06 August 2007

PwdHash - One password to rule them all

So little time - so many sites which need a password when you (have to) register yourself.

Admit it, you use the same password for different sites, don't you?! And, if possible, the same (set of) user IDs.

Well, using the same password on different sites is not a good idea. Each time you register, there is an increasing possibility that the security of one of the sites will be compromised and a hacker will obtain your password and user ID ... and once those have leaked, anyone is free to try them out everywhere else.

PwdHash - a password encryption plugin from the Stanford security lab - solves this problem.

PwdHash takes your password, combines it with the URL of the website, and generates a unique hashed password for each website from the same master password.

With PwdHash you can use the same initial password for different sites and let PwdHash generate the final unique password.

Illustration of how PwdHash enhances the security by generating a unique password for each website from the same user-password

"PwdHash is a browser extension that transparently converts a user's password into a domain-specific password. The user can activate this hashing by choosing passwords that start with a special prefix (@@) or by pressing a special password key (F2). PwdHash automatically replaces the contents of these password fields with a one-way hash of the pair (password, domain-name). As a result, the site only sees a domain-specific hash of the password, as opposed to the password itself. A break-in at a low security site exposes password hashes rather than an actual password. We emphasize that the hash function we use is public and can be computed on any machine which enables users to login to their web accounts from any machine in the world. Hashing is done using a Pseudo Random Function (PRF)."

It's not a solve-all solution - your master password must not be given out; otherwise another person could use the PwdHash algorithm to compute the hashed password.

I guess a simple improvement to PwdHash would be to add a user configuration option that supplies a unique randomizing factor to the algorithm, e.g. a string (sentence) entered by the user at installation time.
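A minimal sketch of the scheme described in the quote above, with the user-supplied factor suggested here added as an option. This is an added example, not PwdHash's own code: HMAC-SHA256, the two-label domain rule, the 16-character output and the names `site_password`, `registrable_domain` and `user_factor` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

PREFIX = "@@"  # activation prefix named in the quoted description


def registrable_domain(host: str) -> str:
    # Simplification (assumption): keep the last two labels. Correct handling
    # of suffixes such as co.uk needs the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(typed: str, host: str, user_factor: str = "", length: int = 16) -> str:
    """Return what the password field would submit to `host`."""
    if not typed.startswith(PREFIX):
        return typed  # no prefix: the field is left unchanged
    master = typed[len(PREFIX):]
    # PRF keyed by the master password, evaluated on the domain. The optional
    # user factor is appended after a NUL byte, which cannot occur in a host
    # name, so (domain, factor) pairs never collide.
    message = registrable_domain(host).encode("utf-8") + b"\x00" + user_factor.encode("utf-8")
    digest = hmac.new(master.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample hosts and master password, for illustration only.
    for host in ("www.example.com", "login.example.com", "example.org", "examp1e.com"):
        print(f"{host:20} {site_password('@@hunter2', host)}")
    print(f"{'with user factor':20} {site_password('@@hunter2', 'example.com', 'my own sentence')}")
```

Because the function is public, a site password leaked in a break-in still lets an attacker guess a weak master password offline; a long user factor that never leaves the machine raises the cost of that guessing.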

Final advice: don't use only one master password - use a minimum of 2 or 3
  1. One password + PwdHash for newsletter and website registration
  2. Another password + PwdHash for websites that have your credit card details on file (e.g. Amazon, phone company etc.)
  3. A third password + PwdHash for the most critical places (e.g. bank account, PayPal etc.)
The idea is to differentiate between websites without financial info (class 1) and those with financial info (class 2 and 3).
For websites belonging to class 2 and 3, you do not use auto-login or remember-password features, and you are even more careful with the master password.

Hey, that's only 2 or 3 passwords to remember!

Get PwdHash - the password encryption plugin from the Stanford security lab

Review verdict: 4 keyholes out of 5

It works! Though it is missing the ability to add an individual hashing factor to the algorithm.

May your password(s) be with you!



Eugene said...

Do you know of any way to configure PwdHash to meet certain password requirements (e.g., "seven to eight alphanumeric characters with at least one numeric in interior of password...")?

I'd be most grateful for any assistance.


Kim Hjortholm said...

pwdhash can be downloaded, thus it's possible to modify the code for your personal need

Anonymous said...

This has a problem if I'm using "@@" in between the password.

Kim Hjortholm said...

Well, don't use @@ as part of the password! :-)