Saturday, June 25, 2011

Web site password manager

If you're like most people, you use a bunch of different web sites, including some that handle some pretty important stuff -- like money -- but you use the same password for all of them. And it's probably not a very strong password, either.

That's a really bad idea. If one of those sites gets hacked, the attacker could get your password and then start trying other places it might work. Essentially, the security of all of your web accounts is only as strong as the weakest one.

But the reason we do that is because it's just danged hard to remember a whole bunch of different passwords. I'm hopeful that eventually OpenID will solve this problem but in the meantime I found another nice solution: Passpack.com.

It allows you to store all of your passwords in one place, and it even provides a little button you drag onto your bookmarks that automagically types the right password for each web site you visit. So, I've now gotten rid of my one password for everything and replaced it with a bunch of passwords, one for each web site I use -- and I never have to actually type any of them. I just go to, for example, "discovercard.com", then click the "Passpack it" bookmark and I'm automatically logged in. And the password is something like 3yPtdkogzh8H, which I could never remember, but don't have to. Or even something like "ò-èuÓ¿¸>8ÝAÖ" for sites that can accept the strange characters -- I don't have to type it so there's no reason to limit it to something I can type.

This *also* works from any computer that has a web browser. I do have to remember my "passpack key", which is what secures all the rest of my passwords, but as long as I know that, I can log into passpack from anywhere and then use it to log into other web sites. Do be cautious about using passpack from public computers, though... there are ways that a deeply hacked computer could extract your passwords if you unlocked them while using it.

Finally, I also had Kristanne set up a passpack.com account, and then I "shared" my passwords with her. So she can use them to log into web sites, too, so that we both have access to our bank account, credit card accounts, etc. If I ever change the password for one of them, I just update it in passpack and then when she uses it to log in she'll get the right one -- and won't even know that it changed because she never sees or types the passwords.

How all of this works is pretty complex, and very technical. Suffice it to say that it appears to be done right from a security perspective. Your passwords and your passpack key are never sent to passpack.com in "plaintext". Software running in your browser applies a salted secure cryptographic hash function to your passpack key to produce a 128-bit AES key, which is then used to encrypt your passwords. The encrypted passwords are sent to passpack.com and stored there (which is how it can work from a browser on any computer -- the encrypted copies are downloaded). Password sharing is done by generating a 1024-bit RSA key pair, which is used to exchange AES session keys so that the people you share your passwords with can use them. Actually, you can also use the sharing service as a form of highly-secure e-mail.

If the preceding paragraph is gobbledygook, just trust me. Or if you'd like to understand it, just ask sometime and I'll explain it in as much detail as you could possibly want :-)

If that paragraph isn't gobbledygook to you, and you see a bunch of possible holes, that's because I left out all of the details.
