
imagine the process works as follows. Say your password is 42family19. When you log in to Citibank, PwdHash adds the site's address - citibank.com - to the end of your password, yielding 42family19citibank.com. Then it scrambles up this new phrase in a random order. The same process is repeated at reunion.com with 42family19reunion.com. The scrambling technique is, of course, much more complicated, with the end result that it's impossible for a hacker to get from the scrambled version to the unscrambled version.

So how does this fix the problem? Well, even if a hacker does retrieve your reunion password, that password works only at the reunion site. It doesn't work at Citibank because Citibank is expecting the Citibank-specific "definition."

Giving the phishers a hook to swallow

If you use only one password, the moment a phisher tricks you into entering your password at a fake replica site, all other Web sites you log in to are now exposed. This scenario is related to the Citibank/reunion conundrum I describe in the preceding section, and PwdHash remedies it in a similar fashion.

Suppose the replica phishing page is located at http://www.ebay.org instead of http://www.ebay.com. As soon as you type in your password (for this example, 42family19), and before the hacker has a chance to see it, PwdHash takes 42family19ebay.org, scrambles it, and then sends it to the hacker. What the hacker receives is a completely useless password because it works only at his fake site. It doesn't work at the real eBay.

Using PwdHash every day

PwdHash was designed with Firefox principles in mind - that is, it tries to stay out of your hair. The extension is available from http://www.pwdhash.com, and the installation process is the same as for all other Firefox extensions. I describe this simple procedure in Chapter 20.

Using the extension is easy. All you have to do is tell PwdHash whenever you're about to type in a password. You do this by typing two at signs (@@) before typing your password (for example, if your password is family, you would type @@family) or by pressing F2 before typing your password.
You can then rest assured that PwdHash is safeguarding the password you type in next.

Configuring PwdHash

Before you can log in to your existing Web sites, however, you have to complete a little bit of configuration. This configuration needs to be done only once, and unfortunately it isn't something PwdHash could do for you. Basically, because PwdHash will be generating new, scrambled versions of your password for each Web site you visit, you need to tell these Web sites what your new password is. Even though you yourself continue remembering the old one, PwdHash will be generating new ones for you on your behalf, and you need to notify the sites of the change so they allow you to log in.

Luckily, this configuration is quick and painless, and you can do it on an as-needed basis. The first time you log in to a site after installing PwdHash, simply go to the Web site's Change Password page. These pages usually have three password fields: The first asks you to enter your current password for security reasons, and the latter two ask you to enter your new password. In the current password field, enter your password as usual. For the latter two fields, you must tell PwdHash to scramble the passwords you input. In other words, you want to notify the Web site of your new, scrambled password. To do this, click in the field and type @@ or press F2, and then type your current password into the field. (Follow the steps for both of the new password fields.)

This is the only time you have to worry about which fields to scramble and which to leave alone. Whenever you visit this Web site in the future, you should always scramble your password by typing @@ or pressing F2 before beginning.

Using PwdHash from other computers

PwdHash works automatically and silently when it's installed on your computer, but what happens when you're on a computer that doesn't have PwdHash installed? How can you obtain the scrambled versions of your password for each of the sites you need to access?
The best solution, of course, is to install the PwdHash extension on the new computer - but in some environments, such as Internet
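
An added example, not from the original text and not PwdHash's own code: a Python sketch of the behaviour described above, where a password typed with the @@ prefix is replaced by a value derived from the password and the page's domain, so www.ebay.org and www.ebay.com receive different values. HMAC-SHA256, the 16-character output, the two-label domain rule and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"  # trigger described in the text; the F2 key is not modelled


def site_domain(page_url: str) -> str:
    """Return the last two host labels, e.g. www.ebay.org -> ebay.org.

    Simplification (assumption): a real implementation needs the Public
    Suffix List to handle hosts such as example.co.uk, and IP addresses.
    """
    host = (urlsplit(page_url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in URL: {page_url!r}")
    return ".".join(host.split(".")[-2:])


def derive_site_password(master: str, page_url: str, length: int = 16) -> str:
    """Derive a per-site password bound to the domain of page_url.

    Stand-in for the "scrambling" step: HMAC-SHA256 keyed with the typed
    password over the domain. Same inputs always give the same output,
    so the genuine site keeps accepting it on every later login.
    """
    mac = hmac.new(master.encode("utf-8"),
                   site_domain(page_url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


def value_to_submit(typed: str, page_url: str) -> str:
    """Return what the page receives for a password field."""
    if typed.startswith(PREFIX):
        return derive_site_password(typed[len(PREFIX):], page_url)
    return typed  # no prefix: the password goes out unchanged


if __name__ == "__main__":
    # Constructed sample URLs, using the site names from the text.
    for url in ("http://www.ebay.com/", "http://www.ebay.org/",
                "https://citibank.com/login", "https://reunion.com/"):
        print(f"{site_domain(url):14} {value_to_submit('@@42family19', url)}")
```

Without the prefix the field value is sent as typed, which is why the text insists on scrambling every time you return to a site.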