Comments on: The web 2.0 password crisis http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/ Thu, 17 May 2012 15:25:22 +0000 http://wordpress.org/?v=2.2 By: Russell Cloran http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24321 Russell Cloran Wed, 11 Jun 2008 17:22:56 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24321 SuperGenPass is .... super. It generates a password for each site based on your master password, the site name, and a hashing algorithm. It guarantees upper and lower and numeric characters in every password (for those fussy sites). Unlike Keeppass mentioned above, you don't have to run a separate app, it's a bookmarklet that'll populate form fields for you automatically. Neat. SuperGenPass is …. super.

It generates a password for each site based on your master password, the site name, and a hashing algorithm. It guarantees upper and lower and numeric characters in every password (for those fussy sites).

Unlike Keeppass mentioned above, you don’t have to run a separate app, it’s a bookmarklet that’ll populate form fields for you automatically. Neat.

(Report abuse)

]]> By: Luke Hardiman http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24138 Luke Hardiman Fri, 23 May 2008 06:12:54 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24138 Hey Matthew, I'm pretty much doing what you suggest - my core email account password is different to all my other lesser logins. Hopefully in the future OpenID will simplify things for us as it becomes more widely adopted. This "one login to rule them all" approach seems to be gathering pace already as an option on many big sites, and there's a Wordpress plugin for it too which you guys should check out: http://wordpress.org/extend/plugins/openid/ Hey Matthew, I’m pretty much doing what you suggest - my core email account password is different to all my other lesser logins.

Hopefully in the future OpenID will simplify things for us as it becomes more widely adopted.

This “one login to rule them all” approach seems to be gathering pace already as an option on many big sites, and there’s a Wordpress plugin for it too which you guys should check out: http://wordpress.org/extend/plugins/openid/

(Report abuse)

]]> By: Robin Pietersen http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24134 Robin Pietersen Thu, 22 May 2008 20:10:59 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24134 In the majority of cases I think you are pretty safe as the passwords stored on a large service are 'generally' encrypted. As policy I encrypt all user passwords on registration and wouldn't have a clue how to decrypt them. Most developers I know do the same, it makes for a safer system (But don't bet on this, rather safe than sorry). And then of course there are efforts like openID, if better adopted, would be a great solution to all the above problems :-) In the majority of cases I think you are pretty safe as the passwords stored on a large service are ‘generally’ encrypted. As policy I encrypt all user passwords on registration and wouldn’t have a clue how to decrypt them. Most developers I know do the same, it makes for a safer system (But don’t bet on this, rather safe than sorry).

And then of course there are efforts like openID, if better adopted, would be a great solution to all the above problems :-)

(Report abuse)

]]> By: Joey da Silva http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24130 Joey da Silva Thu, 22 May 2008 14:39:48 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24130 Matthew, totally agree with your comments and avoid using the same passwords for the very reason! I been using Google BrowserSynch (Google it :) Firefox plug-in for quite a while now. Stores your bookmarks, passwords and browsing history (all encrypted) across machines - try it, it works brilliantly. Matthew, totally agree with your comments and avoid using the same passwords for the very reason! I been using Google BrowserSynch (Google it :) Firefox plug-in for quite a while now. Stores your bookmarks, passwords and browsing history (all encrypted) across machines - try it, it works brilliantly.

(Report abuse)

]]> By: Jonno Cohen http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24123 Jonno Cohen Thu, 22 May 2008 12:23:52 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24123 I saw a very interesting technique on Lifehacker a while back, and I've been using it for the past year or so. First you generate a string of 6-10 alpha-numeric characters as your password 'base' - the same guidelines as usual apply (make it impossible to guess, etc etc). The trick with it is that for every site or account for which you need a password, you append part of that site's name to your password base. For instance if I were signing up for twitter I could use my base ('password123') and add the first 4 characters of the site, resulting in 'password123twit'. The nice result of this is that you have a unique password for every account without having to track or store all of them. As long as nobody else knows your password base or your system, it *should* be bulletproof. I saw a very interesting technique on Lifehacker a while back, and I’ve been using it for the past year or so.

First you generate a string of 6-10 alpha-numeric characters as your password ‘base’ - the same guidelines as usual apply (make it impossible to guess, etc etc). The trick with it is that for every site or account for which you need a password, you append part of that site’s name to your password base. For instance if I were signing up for twitter I could use my base (’password123′) and add the first 4 characters of the site, resulting in ‘password123twit’.

The nice result of this is that you have a unique password for every account without having to track or store all of them. As long as nobody else knows your password base or your system, it *should* be bulletproof.

(Report abuse)

]]> By: Steve Crane http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24107 Steve Crane Wed, 21 May 2008 19:12:06 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24107 Like Mark I use Keepass, which is also available for Linux and probably for OS X as well. I gave up using 16 character passwords though and reduced the length of default passwords generated a bit. The reason being that it is frightening how many web sites have poor handling of passwords that prevent you from logging in next time you try. You haven't lost your password; it's in your database but just doesn't work. Here's what happens. You provide your long password and are told that it was accepted, but the field they use to store the password is shorter than the password supplied. The correct thing to do would be to notify you the password you selected is too long and some sites do that but many more simply truncate it so your password becomes the first n characters of what you thought it was. I have settled on a length that still allows for sufficiently complicated passwords but has largely done away with the problem of truncation. Like Mark I use Keepass, which is also available for Linux and probably for OS X as well.

I gave up using 16 character passwords though and reduced the length of default passwords generated a bit. The reason being that it is frightening how many web sites have poor handling of passwords that prevent you from logging in next time you try. You haven’t lost your password; it’s in your database but just doesn’t work. Here’s what happens. You provide your long password and are told that it was accepted, but the field they use to store the password is shorter than the password supplied. The correct thing to do would be to notify you the password you selected is too long and some sites do that but many more simply truncate it so your password becomes the first n characters of what you thought it was. I have settled on a length that still allows for sufficiently complicated passwords but has largely done away with the problem of truncation.

(Report abuse)

]]> By: Mark http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24106 Mark Wed, 21 May 2008 13:37:02 +0000 http://www.techleader.co.za/matthewbuckland/2008/05/21/a-web-20-password-crisis/#comment-24106 I use KeePass (Google it). It's a windows program that keeps passwords encrypted with a master password. For all my Web 2.0 services I use impossibly complicated passwords up to 16 characters long (that KeePass generates for you). Just copy-paste your password out when you need to login... simple! I use KeePass (Google it). It’s a windows program that keeps passwords encrypted with a master password.

For all my Web 2.0 services I use impossibly complicated passwords up to 16 characters long (that KeePass generates for you).

Just copy-paste your password out when you need to login… simple!

(Report abuse)

]]>