Friday afternoon soon after I arrived at FOO Camp I opened up my powerbook and logged onto bloglines.com. I quickly realized that I'd forgotten to set my browser to proxy through an ssh tunnel like I usually (always) do on public wifi networks, meaning my password just got sent in the clear. I set up the secure tunnel immediately and hoped for the best. On Saturday afternoon I went again to check bloglines and found out all of my feeds were missing. On one hand I figured I got what I deserved for being a dumbass, on the other hand I thought deleting all my feeds was a pretty shitty way to teach me a lesson. If -I- had been sniffing passwords and wanted to teach someone a lesson I think the most I could have brought myself to doing would be to add a feed to a dodgeit.com address with a message explaining the virtues of ssh tunnelling, or something like that.
Still, it could have been worse. I immediately set about looking at all of the other websites where I use the same password, and I didn't find any other damage. I started changing all of the sites to a new password, but of course I was still using the same password on each site. Who can remember a different password for all the damn websites they use? It actually felt good to be changing my password all over the place because I'd been meaning to change it for -years-. I'm going to remove all doubt of my dumbass-ness right now with this revealing fact: I'd been using the same usual password for over 10 years. I first used it on a MUD back in the 80's.
Saturday night someone mentioned the Password Generator Bookmarklet and I realized that this was exactly what I needed, a solution so devastatingly obvious and simple that it took 10 years of web existence for someone to think of it.
The creator of this clever morsel of ingenuity, Nic, had the same problem we all do. He didn't want to use the same password for every web site, and he didn't want to have to remember dozens of different ones. Says Nic:
So, I wrote a bookmarklet to make up passwords for me. It asks for my master password, which is all I have to remember, and uses it to make a unique password for each site. It even types the password into any password fields on the current page for me, whether I'm registering for a new account or logging in on a subsequent visit.
How does it work? It gets the hostname from the page's URL and mixes it together with your personal master password using a little cryptographic magic we call MD5. It will always get the same result if given that hostname and master password, but will never get that result if either changes. (Well, once in a few billion times it might.)
So now I use a bookmarklet to create and enter my password for all my different web accounts. Each one is different but I only have to remember one master password which never gets stored on any remote server. This doesn't -solve- web security, but it's leaps and bounds better than what most of us have been doing. It's a breeze to install and use assuming you're not using Internet Explorer (but if you are you've got bigger problems to address anyhow).
Highly recommended: Password Generator Bookmarklet
Oh, and on Sunday when I checked bloglines again, suddenly all my feeds were back. I hadn't taken the time yet to start rebuilding them, so I guess bloglines just had temporary problems! I'm glad the password issue was forced to resolution though, so no regrets.