do it. think it. blog it! ... a twisted world

Wednesday Jun 01, 2005

"Jot Down Your Passwords", said Jesper Johansson, senior program manager for Security and Policy Services at Microsoft, speaking on the opening day of the AusCERT conference at Australia's Gold Coast Resort. He went on to say:
Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems. How many have (a) password policy that says under penalty of death you shall not write down your password? I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.
He's got a point. Organizations enforce password policies on all their enterprise applications, sometimes strict and sometimes weak. The minimal feature these password policies share is that passwords expire after a predetermined period, and often we cannot reuse a password that has been used before (or it just cannot be the same as any of the previous 6 password changes). Over time this makes it extremely hard to come up with really strong passwords and, more importantly, to remember them. Well, I have forgotten quite a few myself, and then asking the support folks for a password reset goes against the whole intent of the organization establishing a "self service" portal for its employees. On the other hand, writing down passwords on a piece of paper as Johansson suggests is simply ridiculous: the probability of that very piece of paper ending up in the hands of an unintended recipient is extremely high.

I then remembered that Yahoo's webmail service lets users log in to their mail accounts with a Yahoo ID and password over plain HTTP. They DO have a feature where the user can switch to a secure mode and then enter his "login credential" and submit it over HTTPS. But how many folks really click on the word "secure"? If one types https://mail.yahoo.com into the browser's address bar, one is immediately prompted with a WARNING that the certificate presented DOES NOT match the URL (because the cert is issued to login.yahoo.com instead of mail.yahoo.com). WOW!!! So I did a little more digging around Yahoo, and I found out that they are using this NEAT open source script by Paul Johnston, which is a JavaScript implementation of the RSA Data Security, Inc. MD5 Message Digest Algorithm, as defined in RFC 1321. That's a real cool one. I was impressed (not with Yahoo, but with Paul Johnston's script). NOW that's a way in which passwords can be kept safe. So I went ahead and used that very same script (from yahoo/pajhome) on this site and modified it a little bit to concatenate 2 strings, and here's what I came up with: a JavaScript version of obtaining an MD5 hash of your password that is unique for each site you use it on. Which obviously means that if your password is "hello", the MD5 equivalent of that password on "sun.com" would be different from the one on "yahoo.com".

Cheers !!! :: & I am really looking forward to your comments on this.
Comments:

[Trackback] Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru. ...

Posted by The Geekinator on June 02, 2005 at 11:06 AM EDT #

I prefer writing down passwords. Makes it easier for me to manage. I used to use a PalmPilot, but after that got ruined, pieces of paper make more sense. Remember Superman I, that guy used bubble gum wrappers to jot down his ideas. LOL

Posted by melanie on June 03, 2005 at 08:19 AM EDT #

Nice approach. I have written my own password manager using password-based encryption, sealing the object and serializing it to the disk --:).....

Posted by Ahmed Khan on February 02, 2008 at 02:34 AM EST #
