Website Passwords

May 6th, 2006

I was trying to log in to my old Hotmail account earlier today and had to try out several passwords before I managed to get in. The chances are I probably gave Microsoft the password for my accounts at Yahoo, at school and my linux root password before I managed to log in to Hotmail successfully.

I probably have user accounts at around 30 different websites and most people would probably have about that or perhaps a little more. It'd be totally unrealistic to expect someone to use unique passwords for all of them and to remember them all. Even the most security conscious person wouldn't be able to handle a unique password for every website.

Using the same password on multiple websites can be a security risk. When you provide your password to a website, not only are you trusting that site with the password but also the security of the site and the staff. A few years ago I signed up for a website using my regular password. What they didn't tell me was that someone actually had to manually check all sign ups and that they would see my password whilst approving my application.

A certain revision website I used once also made it really easy to steal passwords; you answer a secret question correctly and you get the password unencrypted. You don't get e-mailed and asked to provide a new one; you get told your existing password. If a hacker answered your secret question they'd have your password and if that password was then used on multiple sites, all of your accounts have been compromised. Someone can essentially take over your online identity - they could have access to your blog, e-mail accounts, instant messaging, MySpace, ebay and forums.

The browser's "Saved Passwords" feature could allow you to use unique passwords for each site without forgetting the passwords for individual sites. Using Saved Passwords can mean you only have to worry about the security of your computer rather than that of every site you register on. I've never used the "Saved Passwords" feature myself as there are several big problems with it:

  • It only works from one location and browser. I regularly have to use different computers and different browsers. I choose a complicated and different password for each site and trust Firefox to save it. When I'm surfing the web using Opera or when I'm at school, I have no way of accessing those websites as I don't know the password.
  • If the browser profile or hard drive becomes corrupted, all your passwords are lost.
  • The browser does not provide an easy way to generate a random password during the registration process.
  • The browser does not provide an easy way to change the stored password. If your password changes, you have to log out and then log in again, making sure you ask the browser to change the saved password.
  • If the URL of the site changes, there is no way to access your account and you can't find out your password (except in Firefox 1.5 but don't expect a normal user to find that feature). This could even happen if the login procedure of the website changes.

I think these are some of the problems with the "Saved Password" features in browsers.

I came across PwdHash which seems to solve some of these problems. One of the creators is Blake Ross who was one of the founders of the Firefox project. I think it's a slightly better solution, but it's still not the ultimate end-all solution to password security.
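To make the idea behind a PwdHash-style tool concrete, here is an added example (not PwdHash's real algorithm and not code from the original post): a simplified HMAC scheme that derives a different password for every site from one master password and the site's domain, so no password ever needs to be stored in a browser and a site that leaks its copy reveals nothing about the master or about other sites. The `site_key` reduction to the last two host labels is a deliberate simplification; a real tool would use a public-suffix list.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Illustrative per-site password derivation in the spirit of PwdHash.
# Assumptions: HMAC-SHA256, URL-safe base64 output, 16-character passwords.
# The master password is never sent to any site; each site only ever
# receives a value derived from the master and that site's own domain.

def site_key(url: str) -> str:
    """Reduce a URL to a stable per-site name so that every login page on
    the same site maps to the same derived password."""
    host = (urlsplit(url).hostname or url).lower()
    # Simplification: keep the last two labels. A public-suffix list is
    # needed to handle domains such as example.co.uk correctly.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def derive_password(master: str, url: str, length: int = 16) -> str:
    """HMAC-SHA256 of the site key under the master password, encoded
    into a printable password of the requested length."""
    domain = site_key(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    # urlsafe base64 yields letters, digits, '-' and '_' once padding is dropped
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]

def any_reused(master: str, urls) -> bool:
    """True if two distinct sites in the list would receive the same password."""
    derived = {site_key(u): derive_password(master, u) for u in urls}
    return len(set(derived.values())) != len(derived)

if __name__ == "__main__":
    master = "correct horse battery"  # constructed sample master password
    # Note the caveat from the post: if a site's domain changes, the derived
    # password changes too, so the old account password must be reset.
    for u in ("https://www.hotmail.com/login",
              "https://mail.yahoo.com/",
              "https://signin.ebay.com/"):
        print(u, "->", derive_password(master, u))
```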


3 Responses to “Website Passwords”

  1. Davidpk212 on 07 May 2006 at 9:28 pm

    I use Firefox’s "Saved Passwords" feature, but I don’t really need it as I only have about 5 passwords. If a hacker were to guess one, he’d have access to one fifth of my information. I could easily change ten passwords, saying I had 50.

    The chances of a hacker cracking an MD5-hashed password more than 5 characters in length with a desktop computer is extremely unlikely. The chances of a hacker having access to a link between a big ISP and a smaller ISP are low. Security is pretty much covered for mathematicians such as myself. Puts on lab coat and leaves.

  2. Khlo on 07 May 2006 at 9:44 pm

    There are plenty of other ways a password can be stolen. For example, one site could be run by a malicious user. That site doesn’t necessarily have to hash the password. Even if you see an install of phpBB or vBulletin out there, someone could have modified it to log the unhashed password or not hash it at all. Or when the website sends you your password via e-mail, that e-mail could be read over your shoulder, your boss might read it, etc.

  3. Dagur on 08 May 2006 at 10:06 am

    Many people don’t realise this but if you open

    options -> privacy -> passwords -> view saved passwords

    in firefox you can see all your saved passwords in plain text format. So if you’re going to save your passwords in firefox you should at least use the master password feature.
