Reading a chapter about all the work involved in keeping your identity secure can be a real downer. Firefox was created to make your life easier in every possible respect, and here I am giving you a laundry list of facts to keep in mind during everyday surfing. What a pain! You shouldn't have to worry about those details. With that in mind, I and a group of security experts at Stanford set out to create a browser extension called PwdHash, short for Password Hash. (See Chapter 20 for more information about Firefox extensions.) The goal of PwdHash is to afford users the convenience of remembering a single password with the security of using a different password on each Web site you visit. It does this by automatically and transparently generating a different version of your password for each Web site.
As convenient as it is, using a single password at every Web site you visit creates one huge problem: When someone gets your password from one Web site, all other sites you log in to are exposed.
Your password can fall into the wrong hands when
Someone hacks one of the Web sites you log in to
A phisher convinces you to enter your password at a replica site
PwdHash handles hacking scams and phishing scams slightly differently, but the good news is that it protects you from both. The following two sections tell you how.
If your password is the same at every other site you use, one hack is no longer an isolated incident — it's a nightmare. It's also a hacker's dream because your security is only as strong as the weakest site you visit.
Suppose you visit two Web sites regularly. The first is a low-security, makeshift high school reunion page that an old classmate slapped together over the weekend. The second is Citibank, which houses your financial accounts. Both sites require a username and password. Citibank can implement the most expensive and cutting-edge password defenses in the world, but they'll be entirely useless if a hacker breaks into the reunion page and steals the password list. Do you think he wants to see how you and your classmates are celebrating your 25th? Of course not. He wants to take your password to the bank — literally.
Using different usernames at different Web sites makes it more difficult for a hacker to use the login information he obtains from hacking one Web site at another site you use because he still won't know your username at the other site. (This isn't always possible, though, because many sites ask for your e-mail address in lieu of a username.)
If you use PwdHash, you can continue to type the same password into both Citibank and the reunion site. The difference is that right before you submit the information to the sites, and without bothering you, PwdHash automatically generates a different version of your password for each site. (If you're using a computer without the PwdHash extension, you need to generate this version manually, as I discuss in "Using PwdHash from other computers" later in this chapter.) This process is called hashing, and in a non-technical sense, you can imagine the process works as follows. Say your password is 42family19. When you log in to Citibank, PwdHash adds the site's address — citibank.com — to the end of your password, yielding 42family19citibank.com. Then it scrambles this new phrase into what looks like random gibberish. The scrambling isn't actually random, though: The same phrase always produces the same gibberish, which is how Citibank can recognize you the next time you log in. The same process is repeated at reunion.com with 42family19reunion.com. The scrambling technique is, of course, much more complicated, with the end result that it's impossible for a hacker to get from the scrambled version back to the unscrambled version.
So how does this fix the problem? Well, even if a hacker does retrieve your reunion password, that password works only at the reunion site. It doesn't work at Citibank because Citibank is expecting the Citibank-specific "definition."
If you use only one password, the moment a phisher tricks you into entering your password at a fake replica site, all other Web sites you log in to are now exposed. This scenario is related to the Citibank/reunion conundrum I describe in the preceding section, and PwdHash remedies it in a similar fashion. Suppose the replica phishing page is located at http://www.ebay.org instead of http://www.ebay.com. As soon as you type in your password (for this example, 42family19), and before the hacker has a chance to see it, PwdHash takes 42family19ebay.org, scrambles it, and then sends it to the hacker. What the hacker receives is a completely useless password because it works only at his fake site. It doesn't work at the real eBay.
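To make the hashing idea from the preceding two sections concrete, here is a small added example; it is not PwdHash's own code, and the real extension's hash function and the way it encodes the result differ from what is shown here. It uses the password as the key of an HMAC and the site's domain as the message, so the same master password yields a different, but repeatable, password at every site. The helper names (site_key, hashed_password, stolen_password_works), the choice of SHA-256, the 16-character output and the "last two labels of the host name" rule for picking the domain are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the hashed password is bound to.

    Hypothetical simplification of the extension's rule: keep only the last
    two labels of the host name, so www.ebay.com and ebay.com/signin both map
    to "ebay.com", while the look-alike ebay.org does not.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def hashed_password(master: str, url: str) -> str:
    """Derive the site-specific password that would actually be submitted.

    The master password is the HMAC key and the domain is the message, so the
    result is deterministic (the site recognizes it on every login) yet
    different for every domain. SHA-256 and the 16-character base64 prefix
    are choices made for this illustration, not PwdHash's own encoding.
    """
    digest = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:16]


def stolen_password_works(stolen: str, master: str, target_url: str) -> bool:
    """Would a password captured at one site let someone log in at another?

    Models the target site's own check: it accepts only the hash bound to
    its domain, so a hash captured at ebay.org is useless at ebay.com.
    """
    return hmac.compare_digest(stolen, hashed_password(master, target_url))


if __name__ == "__main__":
    master = "42family19"  # the one password the user remembers (from the text)
    for url in ("http://www.citibank.com", "http://www.reunion.com",
                "http://www.ebay.com", "http://www.ebay.org"):
        print(f"{site_key(url):<14} -> {hashed_password(master, url)}")
    # Phishing scenario from the text: the replica at ebay.org captures a hash,
    # and the real eBay rejects it because it expects the ebay.com-bound hash.
    captured = hashed_password(master, "http://www.ebay.org")
    print("captured at ebay.org usable at ebay.com?",
          stolen_password_works(captured, master, "http://www.ebay.com"))
```

Running the script prints four different site passwords derived from the single master password, and shows that the one captured by the ebay.org replica is rejected by ebay.com. Because the domain is bound into the hash before anything leaves the browser, a leaked password list from the reunion site reveals nothing usable at Citibank.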
PwdHash was designed with Firefox principles in mind — that is, it tries to stay out of your hair. The extension is available from http://www.pwdhash.com, and the installation process is the same as for all other Firefox extensions. I describe this simple procedure in Chapter 20.
Using the extension is easy. All you have to do is tell PwdHash whenever you're about to type in a password. You do this by typing two at signs (@@) before typing your password (for example, if your password is family, you would type @@family) or by pressing F2 before typing your password. You can then rest assured that PwdHash is safeguarding the password you type in next.
Before you can log in to your existing Web sites, however, you have to complete a little bit of configuration. This configuration needs to be done only once, and unfortunately it isn't something PwdHash could do for you. Basically, because PwdHash will be generating new, scrambled versions of your password for each Web site you visit, you need to tell these Web sites what your new password is. Even though you yourself continue remembering the old one, PwdHash will be generating new ones for you on your behalf, and you need to notify the sites of the change so they allow you to log in.
Luckily, this configuration is quick and painless, and you can do it on an as-needed basis. The first time you log in to a site after installing PwdHash, simply go to the Web site's Change Password page. These pages usually have three password fields: The first asks you to enter your current password for security reasons, and the latter two ask you to enter your new password. In the current password field, enter your password as usual. For the latter two fields, you must tell PwdHash to scramble the passwords you input. In other words, you want to notify the Web site of your new, scrambled password. To do this, click in the field and type @@ or press F2, and then type your current password into the field. (Follow the steps for both of the new password fields.)
This is the only time you have to worry about which fields to scramble and which to leave alone. Whenever you visit this Web site in the future, you should always scramble your password by typing @@ or pressing F2 before beginning.
PwdHash works automatically and silently when it's installed on your computer, but what happens when you're on a computer that doesn't have PwdHash installed? How can you obtain the scrambled versions of your password for each of the sites you need to access? The best solution, of course, is to install the PwdHash extension on the new computer — but in some environments, such as Internet cafes, that isn't permitted. To remedy this situation, PwdHash offers a Web site accessible from anywhere that will generate your scrambled version for you. This Web site is located at http://www.pwdhash.com and is simple and intuitive to use: Just copy and paste the address of the Web site you need to log in to (such as http://www.ebay.com) and enter your password, and the PwdHash site automatically generates the scrambled version for you.
Be sure to note a couple of important details here:
Your scrambled password will be visible as soon as you click the Generate button. If someone is looking over your shoulder, she can see it, too. You should immediately cut and paste it from the PwdHash Web site to the Web site you're trying to log in to.
Your unscrambled password (the one you remember) is not saved or transmitted anywhere when you enter it on http://www.pwdhash.com. A third party could never intercept it because it isn't sent over the Internet.