Consolidating Passwords
I’ve never been the best about IT security. Part of the reason is that in all the years I’ve been working or playing with computers (over 20 years total, but about 15 years on a PC, 12 or 13 years on a Windows PC starting with Windows 3.0), I’ve seldom had any issues. I may have had a virus once, but it didn’t do any damage and was eliminated with a virus checker. But for years I ran no virus protection. Spyware is much more insidious, and so I’ve run spyware checkers for a while. When it comes to passwords, I’m really lazy. I know the ideal thing to do is to have a unique username and password, or at least a unique password, for every site you go to. But who wants to write all these down, let alone remember them? If you put them in a file on your computer, then you risk losing it, or someone getting access to the file. So like most people I’ve generally kept things simple and had a few variations on usernames and a few passwords, so that I can usually guess the right one within a reasonable amount of time.
Luckily, within the last few days I heard Todd Cochrane mention something on one of his Geek News Central podcasts about a password management “bookmarklet.” I didn’t quite understand what it was, but Todd suggested it was a way to have unique passwords by just remembering one master password.
So I followed his link and found that this was indeed the answer to that kind of uneasy feeling I’ve had for a while that my way of dealing with passwords was really vulnerable. Basically, this guy Nick Wolfe created a JavaScript that uses a standard cryptographic hash function, MD5, to generate a password by combining your own “master password” and the site’s domain name. So all you have to remember is your master password.
The “bookmarklet” is something that you link as a bookmark in your browser, possibly on a links toolbar for easy access. When you go to a given site, you click on this bookmarklet, enter your master password, and it automatically fills in your password (you need to be on the login page for it to do this, of course). Of course, before you get to this stage, you need to create the password. You can do this by going to the form that Nick has provided. However, while the form doesn’t save the information that you’re typing to some database, this is always a possibility, and even if you trust the site, unless it is encrypted via SSL (the URL would be https instead of http and you would see an icon of a closed lock in your browser), there’s always the possibility that someone could intercept those bytes along the way and discover your master password. But because this is simply JavaScript, you can run it in any JavaScript-capable browser. It doesn’t need to be sitting on a web server; it can be sitting on your local PC. This way, using it will not need access to the internet and will not send anything outside of your PC. I’ve even tried this on my Treo 650 smartphone’s browser (Blazer), and while it took a little while to finish, it did provide me with the password needed.
There are some other people who’ve taken the script and made some changes to it that might be of value to some. For example, there’s someone who changed the encoding scheme to one that allows for a potentially more random password as well as a longer one (Nick Wolfe’s is only 8 characters long). There’s another version of the script by Chris Zarate, which actually distinguishes between subdomains. This way, for example, if you had a couple of Blogger accounts, bigtacos.blogspot.com and sushicoma.blogspot.com, you could have unique passwords for both of these. Nick Wolfe’s script doesn’t distinguish between the two, as their domain name (blogspot.com) is the same; only their subdomains differ.
There’s even a movie that gives you a quick demo of how it works if you’re still confused.
I think this is great, and I’m starting to go through all my sites to change my passwords. But there are so many! I don’t know where to start, and a lot of the sites I go to are logged in automatically via cookies, so I don’t have any recent memory of actually logging into them. I guess I’ll have to start looking through my history to jog my memory as to which sites I go to that might require passwords. As for the master password I’m using, it’s something that has a bit of meaning, but would look random enough to most people, and it includes upper and lower case letters, numbers, and punctuation. It’s not hard to think up something like this, especially when you consider that this will be the only one you’ll have to remember for a while. Just don’t use one of the passwords you have been using, because you never know if the server they were on has been hacked at some point.
My only wish would be that you could use this for things other than websites, mainly stand-alone applications or even network or system passwords. But I guess those will still need to be handled by some kind of password management application if indeed you have a bunch to keep track of.
Update: Chris Zarate just informed me that I got a bit mixed up. Apparently his version of this script actually ignores the subdomain, whereas the original script accounts for it. Somehow I’ve been using his script for months without noticing, oh well! Thanks for the clarification, Chris!
