The password problem Ryan 01 Dec 2005

47 comments Latest by Mark

It’s easier to keep keys in your pocket than in your head, and every new web service adds to the burden. Endless signups, login screens, and memory massages are major roadblocks to the happy, web-based future that is otherwise on schedule.

So what’s been done? And what can we do?


8500 01 Dec 05

Roboform pass2go

Looks interesting but haven’t tried it. Anyone use this system?

Matt 01 Dec 05

This is the best thing I’ve found. Pick one ‘master’ password for all your non-critical passwords and use this bookmarklet to generate a different password for each site.

Dan 01 Dec 05

Yeah, it came with an extension for Firefox. It was ok, but very intrusive during logins and sometimes it wouldn’t quite click that I already have an entry for a site.

Give it a shot, but you might have the same luck as me… you delete it because of its annoyance.

Anonymous Coward 01 Dec 05

Roboform rocks. I can’t imagine life without it now that I’ve been using it for about 6 months. And boy, I have never seen an app updated so frequently aside from virus defs. I swear they update Roboform at least once a week. I swear if I had started using it when I first got on the web it would have probably saved me 1000 hours by now…

Rachel C 01 Dec 05

Thanks for the link Matt, I’ll check it out.

On a semi-related note, I can’t stand having to sign into some MT blogs using Typekey. Sometimes there’s just too many people wanting logins.

TheMatt 01 Dec 05

I say “Bah Humbug!” and think we should all go to OPIE! Then we’d all need OPIE calculators or lists.

Of course, I am like many who write down some of my passwords and keep it in my wallet. I figure my wallet has more security than my computer, so there is no problem there.

jankowski 01 Dec 05

Suggestion I came across somewhere…

Pick one (hard to guess) password.

At each site you go to, your password is the md5sum of the site’s domain name concatenated with your global password.

This is easy in some ways and ridiculous in others. YMMV.
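The derivation jankowski describes, worked through as an added example (this is not code from the thread). It normalizes the site to a bare domain first so that a URL with `www.` or mixed case yields the same password as the plain domain; the master password and site names are constructed sample values. The second function is an addition the comment does not make: the same per-site idea built on PBKDF2 (standard-library `hashlib.pbkdf2_hmac`), with the domain as salt, so that a single leaked derived password cannot be turned into a fast offline search for the master.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample master password, not from the thread.
MASTER = "correct-horse-battery"


def normalize_domain(site: str) -> str:
    """Reduce a URL or host name to a canonical domain so that
    'https://WWW.Example.com/login' and 'example.com' derive the same password."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def md5_site_password(site: str, master: str) -> str:
    """jankowski's scheme as stated: hex MD5 of (domain + master password)."""
    return hashlib.md5((normalize_domain(site) + master).encode()).hexdigest()


def pbkdf2_site_password(site: str, master: str, rounds: int = 200_000) -> str:
    """Added variant (not from the thread): same per-site idea, but the domain
    is the PBKDF2 salt and the round count makes each guess of the master
    password expensive for anyone holding one derived password."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), normalize_domain(site).encode(), rounds
    )
    # Truncate to 32 hex characters so the result is the same length as the MD5 form.
    return dk.hex()[:32]


if __name__ == "__main__":
    for s in ("https://WWW.Example.com/login", "example.com", "ebay.com"):
        print(s, md5_site_password(s, MASTER), pbkdf2_site_password(s, MASTER))
```

Both functions return lowercase hex, so a site that insists on an uppercase letter or a symbol will reject the output as written; that is the "ridiculous in others" half of the comment.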

munkyboy 01 Dec 05

I hope to see sites utilize signed personal certs in the near future. It works for servers, it’s time to make it work the other direction.

Bret 01 Dec 05

Identity Federation is a hot topic… It works much like Passport, but without Microsoft at the center like a big spider. Instead it’s decentralized, working a bit like credit card companies.

In the future, your Internet Service Provider will be replaced by your IDentity Provider, where the IDP acts as an agent for others who are interested in verifying your identity or getting access to your personally-identifying information.

I’m guessing that Google Talk will be the first major IDP, and the first major IDF will be built on top of XMPP. (Consider logging into a website transparently with the assistance of your personal agent… When the site wants to use your PII, the agent prompts you over IM, and if you allow it, it will perform that transaction (i.e. charge a credit card, send you an e-mail) on behalf of the requestor.)

Go check out Liberty Alliance and Ping Identity (aka PingID) for some great whitepapers. Just googling “identity federation” will give you tons of interesting hits.

Wilson 01 Dec 05

Nothing real yet, but this is a great idea of what’s coming: http://identity20.com/media/OSCON2005/

Clops 01 Dec 05

Well, there are two approaches:

1) Client Solution: Store all your passwords in ONE mail box, and just keep in mind the password to that mail box
2) Web Service Solution: Scrap passwords as a whole, there is no need for them, as long as you can send “login keys” to pre-defined e-mail addresses. Some sort of “single-use hashes” to login into accounts.
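Clops’s second option, “single-use hashes” mailed to a known address, sketched as an added example that is not from the thread. The server never stores the key itself, only its SHA-256, so a copied table yields no usable links; `redeem` pops the entry, which is what makes a key single-use, and an injectable clock lets the expiry be exercised. The e-mail addresses and the 15-minute lifetime are constructed values.

```python
import hashlib
import secrets
import time

# Constructed lifetime for a mailed login key; a real deployment picks its own.
TOKEN_TTL_SECONDS = 15 * 60


class LoginKeyStore:
    """Server-side table of outstanding login keys.

    Keys are stored by SHA-256 of the key, so the table alone cannot be
    turned into working login links.  Each key is consumed on first use.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for tests
        self._pending = {}             # sha256(key) -> (email, expires_at)

    @staticmethod
    def _fingerprint(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def _prune(self) -> None:
        now = self._clock()
        for fp in [fp for fp, (_, exp) in self._pending.items() if exp < now]:
            del self._pending[fp]

    def issue(self, email: str) -> str:
        """Create a fresh random key for `email`; the return value is what
        goes into the mailed link, and it is not kept anywhere in clear."""
        self._prune()
        key = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(key)] = (
            email.strip().lower(),
            self._clock() + TOKEN_TTL_SECONDS,
        )
        return key

    def redeem(self, key: str):
        """Return the e-mail the key was issued for, or None if the key is
        unknown, already used, or expired.  pop() makes it single-use."""
        entry = self._pending.pop(self._fingerprint(key), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email

    def pending_count(self) -> int:
        self._prune()
        return len(self._pending)


def login_link(base_url: str, key: str) -> str:
    """Build the URL that would be mailed; base_url is a constructed value."""
    return f"{base_url.rstrip('/')}/login?key={key}"


if __name__ == "__main__":
    store = LoginKeyStore()
    k = store.issue("Alice@example.com")
    print(login_link("https://app.example.invalid", k))
    print("first redeem :", store.redeem(k))
    print("second redeem:", store.redeem(k))
```

The key goes only in the link, the fingerprint only in the table, and the redeem path treats "unknown", "used" and "expired" identically so a caller cannot tell which case it hit.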

kev 01 Dec 05

munkyboy beat me to the punch (PingID was a client of mine in 2002 when they had just an idea and 2 dudes. They’re huge now.) The problem with federated identity and single sign-on is that they work best in internal environments (like when you work for a company that gets purchased by another company and now you have 8 internal systems to log into for different things) but are hard to sell to the web at large.

Jim Gaynor 01 Dec 05

It doesn’t get anywhere near the play that it used to, but MacOS X’s Keychain still seems to do a damn good job at storing all those passwords…

Ryan 01 Dec 05

Apple’s Keychain application is pretty good.

For the web-apps and pretty much most of all the other apps I use, it records the passwords in there. If I need to find out what the password is I can go into Keychain, authenticate and copy the password to clipboard.

Does me just fine. :D

Ben Wong 01 Dec 05

I use Keychain on my iBook and Password Safe on my PC.

Anthony Brown 01 Dec 05

I also use Apple’s keychain. Every time I go into keychain, I’m blown away by how many passwords (most of them are different) that I have for various websites and other apps!

Brendan 01 Dec 05

Rather than relying on a piece of an OS or 3rd party software or a web browser extension/stored login, why not just create a username/password combination which you can use on each and every website you visit? Perhaps a more robust password for those sites that contain sensitive financial or personal information.

Seems simple enough and I’ve yet to find a major drawback.

AJ 01 Dec 05

Yes, Keychain is nice, especially for those sites that I have to make up a weird password for (i.e. 1+ letter, 1+ number, one letter uppercase, one lowercase, etc.) What I really hate are applications (that I basically must use, like college applications), that restrict the maximum length of a password (some are still 6-8 characters). When I can login and see my SSN and other sensitive information, it bothers me that the login is relatively simple, especially since I usually use passwords at least twice that length (12-16 characters).

fakeGeek 01 Dec 05

Has anybody tried Password Safe from Bruce Schneier?
www.schneier.com/passsafe.html
Rock Solid :)

Al 01 Dec 05

It’s obvious: use fewer passwords!

We seem to have to create login passwords at almost every site for every service; quite frankly many are overkill. We should adopt a more transparent and sharing attitude rather than working against the natural grain of the web.

PS there are a couple of sites I would keep a password/cert for e.g. my bank, although on second thoughts you can help yourself to my overdraft ;)

regards
Al

Alex Aguilar 01 Dec 05

Wilson
thanks for the link to that Identity 2.0 pitch.
Gotta love the ‘Lessig’ presentation style

Brandon 01 Dec 05

I just use Firefox to remember passwords. I set a good master password and just enter it at the beginning of each session and FF remembers all my login passwords.

manuel 01 Dec 05

people, you remember pen and paper?
just write them down and lock them away.
hackers usually don’t break into houses.

if you think it would be worth breaking in: buy a safe.

Darrel 01 Dec 05

I use a piece of paper and write them down.

Ernie Oporto 01 Dec 05


First start by thinking in passphrases rather than passwords. Use non-alphanumeric characters mixed with lower and upper case characters and numbers. In _some_ places replace i with 1, S with 5, E with 3 and so on. For example, “My dog is really stupid lately” becomes !Md1r5L?

Pick three passwords:

1) One for forums and minor websites you participate in. Basically a throw-away in case you forget it…it’s not as important. This could be in use in hundreds of places.
2) One for your major personal things like email and escrows. These are not synced, but if you change it in one place, change it in all. This should not be more than a dozen.
3) Another for work. This should be in use in very few places. If syncing is done correctly you only need to change it in one place.

You can rotate these once a year by taking one of the non-alphanumeric symbols from the top row of the keyboard and shifting to the next one to the right, looping back to the ~ after you get to +. Think of it as spring cleaning.

Vishi 01 Dec 05

I need a password service which stores all my passwords and a firefox extension fills them for me automatically when I go to a site needing a password.

By the way that service should not have my real passwords.

Nolan Eakins 02 Dec 05

I already saw Password Safe listed, and it’s worth it. I started using different passwords on every site with, and had to create my own version, MyPasswordSafe (http://www.semanticgap.com/myps/), when I got out of Windows.

Passwords do need to go the way of the dodo. CACert.org uses your cert to login which is kind of nice. The browser could be a little kinder, as would a smart card to carry around with my keys.

Jabber also got mentioned above too. You could send a message to verify someone’s identity. Mix in keys and smartcards again and you can get into Jabber without a password and have all your messages signed.

The road is visible. It just needs to be paved.

Simon Willison 02 Dec 05

OpenID is simply brilliant. It doesn’t try to solve the whole problem (identity information etc) but it /does/ solve the authentication problem - you can build the rest on top. Check it out.

Nathan 02 Dec 05

I don’t think it has been mentioned yet, but while using Keychain on Mac OS X it actually will help you make a password. I have mine set to make rememberable ones at 12 characters. This is pretty useful. Just name it appropriately, have it make a password. Copy it. Paste it.

Brian 02 Dec 05

I had used a password program at one time and then I had to doosh my box so I lost it all. Now I am with the Index Card and Pencil method.

brad 02 Dec 05

Hey, look at that, for once in my life I was ahead of the times. SVN, September 2003

onepassword.com 02 Dec 05

A simple but effective solution…

Robert Tolmach 04 Dec 05

You don’t need to remember 100 passwords if you have 1 ruleset for generating them.

For instance, start with the same few letters each time, plus something generated by the name of the site, itself. For instance, you might use the last consonant PLUS the last vowel PLUS the first two consonants. So if you always start with pdq, then your password for Yahoo would be PDQHOYH, and your password for SalesForce would be PDQCESL.

Easy to remember, hard to guess. Of course, there are a million variations, and you can make it even harder (the letter after the first consonant, etc.), just so long as you remember the rule.
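Robert Tolmach’s rule, implemented as an added example that is not from the thread, and checked against the two values he gives (Yahoo becomes PDQHOYH, SalesForce becomes PDQCESL). Vowels are taken to be a, e, i, o, u, so y counts as a consonant, which is what his Yahoo result requires. The small `Policy` checker is an addition: it shows which site rules a rule-generated password can fail, since this one produces seven letters and no digit or symbol.

```python
import re
from dataclasses import dataclass

VOWELS = set("aeiou")


def letters_only(name: str) -> str:
    """Keep only letters, lowercased, so 'Sales Force' and 'salesforce' agree."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def tolmach_password(site_name: str, prefix: str = "pdq") -> str:
    """Fixed prefix + last consonant + last vowel + first two consonants of
    the site name, uppercased.  Raises if the name cannot supply the letters."""
    s = letters_only(site_name)
    consonants = [c for c in s if c not in VOWELS]
    vowels = [c for c in s if c in VOWELS]
    if len(consonants) < 2 or not vowels:
        raise ValueError(f"rule needs two consonants and a vowel: {site_name!r}")
    derived = consonants[-1] + vowels[-1] + consonants[0] + consonants[1]
    return (prefix + derived).upper()


@dataclass(frozen=True)
class Policy:
    """A site's password rules (constructed example fields)."""
    min_len: int = 8
    max_len: int = 64
    need_digit: bool = False
    need_symbol: bool = False
    need_mixed_case: bool = False


def policy_violations(password: str, policy: Policy) -> list:
    """Return the list of rules `password` breaks; empty means it is accepted."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if len(password) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    if policy.need_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.need_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if policy.need_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        problems.append("not mixed case")
    return problems


if __name__ == "__main__":
    for site in ("Yahoo", "SalesForce"):
        pw = tolmach_password(site)
        print(site, pw, policy_violations(pw, Policy(min_len=8, need_digit=True)))
```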

Jeremy 05 Dec 05

The problem I see with password generation rules is that there are so many different password requirement variations. Many sites require different things in a password: at least one number, no numbers, alphas-only, sometimes > 5 chars, sometimes

Jeremy 05 Dec 05

(hmmm… above post got cut off)

David E. 06 Dec 05

I agree with Jeremy. Sites often have overly restrictive requirements for passwords. If you can’t steal from me or seriously invade my privacy on a site, I should be able to use “dog” as a password.

My big pet peeve is sites that won’t accept @ in the login. It usually means I’m not coming back.

bzikofski 08 Dec 05

my friend recommended me this method and i’ve been using it ever since:

i assume using the same username (or a set of usernames, which you will probably remember because they’re kinda “personal”)

first i’ve come up with my master password - for this example let it be “mAster_Pass!”.

now for every service i sign up, i add a prefix or a suffix to my master password, which, the prefix or the suffix, is related to the site name, for example the first letters of the words that create the company name (microsoft => ms).

let’s say i’m signing up for eBay.com, so my password would be “e#mAster_Pass!” - i added the prefix to my master password, separated the prefix with the “#” and there you go - you got your password!

another example: istockphoto.com - “isp#mAster_Pass!”
and so on, and so on..

there are endless possibilities, uppercase, lowercase, separate with any symbol, etc. and the method is easy to remember.

you actually remember the METHOD not the PASSWORD itself, which practically means that you can remember an UNLIMITED number of passwords.

cheers !!!

bzikofski 08 Dec 05

aha didn’t read the comment above.
anyway this is the best method.

Vitaliy 08 Dec 05

Use Roboform, the best passwords remember.
Find it with google.

Robert Tolmach 11 Dec 05

Jeremy,
As to your concern that “there are so many different password requirement variations”:
I use a rule that generates an 8-digit password, which includes letters and numbers. I’ve used it perhaps a hundred times or so and have had only one site where it didn’t work (they stupidly limited passwords to 5 digits).

Mark 19 Feb 06

Take a look: http://www.mykeybox.com
Seems somebody is already working on this.
Left my email address to try their beta.