It seems like there is not a day that passes without news of yet another web site hacking incident, where the attackers made off with a set of thousands of usernames, email addresses, and either plaintext passwords or password hashes. Although the later may appear to be safer – and it is better than having your plaintext password compromised – in the grand scheme of things it is still a major concern. A hashed password is not a huge hurdle for a crafty and determined attacker to overcome, especially if they are patient and have time.

When web sites are hacked, the real concern for a user, other than stolen credit card details, should be password reuse. Come on an admit it – you are using the same password on damn near every site you visit, right? You know it is not a smart strategy, potentially dangerous even, but you do it anyways. The problem is that once a web site is compromised, and when an attacker has your password, they now have access to every web site you use.

Just imagine the implications. You have just handed the keys to your kingdom to a bad guy. Now then can impersonate you, try and siphon money from your friends and family, or worse. Having your online identity stolen is not pretty, and can have huge ramifications on your offline life.

What can you do to decrease the security risk to your accounts – to make it far more difficult for an attacker to gain access to your cherished data?

The answer should be obvious: stop using the same password on every web site.

I know what your initial reaction is going to be because I have heard it a thousand times over throughout the years: “How do you expect me to use a different password on each site and remember them all? I use facebook, twitter, gmail, yahoo, tumblr, linkedin, pinterest, dropbox, disqus, my blog, my computer, just to name a couple. There is no way I can remember a unique password for every one of those sites. It is impossible.”

So how do you use unique passwords on the dozens of web sites you visit daily, without this being a huge burden on your already overtaxed brain?

There is actually an extremely easy method for solving this ostensibly complex problem. What if I told you there is a method allowing you to use an easy-to-remember unique strong password on all those web sites you mentioned? And what if I told you this was done by remembering and entering a single “password” for gaining access.

How’s that for simplicity?

Unique passwords via a single password. Sounds so unsecure, right? Thankfully, it is not insecure at all.

So how does it work?

There is only a single tool required to make this work, although I recommend an additional few tools to make your life easier, especially when you are mobile. The tools are:

• PwdHash (required)
• 1Password for Mac or Windows (optional)
• 1Password for iOS or Android (optional)

PwdHash is the primary piece of magic behind the elegant solution to this complex problem. So what is PwdHash and why should you care?

PwdHash transparently converts passwords into a one-way domain-specific hash based on the password the user entered and the domain-name of the site being visited (ie. facebook.com). This way, the site only sees a domain-specific hash of the password as opposed to the actual password itself.

If the site is compromised, only password hashes will be exposed rather than the actual password. Although PwdHash is using a public hashing function, there is no genuine way for an attacker to determine if the password exposed is an authentic password or a hash. The beauty of this solution is that although the user is using the same “password” on every site, each site is storing a unique password.

PwdHash is the difference between an attacker seeing MyD0gF!d0roc$ and FCiDTxpsdbpq1+zO.

Put simply, PwdHash makes it easy to use a single password on multiple sites but in a secure manner because each web site is storing what appears to be a unique strong password.

PwdHash has a browser extension for Firefox, with ports for others popular browsers such as Chrome, that helps generate unique passwords based off of the domain of the site and then a “site password” you enter. Alternatively, if your browser-of-choice does not have an extension, the PwdHash web site can generate the necessary hashes for you.

Here is how easy the PwdHash extension is to use:

PwdHash generates theft-resistant passwords. The PwdHash browser extension invisibly generates these passwords when it is installed in your browser. You can activate this protection by pressing F2 before you type your password, or by choosing passwords that start with @@. If you don’t want to install PwdHash on your computer, you can generate the passwords right here.

Let me translate that to make it more understandable. Lets say you installed the extension and already changed your password using PwdHash. To login to facebook, you type in your email address as your normally do and then “tab” to the password field. Press @@ and the field changes to yellow, to indicate PwdHash is ready for your input. Type in your password and then “tab” to the “login” button. After exiting the password field, PwdHash will replace the contents of the password field with the necessary has.

Does it get much more simple than that? This is really where the HOWTO could end, however, there is an additional tool to make your unique password entering life much easier: 1Password, a tool for securely storing passwords for easy recall in the future.

Password Storage, Retrieval, and Backup

What makes 1Password valuable is that it will securely store your passwords in a database that can be backed up to DropBox or iCloud (from the iOS client). Using the DropBox integration allows multiple copies of 1Password to stay in sync. Update passwords on the desktop, save to 1Password, open up your iOS device and instantly synchronize 1Password with those new or modified entries.

