Right Foot Forward: Password Management for True Nerds

  • Sue Massey · 12 months ago
    I finally decided to write a comment on your blog. I just wanted to say good job. I really enjoy reading your posts.
  • Jon Mueller · 12 months ago
    Adam, aren't you still storing all of your passwords (even if encrypted) on that service's website? What if that service goes out of business?

    How 'bout a play on the strategy that leverages a password plus information that is only on your person. For example, say that you keep the first half of each of your passwords in a Google Doc Spreadsheet, one row for each system that you require a password for. (e.g. Column A: JoeSchmoeThePlummer.com, Column B: amazur, Column C: blah) Then you keep another spreadsheet in your PDA with the 2nd half of the passwords: (e.g. Column A: JoeSchmoeThePlummer.com, Column B: yada) Your password is basically 'blahyada'.

    Now don't store your Google Doc credentials anywhere... you'll have to remember those...

    Then again, maybe Google will go belly up :)
  • AMasur · 12 months ago
    Jon, surprisingly, the answer is no. There is nothing stored on that service's website. In fact, there doesn't even need to be anything stored locally.

    The hash algorithm actually recreates your password from scratch every time you need it. The most common implementation I've found is where the software grabs the domain name of the site you are currently visiting. Then, it prompts you for your "super secret" password. What happens next is that the algorithm combines (hashes) these two things together, in real time, to come up with your site-specific password, which you then copy/paste into the form on the site you are currently visiting.

    The algorithm runs locally (nothing transmitted over the network). As long as the inputs (domain name, super secret password and hash algorithm, in this case) are the same every time, the software will generate the same, site-specific password every time.

    I hope that helps,
    -Adam
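
The stateless scheme Adam describes above (domain + master secret, combined locally, nothing stored), written out as an added example; this is not code from the blog or from either commenter. Assumptions: the domain is normalized before hashing so that `https://www.Example.com/login` and `example.com` agree, PBKDF2-HMAC-SHA256 is used as the slow combining step, and a `counter` argument (not mentioned in the thread) is included so a single site's password can be rotated without changing the master secret. The `ALPHABET` and the default length of 16 are arbitrary choices.

```python
import hashlib
import hmac
import re

# Assumed output alphabet. Real sites impose different rules, which is a
# practical weakness of any stateless generator.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

# Assumed work factor. Higher is slower for an attacker who learns one
# generated password and tries to guess the master secret offline.
PBKDF2_ITERATIONS = 200_000


def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or hostname to a stable, lowercase host name.

    Without this step the same site visited as https://www.example.com/login
    and example.com would yield two different passwords.
    """
    host = re.sub(r"^[a-z]+://", "", url_or_host.strip().lower())
    host = host.split("/")[0].split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master_secret: str, site: str,
                         length: int = 16, counter: int = 1) -> str:
    """Recreate the site-specific password from the master secret and domain.

    Nothing is stored anywhere: the same inputs always produce the same
    output. `counter` is a hypothetical addition that lets one site's
    password be changed by bumping the number.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    salt = f"{normalize_domain(site)}:{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              salt, PBKDF2_ITERATIONS)

    # Expand the derived key into as many bytes as needed (HKDF-style HMAC
    # chaining) and map bytes onto the alphabet with rejection sampling so
    # every character is equally likely (256 % len(ALPHABET) != 0).
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    block = b""
    index = 0
    while len(chars) < length:
        index += 1
        block = hmac.new(key, block + index.to_bytes(4, "big"), "sha256").digest()
        for b in block:
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
    return "".join(chars)


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample input
    for site in ("https://www.example.com/login", "example.com", "other.example"):
        print(f"{normalize_domain(site):>15}: {derive_site_password(secret, site)}")
```

Two properties of this design are worth checking before adopting it: every generated password is a function of the master secret alone, so one leaked site password becomes an offline guessing target against that secret (hence the slow KDF), and without something like the `counter` there is no way to change one site's password except by changing the secret everywhere.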