Before I begin to write about what the title implies, a clarification is in place. Why I haven’t blogged for so long. It has been months since I wrote anything. I do not like it, but the truth is I was extremely busy. Family, start up company, regular job, occasional projects and trying to study for an MA degree really dried up all my free time. Actually I had no time left for anything else. So blog had to wait. I have a lot to blog about, so I promise I will make up for this with a series of posts on different topics.
Ok enough about this, lets get to the topic at hand. Internet is today something we almost cannot live without anymore. Informations, social networks, blogs, software etc…, it has a lot to offer. So we spend a lot of our time on the Internet doing various activities. And among those is also creating accounts and identities for ourselves. And because, most of the time this activities are of private nature, we need to protect them, lock the doors, or in case of Internet, protect them with passwords. Your mail account, facebook account, twitter account, online backups, forums, blogs etc.. they are all protected with passwords. They all contain more or less vital information, that you do not want to share with the rest of the world.
That is exactly what Jeff Atwood blogged about in his last post The Dirty Truth About Web Passwords. He showed, what can happen if a large site like Gawker Media is compromised. They got owned completely and the attackers got hold on a large database of hashes. And because the site used a week encryption and people used week passwords, the attackers easily got hold of the real user passwords. And naturally most of the users used the same password for most of their sites. You just try Gmail for example. It is a high probability that a person will have an account there. (or Facebook) You can even make automated boots to scan most popular sites. Jeff offered (and propagates) OpenID as an alternative so you only use your password on one single spot and then authenticate through that trusted source. Well I see OpenID as a good alternative ,but there are better solutions out there, so I do not agree with Jeff on this one. What is wrong with OpenID?
- You still leave you password somewhere (we can call it master password because it controls your logons).
- If this single place is compromised (and it is possible of course) all of your sites and accounts are also compromised.
- It is not so easy to use, that every grandma will use it. It is ok for technical people out there. But this is not enough.
- It redirects you from the current page in most cases and is hence a distraction and not a natural way to do authentication.
- A lot of sites do not support OpenID.
We have quite a few drawbacks. The question that arises is, can we do better that OpenID. And the answer, as you probably guessed, is yes we can. The best protection is to have a unique and strong password for each site you log on to. Ok that is a perfect scenario, if one site is compromised, the others are in no danger at all. But how do you remember all those passwords (and strong ones please). You could have a local evidence on your computer or let the browser remember them for you. But all such solutions are far, far from perfect, or even acceptable.
That is why this ingenious solution exists. It is called SuperGenPass. What it does is very simple, yet very powerful, like most good solutions. It takes you master password and the URL of a site you are trying to logon to and creates a unique salted hash for that site (if you have a master password “grandma” and you want to logon to google, it makes a hash from something like “grandma:google”). The hash is a strong password and can be very long, so it is very, very hard to brake (almost impossible). And the best thing is ,you don’t need to remember the password. You can regenerate it every time you need it. And that is exactly what SuperGenPass does. It makes this process very simple for the user. You don’t have to store your master password anywhere. Just make sure that the master password is strong enough.
Is this to good to be true. No not really, it is a real thing. The only possible weakness is that because the solution works as a script that manipulates DOM of the page, a malicious script can be written to capture your master password, while you type it in on some untrusted site. But this can be avoided in several ways.
- Use the mobile standalone version of the SuperGenPass to avoid this
- Do not type master password on the sites you do not trust
- Use browser plugin that locally encapsulates the SuperGenPass. One such plugin for Chrome exists.
- Use NoScript plugin for Firefox
The NoScript is another gem out there. It basically prevents execution of all scripting content on every page and notifies you about blocked scripts. Then you can confirm the sites you trust with a single click and allow the scripts to execute. The NoScript then remembers that sites. Not a lot of extra work for a big increase in security. The number of possible browser attacks this prevents is huge. This way your master password cannot be stolen on sites you do not trust.
So think again on how you manage your passwords on the Internet and consider my suggestion as a possible solution to the problem. I am also open for discussion, on even better solutions if they exists. Act now and do not be sorry later.