WhyChooseOplop
Why should I use Oplop instead of ... ?
One password for all of my accounts?

Imagine someone getting hold of your single password by cracking into an account you have online. They now have access to everything! After that they would just need to know where you have accounts and your username to gain access to other accounts. Oplop avoids this entire issue by creating a unique password per account thanks to the use of nicknames. Oplop never saves your master password, so unless you write it down or tell it to someone, the worst some cracker will get from a compromised account is the unique account password Oplop created for you just for that one account.

A piece of paper listing unique passwords for each account?

A piece of paper can be lost, although you can easily keep a backup copy somewhere in your home. In that instance it becomes a matter of physical security over electronic security. It also requires making sure you keep the piece of paper with you if you ever need access to your passwords when you are away from home. There is also a convenience factor. When you are sitting at your computer you do not necessarily have your password list easily available, as it might be in another room (this is especially true when you use a laptop). And if you do leave your password list at your computer you risk a guest on your computer easily accessing your accounts by discovering the piece of paper. But it must be admitted that if you do not use Oplop, writing down your passwords on a piece of paper is the best solution. Just make sure that each and every password is unique and strong. If you are worried about whether this is a secure way to do things, security expert Bruce Schneier uses this approach (along with electronically storing his passwords).

Having my browser store the passwords?

Having your browser store your passwords limits you to requiring access to the web browser you use and being able to log into the browser. This can at best be cumbersome, e.g., trying to log into your bank account on a friend's computer. At worst, it can be a non-starter, e.g., wanting access to a password for an account that is not web-related, such as on a video game console. Luckily modern browsers such as Firefox and Chrome do provide synchronization services for your passwords. They also protect the file with encryption, so that if your laptop is lost the thief has to at least put some effort into accessing your passwords. It is perfectly acceptable to use Oplop together with a browser's password-saving capabilities, just not in place of Oplop.

Using other password hash algorithms?

Examples:

PwdHash is probably the best known password hash generator. It is a web site and Firefox add-on password generator much like Oplop; it generates passwords using MD5 and requires a digit. Probably PwdHash's biggest drawback compared to Oplop is that it doesn't limit the length of the generated password; the length is a function of the length of your master password. If you have a long master password it leads to an even longer generated password (e.g., a 12 character master password leads to an account password that is 14 characters long). Long passwords can be a problem on web sites that don't allow more than 8 or 10 characters, and trying to count off the first 8 or 10 characters of the password PwdHash created so you can use it is error-prone. There is also the problem that PwdHash uses the same nickname for everyone using the same site (it uses the domain name). This cuts down on the potential randomness of the generated password between users of PwdHash who have accounts on the same site. It also poses an issue if the web site changes the domain it uses for its login page.

Storing your passwords electronically?

Examples:

The problem with storing your passwords in a program specifically designed for that sort of thing is the lock-in to your machine (see the discussion about your browser storing your passwords for a similar argument). If you store your passwords in a specific program you must have access to that program to use your passwords, else you are out of luck. Now, high-quality products like 1Password provide support for mobile phones like the iPhone, so you can always reach your passwords as long as you have your phone and have either synchronized your password file or have an Internet connection on your phone. You can also store your password file in a service such as Dropbox, which will make the file available anywhere you have Internet access. But that does not resolve the issue of trust in applications that are not open source. Even if you are willing to restrict access to your passwords to wherever your password-storing application is available, you still have to trust it to store them securely. If the program is not open source software, you leave the security of your passwords to some black magic that neither you nor a knowledgeable third party can examine. And even if the application is open source, you still have the issue of these applications doing nothing more than a piece of paper could do, while still requiring access to the program in order to decrypt your password file. While such a program does provide copy-and-paste functionality, there are still potential portability issues if you, e.g., switch to a mobile phone platform that your password storage provider does not support (obviously if they provide online access that helps mitigate the issue). Because of this we would still recommend the piece of paper over this solution if you choose not to use Oplop.

Web sites that store your passwords?

Examples:

Web sites storing your password suffer from the same trust issues as using a program to store your passwords. While the availability limitation is alleviated by requiring only a web browser and an Internet connection, you still must trust the web site to store the password securely and not to be nefarious.
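To make the comparison under "Using other password hash algorithms?" and the per-account argument under "One password for all of my accounts?" concrete, here is an added example; it is not Oplop's or PwdHash's own code. derive_account_password follows the nickname-plus-master-password approach as I understand Oplop's published scheme (MD5, URL-safe base64, a fixed 8 characters with a digit guaranteed), but the project's own source is the authority on the exact rules. pwdhash_style_password is a deliberately simplified stand-in, an assumption rather than PwdHash's real algorithm, that reproduces only the property discussed above: an output length that tracks the master password length (12 characters in, 14 out). The master password, nicknames and domain are constructed sample values.

```python
"""Per-account password derivation from a master password plus a nickname.

Added illustration, not Oplop's code: it models Oplop's scheme as I understand
it (MD5 -> URL-safe base64 -> fixed 8 characters, digit guaranteed). The real
project source is authoritative on the exact rules.
"""
import base64
import hashlib
import re

ACCOUNT_PASSWORD_LENGTH = 8  # fixed, whatever the master password length


def _md5_b64(text: str) -> str:
    """MD5 the text and return its URL-safe base64 encoding without padding."""
    digest = hashlib.md5(text.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def derive_account_password(master_password: str, nickname: str) -> str:
    """Return a fixed-length password unique to this nickname.

    The nickname is mixed in before hashing, so every account gets a different
    password, and the master password itself is never stored anywhere: a leaked
    account password exposes that one account only.
    """
    encoded = _md5_b64(nickname + master_password)
    candidate = encoded[:ACCOUNT_PASSWORD_LENGTH]
    if not any(ch.isdigit() for ch in candidate):
        # Many sites insist on a digit: borrow the first run of digits found in
        # the encoding (or fall back to "1") and re-truncate so length stays fixed.
        match = re.search(r"[0-9]+", encoded)
        prefix = match.group(0) if match else "1"
        candidate = (prefix + encoded)[:ACCOUNT_PASSWORD_LENGTH]
    return candidate


def pwdhash_style_password(master_password: str, domain: str) -> str:
    """Simplified stand-in (an assumption, NOT PwdHash's real algorithm).

    Keeps just the trait the page criticises: the output is two characters
    longer than the master password, so a 12-character master yields 14.
    The domain plays the role of the nickname, shared by every user of the site.
    (Capped at the 22 usable characters of one MD5/base64 block.)
    """
    encoded = _md5_b64(domain + master_password)
    return encoded[: len(master_password) + 2]


def compare_generators(master_password: str, site: str) -> dict:
    """Side-by-side output lengths for the same master password and site."""
    fixed = derive_account_password(master_password, site)
    growing = pwdhash_style_password(master_password, site)
    return {
        "fixed_length_password": fixed,
        "fixed_length": len(fixed),
        "master_dependent_password": growing,
        "master_dependent_length": len(growing),
    }


if __name__ == "__main__":
    # Constructed sample values; never reuse a real master password in a demo.
    master = "twelvechars!"  # 12 characters
    for nick in ("bank", "email", "gameconsole"):
        print(f"{nick:>12}: {derive_account_password(master, nick)}")
    print(compare_generators(master, "example.com"))
```

The printed comparison makes the page's two points visible at once: the three nicknames give three unrelated 8-character passwords from one master password, while the master-length-dependent stand-in produces a 14-character string for the same 12-character master, exactly the kind of output that has to be counted and trimmed by hand on a site with an 8- or 10-character limit.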