June 08, 2007


Tara (PassPack)

The masterpass + prefix method that you described is fairly common. While it's a little better than using the same password everywhere, it's not nearly as secure as you might think.

Here's a scenario that might illustrate why:

- Let's assume your master pass is XYZ86 and you then add a suffix to that for each domain. You'd have fliXYZ86 (flickr), amaXYZ86 (amazon), forXYZ86 (forum) and gmaXYZ86 (gmail).

- If, for example, the forum login isn't HTTPS, then a hacker can read your password as it travels from your browser to the forum's server.

- Now let's assume that the same happens for flickr. Now the hacker has a dictionary on you. He knows you use three letters + XYZ86 as your password on various sites.

- With this information he'll attempt to login to your gmail account with this formula.

- How many sites have you signed up for with that gmail account?

- The next step is to go to any variety of banks or services, insert your gmail and click the "I forgot my password" link.

- With any luck, he'll get a hit, and some site will send your password to your gmail account - which he now has access to.

- He's in.

This is a very simplified version of what can happen, but it should give you an idea of how password re-use and simple formulas can be bad news. The only remedy (alas) is to use a unique, random password for every single website and service. That's why you need a password manager.

Disclosure: I run an online password manager called PassPack. So I'm an interested party. But regardless of which product you ultimately pick, you really should choose, and use, a password manager.

If you would like to try PassPack, I've written a getting started guide on the company blog: http://passpack.wordpress.com/passpack-getting-started/

PassPack is a free service.

PassPack Founding Partner
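The inference step in the scenario above (two sniffed passwords, one recovered formula, one guessed gmail password) is mechanical enough to write down. The script below is an added illustration, not code from PassPack or from the comment's author. The captured passwords, the hostnames and the target site are constructed to match the example in the comment; the "site label" rule (first label of the hostname, e.g. `flickr` from `flickr.com`) is an assumption about how such a user derives the variable part. For contrast, the last function shows what a password manager does instead: independent random secrets, from which the same inference recovers nothing.

```python
import secrets
import string

# Constructed sample (not real credentials): two passwords an attacker is
# assumed to have read off non-HTTPS logins, as in the scenario above.
CAPTURED = {
    "flickr.com": "fliXYZ86",
    "forum.example.net": "forXYZ86",
}


def _common_suffix(words):
    """Longest suffix shared by every string in `words`."""
    if not words:
        return ""
    shortest = min(words, key=len)
    for i in range(len(shortest)):
        suffix = shortest[i:]
        if all(w.endswith(suffix) for w in words):
            return suffix
    return ""


def _site_label(host):
    """Assumed rule for the part of a hostname a user derives a password
    from: the first DNS label ('flickr' from 'flickr.com')."""
    return host.split(".")[0].lower()


def infer_formula(captured):
    """Recover a 'site-derived prefix + fixed master' formula from
    {host: password} pairs.

    Returns (prefix_length, master) if one formula explains every capture
    (prefix_length 0 means the same password was simply reused), else None.
    """
    master = _common_suffix(list(captured.values()))
    if not master:
        return None
    prefix_len = None
    for host, pw in captured.items():
        prefix = pw[: len(pw) - len(master)]
        # The variable part must be a prefix of the site label, and the same
        # length on every site, for the formula to carry over to a new site.
        if prefix and not _site_label(host).startswith(prefix.lower()):
            return None
        if prefix_len is None:
            prefix_len = len(prefix)
        elif prefix_len != len(prefix):
            return None
    return prefix_len, master


def guess_password(captured, target_host):
    """Apply the inferred formula to a site the attacker has never seen."""
    formula = infer_formula(captured)
    if formula is None:
        return None
    prefix_len, master = formula
    return _site_label(target_host)[:prefix_len] + master


def random_password(length=20):
    """A password-manager style password: drawn independently per site, so
    one capture says nothing about any other site."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(infer_formula(CAPTURED))                 # (3, 'XYZ86')
    print(guess_password(CAPTURED, "gmail.com"))   # gmaXYZ86
    unique = {h: random_password() for h in CAPTURED}
    print(infer_formula(unique))                   # None
```

Running it reproduces the comment's scenario: the two captures yield the formula "three letters of the site name + XYZ86", and the same rule applied to gmail.com produces the password the attacker would try. Replacing the captures with two independently generated random passwords gives no shared structure to work with.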

