Wednesday, September 19, 2007

I'm not into PwdHash

After reading Bob Lee's endorsement of PwdHash, I decided to give it a run. After a two-week trial period, I've decided to no longer use it.

I think it's got a lot of potential, but I don't think it's for me, and the process seems to have some flaws. Here are my three main gripes about the supposedly improved support:
  1. I am supposed to trust that F2 translates my password. The only visual cue that my password is being translated is by watching the asterisks that represent characters in the password text box. See, the hashed password has (seems to have) more characters than the unencrypted password you supply. PwdHash replaces your password with the hashed one when you navigate out of the text box, and so, when you leave, you should see the number of asterisks grow. What if I failed to notice the asterisks change? It's possible that PwdHash could address this with a better user interface: one that displays a hovering window, perhaps.
  2. It lulls you into thinking you can use the same password on multiple sites. If I were to accidentally type my password unencrypted, it's easy to log in to my other services. This brings up my third beef:
  3. I would feel more comfortable if PwdHash let me contribute a third key to the algorithm that creates all passwords. Now, even if I accidentally forget to press F2 before entering my password, there's less of a chance that someone can get to other services. In that way, I can individualize the tool in such a way that it's mine. If someone else knows how PwdHash translates 'password' for www.gmail.com, they can find out how my password is similarly translated. I could get through this problem by making my common unencrypted password 'password_nnnnn', where nnnnn is this third key I talk about, but to do this I'm forced to make nnnnn something memorable.
Now I admit to oversimplifying the problem to some degree, but the fact is, it just doesn't make me comfortable. I'd just prefer to eliminate the risk that a mistake on my part results in changing my password everywhere.
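To make the third gripe concrete, here is an added illustration of a site-keyed password derivation with an optional user-supplied "third key". This is example code written for this post, not PwdHash's own implementation: the HMAC-SHA256 construction, the `site_password`/`site_key` names, the base64 encoding and the simplified two-label domain extraction are all assumptions. The point it shows is that with the extra secret folded into the key, someone who knows the public algorithm and the site can no longer reproduce (or confirm a guess of) your per-site password from the master password alone.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_key(url: str) -> str:
    """Reduce a URL to the site label that goes into the hash.

    Simplified stand-in (assumption) for the extension's domain extraction:
    keep the last two host labels, so 'www.gmail.com' -> 'gmail.com'.
    Public-suffix cases such as 'co.uk' are not handled here.
    """
    host = (urlparse(url).hostname or url).lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


def site_password(master: str, url: str, user_secret: str = "", length: int = 16) -> str:
    """Derive a per-site password from a master password and the site label.

    Keyed with HMAC-SHA256 (an assumption; the real PwdHash construction is
    not reproduced). `user_secret` is the optional 'third key' from the post:
    it is folded into the HMAC key, so the public algorithm plus the site name
    is no longer enough to derive the output from a known or guessed master.
    """
    key = (master + "\x00" + user_secret).encode("utf-8")
    digest = hmac.new(key, site_key(url).encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64 keeps the result typable in an ordinary password field.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def demo() -> dict:
    """Check the properties the post cares about on constructed sample inputs."""
    master = "password"  # constructed sample, echoing the post's example
    no_secret = site_password(master, "https://www.gmail.com/login")
    with_secret = site_password(master, "https://www.gmail.com/login", user_secret="nnnnn")
    other_site = site_password(master, "https://www.example.org/")
    return {
        # Same site reached via a different URL still yields the same password.
        "same_site_matches": no_secret == site_password(master, "http://gmail.com"),
        # The third key changes the output, so a known master alone is not enough.
        "secret_changes_output": no_secret != with_secret,
        # Different sites get different passwords from the same master.
        "sites_differ": no_secret != other_site,
        # The derived password is longer than the typed one (the asterisk cue in gripe 1).
        "hashed_is_longer_than_master": len(no_secret) > len(master),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `user_secret` is what the post asks for: it changes the key rather than being appended to the typed password, so forgetting to press F2 still leaks only the master, not anything derived with the secret.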
