
[https://lastpass.com/index.php?securitychallenge=1&fromw...](https://lastpass.com/index.php?securitychallenge=1&fromwebsite=1&lpnorefresh=1)
)

~~~
diego
Nobody gets the point. The point is that you can't _force_ 99% of the people
to use something. What I advocate is enforcement on the part of the browser
and / or sites. If the user has the choice to be lazy, no solution works.

------
fintler
So instead of having websites that require "upper, lower, numeric and special"
characters, we'll have sites that require "randomly generated word from two
years ago that we hope you remember". It's just another constraint that will
never be standard and will be near impossible to remember.

~~~
diego
If you use a different password for every site, it's a given that you won't be
able to remember them. Storing your passwords securely is a different problem.

------
vicaya
The desire to enforce unique password across sites is understood. You might as
well advocate all browsers to implement a builtin password manager a la
LastPass and a protocol to auto-gen a password (by the site to enforce cross-
site uniqueness) to be managed by the password manager. Imagine zero password
fiddling signups!

Force a per site password policy on end users other than length is super
annoying. The worst kind are those who restrict you to use only alpha-numeric
passwords.

Down with manual password policies!

------
fluxon
Because browsers already optionally store passwords, adding the "password
same" warning would be quite a welcome feature (or add-on), for _me_ anyways
(in mobile browsers too).

I advocate the use of password managers, but they don't offer "password same"
warnings either.

My point: it's a best-practice feature _option_ which should be implemented
widely. People can turn it off if they want.

------
baak
I'm no expert, but why does this have to be done on the password level? Why
can't we just assign usernames to our own sites, and force people to login
with those? I know that's incredibly annoying for a user, but it would at
least guarantee the user credentials for your site are unique from any other
site.

~~~
PeterisP
This would mean that there are two "passwords" that I have to remember - the
userid and the actual password. Chances are, your site isn't worth it to
remember a new uid. (I counted that only 5 out of my 150 stored account
passwords are for something worth remembering anything at all.) If you are
important (say, paypal or gmail) - do two factor authentification. If you are
not - don't bother me. Even creating an account is already more effort than
most sites are worth.

~~~
MiguelHudnandez
It is equally obnoxious to generate a random string of garbage and:

* insist it's the username,

* insist it is in the password somewhere, or

* make them type the string in a third logon field

It adds friction to the process in order to solve a problem that is not "ours"
to solve.

An option with less friction would be to ask them to choose a picture from 16
candidates. The 16 candidate photos would need to be generated from the
username to avoid the ability to refresh the page and find the persistent
image. Each image could have the random characters associated with it to be
used as an addendum to the salt, or for whatever purposes on the back end
which the random characters are supposed to accomplish.

------
mudil
After Gawker was hacked (and my account with it), I have created a website
that tells average folks how to solve these issues: <http://www.passmix.com/>.
It's not a perfect solution, but it's way better than the same password for
different websites.

~~~
anonycoward
From what I've read this (and methods like it) seems to be a common way to
generate passwords. This seems to be a somewhat weak implementation though -
imagine you used this method with the same base everywhere, and 2 sites were
hacked, let's called them InLinked and Kergaw. Using the examples from
passmix.com with base 'house cat' I might end up with: 'housei!n8cat' and
'housek!e6cat'. Say I'm targeting you specifically, I look at these two
passwords, and I see that they both follow 'houseX!Y#cat' format. It's only a
moment longer before I've a good guess at how the password is constructed, and
then try it against your email. Once I've cracked your email I can just use
the forgot password feature of any other site to reset your password there.

It would be quite easy to write a script to detect the similarity with the two
passwords (9 characters in common, same positions, same length = 12).

You should never use the same password across sites, nor should you use the
same password system unless that system is secure. Assuming you can keep your
algorithm for password generation private, passing this through a one-way hash
function might then strengthen your password a bit (at least a hacker couldn't
easily visually derive your password algorithm, or that you are using one) but
this still isn't perfect.

Generally it's not a good idea to tell people how to construct passwords
unless you're an expert in cryptography. I'm not, so please don't take any of
this as advice on how to construct a password. It's advice on how not to, if
anything.

------
gms
This will never work for normal people.

For everyone else, there are programs like LastPass and 1Password that make
this easy.

------
drivebyacct2
I cry everytime I read these threads on HN. I've never seen such stubborness
than people desperately convinced that they need to be able to memorize their
passwords, or that password managers are the devil.

I'll say it again, just use a password manager. It generates random, complex
passwords. It memorizes them for you. It pre-populates forms. They are locally
encrypted and can be synced by themselves or with other tools. They can even
be protected with two factor auth.

My _mother_ uses LastPass. So can you.

~~~
diego
See all my other comments on this thread. Why does your mother use LastPass?
How did she learn about it? How about the other 99% of the people? How do you
_make_ them use LastPass?

This is not about us.

~~~
res0nat0r
> Tell the user: your password must contain the following word: “hzru”

Enforcing this kind of thing on the masses won't make for stronger passwords,
it will just have them opening up notepad.exe and saving this sites too-hard-
to-remember-because-it-has-too-many-rules password on ~/Desktop/logins.txt

~~~
diego
Now you'd have to prove that having passwords stored in a file is worse than
massive password leaks. I suspect that it isn't. People already carry laptops
with browsers that save passwords automatically. Losing your laptop already
implies a password-change-fest.

~~~
thedufer
Are you implying that browsers save passwords in cleartext? A quick search
indicates that all major browsers encrypt passwords to user accounts, and some
give the option of a master password as well.

~~~
Devilboy
They do encrypt passwords but that doesn't matter. You can still log in to
their accounts and do anything you want. And if for some reason you really do
want the actual passwords you can obtain those too, obviously they get
decrypted to send to the website you're logging in to so just capture it at
that point. Normal people don't configure master passwords.