The only drawback to 1Password, if you could even call it that, is its price may be objectionable to some folks: $49.99 for the Desktop version and another $17.99 for the iOS version. For me, the cost is absolutely worth the peace of mind and ease of use.

1Password also has the ability to generate strong unique passwords from within the application, thus allowing users to create truly unique passwords for each web site. Using this functionality ultimately changes the context of remembering passwords though. If 1Password is generating strong passwords, that makes this application required – it is no longer an optional component of this strategy. There are a couple tradeoffs to consider:

1. Using PwdHash to generate strong passwords does not require any additional software. Users can continue to use a single password for all web sites albeit in a secure manner. Using the PwdHash browser extension, or visiting the PwdHash web site, users can generate the secure hash required to login to any web site desired.
2. Using 1Password to generate strong passwords now makes 1Password a required application, thus turning this solution from free to paid. Additionally, you are now dependent upon 1Password for logging into web sites because you are using a truly unique password for each web site, rather than a hash based on a single password. Optionally, you can memorize all those unique passwords and forego 1Password altogether.

What this really comes down to is: do you want to be forced to use 1Password for logging into web sites? While I adore the application, I enjoy the additional flexibility of PwdHash. In my solution, 1Password is a mere convenience, not a required variable in the equation.

Stop talking and tell me how to make all this work!

So now that I have told you all about these nifty toys, here are the steps to implement them as smoothly as possible:

1. Download and install PwdHash browser extension (Firefox or Chrome).
2. Purchase, download, and install 1Password for your favorite desktop operating system as well as your go-to mobile operating system. Personally, I use Mac & iOS, and find the tools to work flawlessly together.
3. Configure 1Password to synchronize with DropBox.
4. Install the 1Password browser extensions (Safari, Firefox, and Chrome)
5. At this point you are ready to start generating unique secure passwords, as well as saving them in 1Password for cataloguing. This facilitates mobile synchronization and data back-up to the cloud in the event there is a catastrophic failure with your hard-drive.
6. Visit all your favorite web sites and change your password using PwdHash. Save all these newly generated passwords in 1Password with the browser integration. Now you have unique strong passwords on all your web sites, and are safely storing those for later recall, and backup, via 1Password.
7. Live with the peace of mind that your online identities are a whole lot safer than previously.

What is great about this solution is it is cross-platform and not dependent upon operating system-specific applications even though they are available. While I do encourage the use of 1Password, it is purely optional. I wholeheartedly recommend 1Password for its versatility as a password storing application as well as its ability to securely store other sensitive information, such as credit card details, driver’s licenses, and other important data.

Additional Notes

• If a web site is compromised after you start using this method, and password data was stolen, I highly recommend you change your password for that site even though the site was only storing a password hash. At least your account itself was not compromised, and by extension all your other online identities, but you still remain at risk. Do yourself a favor and change passwords.
• The previous concern is where the use of 1Password excels. Even though you may have one or two sites using a different “password”, the correct password hash will be stored in 1Password. Your access is always only a fingertip away.
• If offered, two-step authentication should be turned on to the maximum extent possible. Google has this capability, as does DropBox, App.net, WordPress (hosted and wordpress.org), and more. Twitter is claimed to be working on this as of April 30, but has not yet released this functionality.
• If you have multiple accounts on a single service – save multiple Gmail accounts – then PwdHash fails to a certain extent. Since the password hash is generated by the user-entered password and the site domain, multiple accounts may end up with the same hash unless you use a unique per-account password in this instance. This is another area where 1Password excels; in the few cases where you have multiple accounts on a single service, using 1Password to recall the password is invaluable. This way your accounts may use unique passwords but they are securely stored and easily recallable.

Conclusion

The internets today is like the wild west back in the late 1800’s. Protection is a must, and you start by securing access to your online identities. The simplest way to do that is to use unique a password for every web site you visit. The best, and least inexpensive, way to do that is with PwdHash. Coupled with 1Password and you have a solution for creating unique per-site passwords that are backed-up and safely stored should you ever need that data at some point in the future.

Be part of the solution, not the problem. Use strong passwords and protect your online identity.

This post is part of the thread: Security – an ongoing story on this site. View the thread timeline for more context on this post.