E figured out how to climb a landing this week. As you can tell by my voice, I’m not exactly thrilled about this newfound mobility. We are in trouble!
My setup: Password Hasher and KeePass
My friend Aaron recently blogged about an innovative way to generate and remember many passwords using convenient password cards. His post has inspired me to share my own method for randomizing my passwords across many sites. Let me say at the outset, though, I really like Aaron’s approach, and don’t mean to imply by this post that I think my approach is superior to his (in fact, for portability and forward compatibility, his solution is perhaps superior to mine). The point is to find a method that works and then discipline yourself to stick to it.
Let me start with a short story. You may remember that I used to be the proprietor of the Homestar Runner Wiki and its accompanying discussion forum. Well, there was some drama there one year (as there was every year and as there is with all online fora) and one of our members decided to start his own forum and tried to persuade other members to leave us and join him since we were so dumb and he was so cool. I almost signed up on his forum just to see what all the fuss was about, but before I got around to it, one of our forum’s moderators signed up on his site. Shortly after she signed up, he was able to retrieve her password from his own forum’s database, and, since she had used the same password for his site as she had used on our site, he was able to log into our site using her password.
Total chaos ensued. Using her moderator abilities, he was able to delete a significant chunk of our forum’s posts, though it was slow going because he had to delete the posts one at a time, and the activity was eventually noticed and blocked by one of our admins. I was mortified as I imagined what would have happened had I signed up there as I had been considering. He would’ve had much greater permissions to delete whole sections of the board much faster, and could have done a lot more damage. The take-home lesson from this little story is obvious: no matter how secure you think any two sites are, don’t ever use the same password twice, or you risk a disgruntled administrator using your password from one place to log in somewhere else.
How ’bout you? Do you currently use the same password in many different places across the web? Imagine what someone could do if they were to obtain that password. Could they log into your e-mail and steal all your contacts? Your blog and delete all your posts? Your bank and transfer all your money to their secure off-shore account?
Password Hasher
Of course, managing unique passwords across hundreds of sites is no easy task. Enter Password Hasher, an algorithm for generating secure passwords from a site tag and a master password. Since the passwords are regenerated using the same algorithm every time you need them, there’s no need to actually store the password anywhere. As long as you remember your master password and the tag you used for each site (the easiest way to do this is simply to use the domain name itself as the tag), you can regenerate the password whenever you need it.
A Password Hasher Firefox extension makes it easy to generate these passwords whenever you need them on your own computer (be it a Mac, PC, or Linux box), and a JavaScript version of the same algorithm makes the system portable (say when you’re using a library computer or a friend’s computer, and don’t have your Firefox extension handy).
Not only does Password Hasher let you generate unique passwords for each of the sites you use, but it also makes it dead simple to use much more secure passwords than you normally would. I’ve set my default password length to significantly more than eight characters, and I make sure to use special characters on any sites that allow them. I rest easy knowing it is that much more difficult for any of my passwords to be cracked.
KeePass
Now, once in a while I have need of passwords outside of my browser, where opening up my browser and firing up my Password Hasher extension is a bit impractical. For instance, user passwords for web servers, FTP passwords, instant messengers, &c. For these kinds of outside-the-browser passwords, I supplement my security scheme with an open source multi-platform tool called KeePass.
KeePass has a nice password generator built in, but instead of generating your passwords on the fly each time you use them, your passwords get stored in a strongly encrypted master-password-protected database. I store this database on my Dropbox and use Portable Dropbox and Portable KeePass on my thumb drive for when I’m on the go, and this has worked very well for those passwords where Password Hasher just isn’t a good fit.
Drawbacks
I’ve been using Password Hasher and KeePass for a couple years now, and they continue to serve me well, but there are a few niggles. For one, I find myself using Google Chrome more and more on my Mac and PC, and of course there is no Firefox at all on my iPad and iPhone, so consequently I’m using the JavaScript version of Password Hasher more and leaving the more convenient Firefox extension behind.
Furthermore, on iPad and iPhone, there is simply no way to access my KeePass database, so I find myself either reading my passwords from my Mac or PC and typing them into my iPad or iPhone, or copying and pasting my password into Simplenote on my Mac or PC and subsequently copying and pasting it out of Simplenote into the app or website on my iPhone or iPad. This is not exactly ideal—and of course this only works if I’m near my Mac or PC, and I rarely prefer to use my iPhone or iPad when I am—but until I find something better, it suffices. In light of this, though, I’m seriously considering replacing KeePass with 1Password, even despite my deep consternation about replacing an open tool with a proprietary one.
Conclusion
These days the only password I have memorized is my computer login password (I wish there was an easy way to copy and paste a password on an initial computer login screen, but oh well), but even that password is generated with Password Hasher, is not the same password I use anywhere else, and is changed on a regular basis. All my other passwords are either stored in KeePass or generated on the fly with Password Hasher.
I hope I’ve encouraged you to come up with a system to keep your passwords more secure and armed you with some tools to make this easy (though, if you think my system is too complicated, by all means, check out Aaron’s). You never know what can happen on the world wide interweb series of tubes, and it’s always better to be safe than sorry.
“Blessings” by Laura Story
My new favorite Christian music track is “Blessings” by Laura Story. Here are the lyrics:
We pray for blessings,
We pray for peace,
Comfort for family, protection while we sleep.
We pray for healing, for prosperity,
We pray for Your mighty hand to ease our suffering.
All the while, You hear each spoken need,
Yet love us way too much to give us lesser things.

