Help your users stay more secure by giving them fewer passwords to remember.
At first glance, this hack might seem counterintuitive. Shouldn’t you be using strong passwords that are unique to every account? Well, yes you should, but let’s face it: that’s hard to do. IT security professionals should try to practice what they preach, but it can be unrealistic to expect the average corporate or home user to follow such practices, especially since nearly everything seems to require user registration these days. Unfortunately, this makes the issue much more problematic, because if the user is using the same password for multiple online accounts, discovery of that password can jeopardize all of them.
One tool that helps to improve this situation is PwdHash (http://crypto.stanford.edu/PwdHash/), from the Security Lab at Stanford University. PwdHash is an extension (available for Internet Explorer, Firefox, and Opera) that enables a user to easily use strong passwords that are unique to each web site with which they register.
PwdHash does this by reading any password fields in a web form and dynamically replacing them with a unique strong password. It generates the password by combining the user-specified password with the domain name of the web site and then generating a one-way hash from it. This also alleviates users’ worries about the security of their browsers’ password stores: they no longer need to have their browsers remember their passwords, because, in their minds, each of them has only one password.
In addition, using PwdHash can help mitigate the result of phishing attacks [Hack #40]. If a user clicks on a link purporting to be a legitimate web site and ignorantly enters his password, PwdHash will replace it with its generated hash. Unless the phishers actually managed to take control of the legitimate site’s domain, the phisher’s domain used to compute the hash will be different, so the hash will be too.
Installing PwdHash is easy: just go to the site and click on the installer corresponding to the browser with which you want to use it. Depending on your browser’s security systems, you might need to allow crypto.stanford.edu to install extensions. Once you’ve installed the extension, restart your browser. PwdHash is selectively triggered for password fields by either prefixing the password you enter with @@ or pressing the F2 key.
One problem that implementing PwdHash locally presents is what to do when you’re away from your computer. Remote PwdHash (http://crypto.stanford.edu/PwdHash/RemotePwdHash/), shown in Figure 3-10, solves this problem.
Remote PwdHash is a web-based implementation of PwdHash’s hashing algorithm. It’s done in JavaScript and executed only within your browser, so you can rest assured that the password you enter won’t be transmitted or stored anywhere. Enter the domain of the web site you want to access, along with the password, and it will generate the proper hash for you.
Though PwdHash and its remote cousin are incredibly simple, they’re extremely powerful tools. PwdHash exhibits one of the main hallmarks of good security: usability. If the security policies you make aren’t followed in spirit (as many password policies aren’t), they’re no good. This tool goes a long way toward keeping both administrators and end users happy.