Strong passwords mean greater security, but creating a strong password that is also memorable enough to use is something of a royal pain in the patootie. One click on the Mac App Store reveals a dozen or so password utilities, and using any one of them is better than using your dog’s name. Here’s another to add to the list.
I like passwords I can remember, but that requirement also means the password won’t be quite so strong. After all, Abby Sciuto can guess a terrorist’s notebook password in about a minute; less if Gibbs is nearby.
The free app Locksmith generates a password that is tied to a specific website’s domain name. The part you don’t see is based on the Stanford PwdHash project, which is to say it is a tough nut to crack.
What Locksmith brings to the table is the elimination of password reuse across accounts: one master key, a different password for every website. Locksmith works this way. Enter the URL of the website (its domain name). Enter a password key (a string only you know; the same key is used for every website).
Locksmith builds the site-specific password.
Here’s the problem the Stanford PwdHash project solves:
Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective.
Here’s how the method adds another layer of security to defeat the attacks.
PwdHash is a browser extension that transparently converts a user’s password into a domain-specific password. The user can activate this hashing by choosing passwords that start with a special prefix (@@) or by pressing a special password key (F2). PwdHash automatically replaces the contents of these password fields with a one-way hash of the pair (password, domain-name). As a result, the site only sees a domain-specific hash of the password, as opposed to the password itself. A break-in at a low security site exposes password hashes rather than an actual password.
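To make the Locksmith workflow above (domain plus master key in, site password out) and the PwdHash description of a one-way hash over (password, domain-name) concrete, here is an added, self-contained Python example. It is not Locksmith’s or PwdHash’s own code: the published PwdHash scheme uses HMAC-MD5 with its own length and character rules, while this example uses HMAC-SHA256 and its own composition rules, and the domain normalization (strip scheme, path and a leading “www.”) is a deliberate simplification. The function names and the sample master key and domains are assumptions made for the illustration; the final function shows the caveat that the domain is public, so a leaked site password lets an attacker test guesses against a weak master key offline.

```python
import base64
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Character classes the derived password is guaranteed to contain, so it
# passes typical "upper, lower, digit, symbol" site policies.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*-_=+")


def site_domain(url: str) -> str:
    """Reduce a URL or bare host to the domain the password is bound to.

    Simplified normalization (an assumption of this example): keep only the
    host, lower-case it and drop a leading "www.".
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host in %r" % url)
    return host


def derive_site_password(master_key: str, domain: str, length: int = 16) -> str:
    """Derive a deterministic, site-specific password from one master key.

    HMAC-SHA256(key=master_key, msg=domain) is Base64-encoded and truncated,
    then four positions chosen from the digest are overwritten with one
    character from each class in CLASSES so every class is present.
    """
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")
    digest = hmac.new(master_key.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    chars = list(base64.b64encode(digest).decode("ascii")[:length])
    # Four distinct positions, ordered by digest bytes; ties broken by index.
    positions = sorted(range(length), key=lambda p: (digest[p % 32], p))[:4]
    for k, (pos, alphabet) in enumerate(zip(positions, CLASSES)):
        chars[pos] = alphabet[digest[16 + k] % len(alphabet)]
    return "".join(chars)


def recover_master_key(leaked_password: str, domain: str, candidates):
    """Offline guessing attack on a leaked site password.

    Because the domain is public and the derivation is deterministic, an
    attacker who obtains one site's password can test candidate master keys
    without talking to any server. Returns the matching key or None.
    """
    for guess in candidates:
        if derive_site_password(guess, domain, len(leaked_password)) == leaked_password:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    master = "correct horse battery"
    for url in ("https://www.example.com/login", "https://mail.example.net/"):
        print(url, "->", site_domain(url), "->", derive_site_password(master, site_domain(url)))
    leaked = derive_site_password(master, "example.com")
    print("weak-dictionary recovery:", recover_master_key(leaked, "example.com", ["password", "letmein"]))
    print("with the key in the list:", recover_master_key(leaked, "example.com", ["password", master]))
```

The derived passwords for example.com and example.net share nothing an attacker can use, which is the property the PwdHash text describes; the last two calls show the flip side, namely that a master key found in a wordlist is recovered from a single leaked site password.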
Nice, right? It is a bit more involved, since you need the matching browser extension wherever you log in, but the level of security is substantial and the price is right. One caveat worth remembering: the site-specific password is still a real password, and because the domain is public, a leak from any one site lets an attacker test guesses against your master key offline, so the key itself has to be strong.