’Cause what if your blessings come through raindrops?
What if Your healing comes through tears?
What if a thousand sleepless nights
Are what it takes to know You’re near?
What if trials of this life are Your mercies in disguise?

We pray for wisdom,
Your voice to hear,
And we cry in anger when we cannot feel You near.
We doubt Your goodness, we doubt Your love,
As if every promise from Your Word is not enough.
All the while, You hear each desperate plea,
And long that we’d have faith to believe.

’Cause what if your blessings come through raindrops?
What if Your healing comes through tears?
What if a thousand sleepless nights
Are what it takes to know You’re near?
And what if trials of this life are Your mercies in disguise?

When friends betray us,
When darkness seems to win,
We know the pain reminds this heart
That this is not, this is not our home.
It’s not our home.

’Cause what if your blessings come through raindrops?
What if Your healing comes through tears?
And what if a thousand sleepless nights
Are what it takes to know You’re near?
What if my greatest disappointments
Or the aching of this life
Is the revealing of a greater thirst this world can’t satisfy?
And what if trials of this life,
The rain, the storms, the hardest nights,
Are your mercies in disguise?
Chew, chew, chew
His oath, his covenant, his blood
Yesterday morning in Bible study we discussed Luke 22:14-20 where Jesus institutes the Lord’s supper and asserts that the new covenant is sealed with his blood:
And he took bread, and gave thanks, and brake it, and gave unto them, saying, “This is my body which is given for you: this do in remembrance of me.” Likewise also the cup after supper, saying, “This cup is the new covenant in my blood, which is shed for you.”
In our study we then connected that back to the new covenant promises found in Ezekiel 36:22-38:
Then I will sprinkle clean water upon you, and ye shall be clean: from all your filthiness, and from all your idols, will I cleanse you. A new heart also will I give you, and a new spirit will I put within you: and I will take away the stony heart out of your flesh, and I will give you an heart of flesh. And I will put my spirit within you, and cause you to walk in my statutes, and ye shall keep my judgments, and do them.
My forgiveness, my assurance of salvation, my living a new life, my having God’s spirit in me, is all grounded upon an oath, a covenant that God has made and which has been sealed with Christ’s blood shed for me.
With all that in mind, I was particularly struck by the third verse of the hymn, “The Solid Rock”, which we sang in worship service this morning:
His oath, His covenant, His blood
Support me in the whelming flood;
When all around my soul gives way,
He then is all my hope and stay.

On Christ, the solid Rock, I stand;
All other ground is sinking sand,
All other ground is sinking sand.
Are we leaning on other people in our lives—parents, spouses, friends? Are we leaning on ourselves and our own abilities? Or is our salvation built on Christ and Christ alone, his oath and covenant sealed with his blood, which is our only “hope and stay”?