I Just Logged In As You: How It Happened

Silly, John. Everyone knows that a big, dumb, balding North American ape, with no chin, is spelled Kwyjibo.

http://www.snpp.com/episodes/7G02.html

@Adrian

Yeah, it is a bit of a catch-22.

Optimal safety would be using a different set of credentials at each site you go to. Having one username/password compromised would only allow the attacker access to that site.

But, most people don’t want to memorize 15 different username/password combos - so they use the same username/password for all 15 anyway. As demonstrated by Jeff (and yes, I’m guilty of this too, I think most of us are). In this case, I know my user/pass and I’ve also given it out to 15 other websites and I’m trusting each of them to properly secure that information (and many of them won’t). That makes it much worse than OpenID.

With OpenID, you can trust a single provider with your username/password to authenticate you. Now, you know it, and one very respectable company that you might trust more than ‘JoesRandomWebsite’ knows your information.

Now, if you are the type of person who was following the best practice approach of completely different credentials for each website, you can still do that with OpenID. You just need to create multiple OpenIDs (I’m fairly confident you can do that without any trouble).

Jeff,

you forgot to check the ONLINE MD5 dictionary, apparently.

I still claim this was a hoax, to boost visits to this site.

MD5 lookup? C’mon. This has been around for years and you fell for it.

Ownz0red ? :slight_smile:

So, it was a simple problem, after all: if you put all your eggs in a basket, you have to be sure that the basket is well protected. Especially if the basket is provided by someone else (in this case, Jeff put some logins with the same password… and the password wasn’t secured in one site).

Come on Jeff, tell us if he got the award :-).

And tell us the password, too! We’re curious about it…

Oh, and just to be more precise :

  1. Programmers are the enemy.
  2. Hey … wait a second, I’m a programmer!
  3. GOTO 1
  4. Profit!

And that’s why programmers rarely get rich…

@NMONNET:

I use SuperGenPass (http://www.supergenpass.com/).

It works pretty much the same. I did not know PasswordMaker, thanks for the tip!

I converted all of my passwords to use the bookmarklet from http://www.supergenpass.com once I heard Jeff’s password got stolen. I’ve been reusing the same 2 or 3 passwords for all of my sites for the last couple of years, so I was pretty vulnerable.

SuperGenPass is great because it’s a bookmarklet that hashes your password with the domain name of the site you’re on. You can fairly safely use the same password on multiple sites and it creates a unique password based on the domain. I took it a step further and use the Advanced options (http://www.supergenpass.com/customize/?advanced) to include a Stealth Password in the generated bookmarklet.

Yeah, you have to guard your master password, but I think this is much better than having to keep track of unique passwords for various sites. Add to that, an attacker would have to know you use the SuperGenPass algorithm to use your master password.
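An added example (not the commenter's code and not SuperGenPass's actual algorithm) of the idea just described: one master secret, one password per registrable domain, with an optional "stealth" secret mixed in. The iteration count and the two-label domain rule are assumptions made for the illustration.

```python
import base64
import hashlib

# Constructed scheme in the spirit of SuperGenPass, not its real algorithm.
# The domain acts as the salt, so one master password yields an unrelated
# password on every site; the optional stealth secret means the master
# password alone (and knowledge of the scheme) is not enough to reproduce them.

ITERATIONS = 50_000  # assumed stretching count; slows offline guessing of the master


def registrable_domain(host: str) -> str:
    """Collapse www.example.com and login.example.com to example.com so the
    same site always yields the same password. Naive two-label rule; real
    code would consult the public suffix list (co.uk and friends)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def meets_typical_policy(pw: str) -> bool:
    """The usual web-app rule: at least 8 chars with lower, upper and a digit."""
    return (len(pw) >= 8 and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw))


def derive_site_password(master: str, host: str, stealth: str = "", length: int = 12) -> str:
    if length < 8:
        raise ValueError("length must be at least 8 to satisfy the policy")
    domain = registrable_domain(host)
    secret = (master + "\x00" + stealth).encode()
    raw = hashlib.pbkdf2_hmac("sha256", secret, domain.encode(), ITERATIONS, dklen=32)
    while True:
        # Base64 gives mixed case and digits; swap the two symbols some sites reject.
        candidate = base64.b64encode(raw).decode().replace("+", "9").replace("/", "8")[:length]
        if meets_typical_policy(candidate):
            return candidate
        raw = hashlib.sha256(raw).digest()  # deterministic retry until the policy is met
```

Because derivation is deterministic, losing the bookmarklet is harmless, but changing the master password changes every site password at once.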

Stop using MD5. Stop using MD5. Stop using MD5.

There is code out there to quickly generate meaningful MD5 collisions. Get out of the stone age and use SHA-256.

Nice Approach.

Just to remind people, your most important password these days is your email’s password. Don’t ever use it for more than just the email and have it as weird as it gets.

Aaron G: All of the MD5 vulnerabilities are about creating checksum collisions, not reverse-engineering the original password. Therefore, if the password was salted but stored as MD5, it wouldn’t be possible to reverse the hash back into the original password.
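An added example (not code from the post) of the point the thread keeps circling: an unsalted MD5 hash can be reversed by a precomputed lookup, while a random per-user salt plus key stretching defeats the lookup. The word list, the passwords and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the dictionary an online MD5 lookup
# service has already hashed.
WORDLIST = ["password", "letmein", "bunnies", "Bunnies1", "qwerty123", "dragon"]
ITERATIONS = 50_000  # assumed PBKDF2 cost; raise it as hardware gets faster


def build_lookup_table(words):
    """Every common word hashed once. Unsalted hashes of the same word are
    identical on every site, so one table reverses stored hashes anywhere."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, stored_hash):
    return table.get(stored_hash)  # None when the hash is not in the table


def store_unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Random per-user salt kept beside the hash. The same password on two
    accounts now hashes differently, so nothing can be precomputed, and the
    iteration count makes each individual guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)  # constant-time compare
```

The salt only removes the precomputation shortcut; guessing against one stored hash still works, which is why the per-guess cost matters.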

I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

http://www.theroboformreport.com/indexb.html

There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!

Jeff,

So, if you are not using RoboForm (or some other password manager) to create random passwords for every site, the only explanation I can come up with is you are either Cheap, Lazy or Stupid. Which is it? Heck, RoboForm even has a free version for up to like 10 sites. Use it for high-value logins like your bank/openid provider/etc.

RoboForm (1Password for Macs) is drop dead simple. You only have to remember 1 password and that password is only used locally.

BOb

What will you do with the guy? I say let’s give him the SO badge, he seems nice

Actually I’d say you’re wrong about most OpenID providers being vulnerable to a dictionary attack. Most password schemes require like letters, a number and at least 6 characters (maybe 8) long. Being this is common, most brute force tools will actually tack a number on, or even change case. Bunnies1 is probably vulnerable to most tools, but would get by a fair number of webapps as an acceptable password.

Interesting to have this happen a few days after most of the internet backed up 37 Signals when it came out they weren’t storing salts with their passwords. Has the internet forgotten already?

You forgot a key issue of the problem here: that you’re using MD5. Use RIPEMD-160 with a salt. There’s a RIPEMD-160 provider built into the base .NET libraries.

Many of the current hashes were made back in a time that it wasn’t practical to reverse them in to their possible origins. That’s no longer the case. Even with salting - although that does make it exponentially harder.

Instead, I like to:

  1. encrypt the password - this almost randomises the ASCII and makes use of the full spectrum, even values you can’t logically use such as zero. The encryption of the password can be salted.
  2. hash the password - this removes the option of storing an actual password.
  3. repeat steps 1 and 2 using different algorithms.

If you know what you are doing then the longer it takes you to calculate and store the value the longer it will take to hack.

Oh - and I don’t bother with standard algorithms. I like customising them a bit. I don’t need to keep to any standards because the password is limited to the specific software and doesn’t need to be interoperable.

A lot of hash and encryption systems are for encrypting and signing at one place by a sender and verifying and opening at another place by a receiver - in this situation the software is both the sender and receiver, and is in-place. So using a standard algorithm just makes it easier for a hacker.

Personally I feel that we should make sure that anyone working on security has certifications in security rather than an every-day non-certified programmer. I’m not saying an every-day programmer can’t do security, just that anyone doing security should certify that they are capable and competent.

Dude, I told you in the last part, and I’ll tell you again: not being a dictionary based word is hard. And do you know how a dictionary attack works? http://www.merriam-webster.com/dictionary/ is a pretty poor dictionary check.