Hash a Pass: No panacea

Hash a Pass was recently featured on Digg.com and is an interesting idea. Using a master password and a Javascript implementation of the SHA-1 hash algorithm, you can generate a secure and un-guessable password, and then simply re-generate it when you need it again.

A nifty trick, to be sure, but does this really make you safer?

Here’s an example of how it works: I set my master password to my super-secure 133t password of ‘p@22w04d’. Then I generate a password for, say, Apple.com. So I type in “apple” as the parameter and it generates the wonderful password of ‘EZbqNhEK’, which is really a pretty strong password.

When I then go back to Apple, I can go back to hashapass, and enter the same two keys, and get the same password. End result: Lots of cryptographically strong passwords which I don’t have to remember! All I need is my master password!

Here’s the question: what does this protect me against?

Anyone using the same algorithm can re-create any of my passwords by entering the two keys. The key for each site/password I want to maintain will necessarily have to be easy to remember (such as the site’s domain name or title). So, if they can guess my master password, it will be trivially easy to get at anything I’ve registered for.

What it does protect against is the possibility that one site’s passwords will be leaked/cracked/stolen, and that my password which I use there (and everywhere else) will be tried on a dozen sites, giving the thieves access to everything.

It’s not a huge benefit over storing or memorizing passwords, as I still need to remember which sites I’ve used hashapass for, and remember what key I used for the site. (Again, the domain name becomes the most likely input.) This is roughly analogous to having all your passwords stored in an encrypted file/database with a single “master password” to unlock all of them.

Is it better than using the same password on every site? Undoubtedly yes. But it’s hardly 007-grade security. Indeed, it’s probably safer to use a product like Web Confidential to keep a variety of passwords and just look them up when you need them. Yes, someone gaining the file and the master key will have the keys to your kingdom. But with hashapass, they only need the master key; the “database” is right there online.
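To make the trade-off concrete, here is an added example (not the hashapass.com code itself) of the kind of derivation the post describes: a keyed SHA-1 over the site key, base64-encoded and truncated to eight characters. The exact construction (HMAC-SHA1, base64, eight characters) is an assumption, so it will not reproduce ‘EZbqNhEK’; what it does show is that the scheme is fully deterministic and that every derived password is only as strong as the master password that feeds it.

```python
import base64
import hashlib
import hmac


def hashapass(master: str, parameter: str, length: int = 8) -> str:
    """Derive a site password from a master password and a site key.

    Assumed construction (not verified against hashapass.com): HMAC-SHA1
    keyed with the master password over the site parameter, base64-encoded
    and truncated.  Anyone who knows both inputs and the construction gets
    exactly the same output; there is no stored secret to steal.
    """
    digest = hmac.new(master.encode("utf-8"),
                      parameter.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def derived_password_bits(length: int) -> int:
    # Each base64 character carries 6 bits, so an 8-character output
    # can never hold more than 48 bits of entropy, however strong SHA-1 is.
    return 6 * length


def effective_bits(master_entropy_bits: int, length: int = 8) -> int:
    """Upper bound on the strength of any derived password.

    A guess of the master password regenerates every site password, so
    the derived password is no stronger than the weaker of the master
    password's entropy and the derived string's own capacity.
    """
    return min(master_entropy_bits, derived_password_bits(length))


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the post's example.
    master, site = "p@22w04d", "apple"
    print("apple  :", hashapass(master, site))
    print("again  :", hashapass(master, site))          # identical: deterministic
    print("amazon :", hashapass(master, "amazon"))      # different site key
    # A short leetspeak master has on the order of 30 bits of guessable entropy;
    # that, not the 48-bit output, is what bounds every derived password.
    print("effective bits:", effective_bits(30))
```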

Written on June 26, 2006

Easy Business Idea: Professional Commuter

Via Digg.com

Who says all the good ideas for a start-up business have been taken?

At least one fellow clears a few hundred dollars a day by riding in other people’s cars so that they can use the commuter lanes.

This fellow will be made obsolete in many cities (including Denver, my local metropolis) that have instituted the option to pay a toll in order to drive in the commuter (or High Occupancy Vehicle) lanes.

Still, it’ll be a good business while it lasts.

Written on June 23, 2006

Visor: Terminal anywhere

Visor, the new application from Blacktree, creates a half-screen terminal window that pops up with the press of a hot key. This terminal is persistent, so when it’s in the background, it just keeps on going and going and going.

Very clever little hack, and extremely useful if you’re prone to bouncing between the terminal and your desktop.

The only problem I’ve had with it is that it’s only one window. So I invoke screen as soon as it starts up, and that pretty much takes care of it.

Thanks, Blacktree!

Written on June 20, 2006

Nik's Pick: Google Browser Sync for Firefox

Google has just released a terrific plug-in for Firefox, Google Browser Sync.

In a nutshell, this extension lets you keep your bookmarks, history, cookies and passwords in sync across multiple copies of Firefox. It’s completely configurable (in case you don’t want to give Google access to some of that information, or you just don’t want Doubleclick to track you between multiple browsers), and provides encryption as well. (Unclear whether the encryption keeps Google from data mining my bookmarks.)

Ultimately, I can only give it 5 out of a possible 7 stars because it’s not quite as easy to use as it should be. It relies on a live connection to the server while you browse, so you will get notified if you have one computer connected and fire up Firefox in another. For people (like me) who have multiple computers on their desktop, this can get a bit irritating.

That aside, once you do connect the disconnected Firefox to the sync server, it seems to pick up changes during the interim.

I’ve also had some strange bugs with seriously old cookies replacing the latest versions on my computer. Those seem to have been a one-time problem after my initial sync on all three computers, though.

Written on June 9, 2006

Uploads work now

Thanks to a diligent reader, Luke, I found out that the Disk Node module I use to host downloads wasn’t working. As a result, only site administrators could download files. Don’t I feel stupid!

So, I ditched Disk Node and just added the files as attachments. I don’t get a download count anymore, but at least you can get the files.

Sorry about that!

Written on June 5, 2006

The Network is the Message

Robert Young graces us with a very interesting dissection of what the trend of social networking means to today’s communicators and web entrepreneurs.

As I watch Penton shift from a one-way publishing company (we are the experts!) to a social network/community (we bring experts and users together!), this seems especially apropos.

>To some extent, self-expression should be viewed as a new industry, one that will co-exist alongside other traditional media industries like movies, TV, radio, newspapers and magazines. But in this new industry, the raw materials for the “products” are the people… or as Marshall McLuhan might say, “the people are the message” when it comes to social networks. So for any player who seeks to enter this industry and become the next social networking phenom, the key is to look at self-expression and social networks as a new medium and to view the audience itself as a new generation of “cultural products”.

What Robert is discussing is the continued democratization of the means of production. From the printing press to desktop publishing to blogging, the means of sharing personal expression cheaply and effectively continue to grow. Individuals can become authorities based solely on the value of their ideas (or more likely by their penchant for self promotion).

As consumers of information, we have our own areas of expertise. So the job of the “publishers” is to draw this scattered expertise, sort it, organize it, and make it available for everyone.

And no, that doesn’t necessarily mean that Google has already cornered this market. Providing context is just as important as aggregating information.

Written on May 31, 2006

Lotus Notes: A Proud Member of the Interface Hall of Shame

I was pleased to see that Lotus Notes’ abhorrent interface has been not only recognized, but celebrated.

>We wish we found IBM’s Lotus Notes a long time ago. This single application could have formed the basis for the entire site. The interface is so problematic… [Lotus Notes] contains almost every example of inefficient design illustrated throughout the entire Hall of Shame site.

The Hall of Shame and Hall of Fame on the same site, while out of date, are an entertaining read. (Especially if you’re an interface/design nerd.)

Written on May 18, 2006

Inquisitor X: Insta-search

Inquisitor X is a nifty little web app which provides nearly instant searches of major search engines while you type.

Think of it as Spotlight but for the web. No, better yet, don’t, because Spotlight is fairly annoying…

Anyhow, it’s a nifty bit of code. I just wish that clicked links opened in the main window as in a normal search engine rather than in a frame. As it is, if you type or delete a single character in the search field, you lose whatever page you were looking at! Oops!

Maybe I’d be happier using Inquisitor as a plug-in for Safari or Camino.

Written on May 17, 2006