April 30, 2009

Password Hashing: A Neat Idea That Can Help to Protect Your Online Accounts

Filed under: Security — bnsmith @ 8:41 pm

I’ve been re-evaluating my information security precautions lately, and while doing so, I discovered something interesting that I’d like to share. These days, most people have accounts at several different websites. For convenience, most people use the same password for some or all of their accounts, which opens up a potential security vulnerability. If a computer criminal manages to steal a list of usernames and passwords from a poorly-secured website, then they could try using each of these username/password pairs to log in to Paypal, for example. As you can imagine, compromising a few thousand Paypal accounts could be quite profitable.

There are other, less-obvious ways that your passwords could be compromised as well. As I learned from reading the EFF’s Surveillance Self Defence guide, the New York Times website doesn’t encrypt the username and password that you send them to access their articles. If you log into the website from the open WiFi provided at an airport, for example, then your username and password would be transmitted completely in the clear and could be stolen by anyone in range of the radio signal.

The recommended solution is to use a different password for each website that you use, so that the theft of one password will only give the computer criminal access to one online account and not all of them. If you commit every one of your passwords to memory, then this strategy is very secure; unfortunately, it also requires tremendous effort and discipline to memorize random strings of letters, numbers and punctuation.

One Option: Password Vaults

It is possible to store your passwords in an encrypted file on your hard drive, and then choose one “master password” that will allow you to fetch the password for a specific website out of the vault. The master password is the only one that you need to remember. Using this system, it will seem as though you’re using the same password for each website. Behind the scenes, however, each website will receive its own unique password.

This is a reasonable option, but it has some disadvantages. First, you must have a good backup strategy in place, because losing your vault file would mean losing access to all of your accounts. If you follow the advice of some security experts and set your password recovery questions to gibberish, the loss of your vault would be that much more difficult to recover from. Second, this system is a bit inconvenient for accessing your accounts when you are away from your main computer. If you go to an Internet cafe in some other country, perhaps you could bring your password vault on a USB thumb drive, but what if the cafe doesn’t allow users to plug in their own USB drives? Or perhaps the cafe’s computers run Mac OS X and you don’t have compatible decryption software on the thumb drive. I believe that it should be possible to develop a partially web-based password vault program that overcomes these problems, but no such program currently exists, as far as I know.

The Solution: Password Hashing

The basic idea behind password hashing is to take a master password of your choice and combine it with a value specific to the website that you wish to access. This combined value is then run through a “hash function” that creates a random-looking string of letters, numbers and punctuation. This random-looking string will be the password for that specific website. It’s pretty simple once you get the idea; perhaps an example would help. Suppose that you choose “123456” to be your master password, and you wish to access your Facebook account. The password hashing software will combine “123456” with a value representing the website; in this case, that would likely be “facebook”. The resulting password is “9bMxDooTmtwh7AX$”.
Nothing is stored on your hard-drive, so there’s nothing to backup. When you’re away from your main computer, it is possible to browse to a web-based version of the password hashing software. This online version shouldn’t need to transmit anything over the Internet in order to generate the password for any of your websites.

If an attacker manages to acquire one, or even all of your site-specific passwords, they will still be no closer to figuring out what your master password is, thanks to the special properties of the hash functions used for this purpose.

This system has one more great security benefit: protection against phishing attacks. Suppose that an attacker tricks you into visiting a fraudulent copy of eBay with the address “”. The website would look legitimate, but have a slightly different address than the real thing. If you then try to log in to this fraudulent web-site, the password hashing software would combine “123456” with “eboy” to create the hashed password “2dsOpJdTv$q9Aook”. This is completely different than your real eBay password, “c+qw5XtUrJyLF2wM”, created by combining “123456” with “ebay”. The password stolen by the computer criminals is useless!

Password Hashing Software

One of the most popular password hashing programs is Stanford PwdHash, and with good reason. It is simple, elegant and it just works. When you visit a website that you wish to log in to, you simply type “@@” followed by your master password into the website’s password field. PwdHash automatically substitutes the hashed password before transmitting the login information. Anyone watching over your shoulder wouldn’t even know you were doing anything special.

It is definitely my favorite password hashing program, and it pains me that I can’t use it. Sometimes a program can be too simple. PwdHash has no options or customizability of any kind. Any hashed password that is generated by PwdHash is always exactly two characters longer than the master password. As I was half-way through converting all of my accounts to PwdHash, I discovered that some of the websites that I use had restrictions on the length and composition of the passwords that they would accept. Specifically, it always seemed to be the websites for banks and financial institutions that would only accept weak passwords.

I know this isn’t really relevant here, but I have to ask: what is wrong with the banks? They make billions of dollars in profits but can’t spare enough hard drive space to store more than 8 characters for a password? Or maybe they just decided that 8 characters is good enough security for what they’re protecting, because of course my life savings is so much less valuable than my list of favorite movies on Facebook.

Ahem. Sorry about that. Anyway, when it comes to password hashing in the real world, the best option that I’ve found is the unimaginatively named “Password Hasher“. It’s basically the same as PwdHash, except that you can specify the length and characteristics of the passwords that are generated. There are a few small usability problems that prevent me from endorsing it wholeheartedly. Here’s how the program works. First, you visit the website, enter your username and tab down to the password field.


