Comments on: Password Hashing: A Neat Idea That Can Help to Protect Your Online Accounts

By: rugg

rugg — Wed, 26 Aug 2009 18:06:50 +0000

try this for java hashing
http://www.twmacinta.com/myjava/fast_md5.php

By: Mythprogrammer

Mythprogrammer — Thu, 11 Jun 2009 05:18:43 +0000

@bnsmith: I’ve had some progress on the website as far as storing user accounts and a login/registration interface. Feel free to email me at the email associated with this post.

By: Mythprogrammer

Mythprogrammer — Wed, 10 Jun 2009 15:32:26 +0000

@bnsmith: Working on it as we speak, I’ve even reserved http://www.PwdSafe.com for when its ready. Trying to learn a standard java method for password hashing as I work out the code for the site. Trying to meet the condition that you don’t have to trust it to store your passwords on it as well. Cheers and wish me luck.

By: Matthew

Matthew — Mon, 08 Jun 2009 23:58:34 +0000

I’ve been using a simplified version of this strategy for quite a while where I have a relatively long and complex password and I used specific letters from the domain name I am visiting in a section of that password. This way I am always able to a) remember the password without relying on my Keepass vault and b) Provides a relative amount of security against the attacks you are referring to. So, I (don’t but could) use the last two letters of the domain name somewhere in the password. For example paypal might be e34al78y&b and ebay might be e34ay78y&b and skype would be e34pe78y&b.

Of course, this is a manual system and I think is inconspicuous enough to prevent the majority of brute-force style attacks if your password is picked up from other places. The above program does look to be a worthy alternative and somewhat more secure, though there will be times you end up somewhere where you need your password and don’t have access to the software.

By: bnsmith

bnsmith — Mon, 08 Jun 2009 23:02:07 +0000

My preferred solution, Password Hasher, also has a web-only version. As for defense against keylogging, I suppose that copying and pasting the password might help to protect that particular web-site’s password, but your master password could be logged, which is even worse! I guess it wouldn’t be so bad if the thieves didn’t know what to do with it, but still. Even with copy-and-pasting, there’s not much security, since it would be easy to code up a software-based “copy-and-paste logger” program.

By: Dan

Dan — Mon, 08 Jun 2009 22:12:46 +0000

You write:

“Second, this system is a bit inconvenient for accessing your accounts when you are away from your main computer. If you go to an Internet cafe in some other country, perhaps you could bring your password vault on a USB thumb drive, but what if the cafe doesn’t allow users to plug in their own USB drives? Or perhaps the cafe’s computers run Mac OS X and you don’t have compatible decryption software on the thumb drive.”

…but your preferred solution involves Firefox extensions. What if the remote computer I’m using doesn’t have Firefox, or doesn’t allow me to install extensions?

I might try the web-only version of PwdHash the next time I’m traveling, though. I wonder if using that might help defend against keylogging, since you can just cut and paste the password.

By: Jeff

Jeff — Mon, 08 Jun 2009 19:42:18 +0000

Another one: http://jeffpalm.com/password/

This is a bookmarklet to allow you to have a unique password for every domain you frequent, while only remembering one. So, if someone steals (borrows) your password, you will only have lost it for that domain. First, this wasn’t my idea, it was Felix’s. Using this you can visit a site, enter the same password you normally use and then click this link creating a unique hash based on the domain.

By: bnsmith

bnsmith — Mon, 08 Jun 2009 16:45:15 +0000

@Mythprogrammer: Let me know when you get something up and running. If you do make this kind of password vault thing, it would be able to compete head-to-head with password hashing. That would make it much harder to decide which password-protection strategy I should use. Still, new ideas competing with each other benefits everyone.

By: Mythprogrammer

Mythprogrammer — Mon, 08 Jun 2009 16:24:42 +0000

Finally. Been looking for an idea for a web project. As soon as I figure out how to do password hashing with java, you sir will have a password vault up.

By: bnsmith

bnsmith — Tue, 05 May 2009 02:55:06 +0000

You’re right that there are some partially web-based services for storing passwords, but none of them is quite what I would want. The main thing about these services is the need to trust the companies that run them. If I were to design a partially web-based password-vault program, I would want it to work in a manner similar to the password-hashing programs listed above. That is, a Firefox plugin that accesses your vault to put passwords into sites when you’re on your main machine, and then a Javascript-only page that would be able to open your vault on a remote machine (without sending any decrypted data to a server). The Javascript page would assume that you downloaded your password vault from *somewhere* on to your local machine. The place that you had your vault stored online would hopefully have no capability to decrypt the vault itself. They would just be an untrusted file storage website… like Dropbox, for instance. That would be a password-vault system that would not involve placing much trust in any third parties.