Then you activate the plugin through a keyboard shortcut, and a pop-up window appears into which you type your master password.


When you press “Enter”, the pop-up closes and the password field on the web page is populated with the generated password.


All well and good, but you must then press “Enter” again to actually submit the username and password and enter the website. Pressing “Enter” twice to log in is a bit annoying, but you get used to it.

Another problem is the bizarre default keyboard shortcut for activating the pop-up: CTRL-F6. I recommend immediately changing it to something a little more convenient. I use CTRL-semicolon (see the FAQ for directions on changing the shortcut).

Overall, despite these niggling issues, the program performs admirably. If you’re seriously thinking about implementing this security strategy, I recommend making a list of all of your online accounts (not an easy task, I assure you) and then figuring out which websites, if any, have annoying password restrictions that rule out the use of PwdHash. In all honesty, if you’re a serious Internet user, Password Hasher is probably your best option. Since you’ve read this far, I can assume that you’re pretty serious about securing your information, so why not give it a try? If you have any other questions, leave a comment and I’ll do my best to help.



  1. “I believe that it should be possible to develop a partially web-based password vault program that overcomes these problems, but no such program currently exists, as far as I know.”

    I don’t know if any of these are exactly what you’re looking for, but here are some web-based password vaults (in no particular order):

    Also of interest is Mozilla Weave ( ) which is very experimental right now, but aims to sync your whole Firefox experience (settings, logins, etc.) across multiple computers.

    I was excited about an offering from the people who wrote 1password which was in the alpha stage, but it seems they have abandoned the idea due to scalability issues. I hope they’ll rethink it and go the cloud computing route.

    Comment by Chris Hansen — May 4, 2009 @ 2:04 am

  2. You’re right that there are some partially web-based services for storing passwords, but none of them is quite what I would want. The main thing about these services is the need to trust the companies that run them. If I were to design a partially web-based password-vault program, I would want it to work in a manner similar to the password-hashing programs listed above. That is, a Firefox plugin that accesses your vault to put passwords into sites when you’re on your main machine, and then a Javascript-only page that would be able to open your vault on a remote machine (without sending any decrypted data to a server). The Javascript page would assume that you downloaded your password vault from *somewhere* on to your local machine. The place that you had your vault stored online would hopefully have no capability to decrypt the vault itself. They would just be an untrusted file storage website… like Dropbox, for instance. That would be a password-vault system that would not involve placing much trust in any third parties.

    Comment by bnsmith — May 4, 2009 @ 9:55 pm

  3. Finally. Been looking for an idea for a web project. As soon as I figure out how to do password hashing with java, you sir will have a password vault up.

    Comment by Mythprogrammer — June 8, 2009 @ 11:24 am

  4. @Mythprogrammer: Let me know when you get something up and running. If you do make this kind of password vault thing, it would be able to compete head-to-head with password hashing. That would make it much harder to decide which password-protection strategy I should use. Still, new ideas competing with each other benefits everyone.

    Comment by bnsmith — June 8, 2009 @ 11:45 am

  5. Another one:

    This is a bookmarklet to allow you to have a unique password for every domain you frequent, while only remembering one. So, if someone steals (borrows) your password, you will only have lost it for that domain. First, this wasn’t my idea, it was Felix’s. Using this you can visit a site, enter the same password you normally use and then click this link creating a unique hash based on the domain.

    Comment by Jeff — June 8, 2009 @ 2:42 pm

  6. You write:

    “Second, this system is a bit inconvenient for accessing your accounts when you are away from your main computer. If you go to an Internet cafe in some other country, perhaps you could bring your password vault on a USB thumb drive, but what if the cafe doesn’t allow users to plug in their own USB drives? Or perhaps the cafe’s computers run Mac OS X and you don’t have compatible decryption software on the thumb drive.”

    …but your preferred solution involves Firefox extensions. What if the remote computer I’m using doesn’t have Firefox, or doesn’t allow me to install extensions?

    I might try the web-only version of PwdHash the next time I’m traveling, though. I wonder if using that might help defend against keylogging, since you can just cut and paste the password.

    Comment by Dan — June 8, 2009 @ 5:12 pm

    • My preferred solution, Password Hasher, also has a web-only version. As for defense against keylogging, I suppose that copying and pasting the password might help to protect that particular web-site’s password, but your master password could be logged, which is even worse! I guess it wouldn’t be so bad if the thieves didn’t know what to do with it, but still. Even with copy-and-pasting, there’s not much security, since it would be easy to code up a software-based “copy-and-paste logger” program.

      Comment by bnsmith — June 8, 2009 @ 6:02 pm

  7. I’ve been using a simplified version of this strategy for quite a while where I have a relatively long and complex password and I used specific letters from the domain name I am visiting in a section of that password. This way I am always able to a) remember the password without relying on my Keepass vault and b) Provides a relative amount of security against the attacks you are referring to. So, I (don’t but could) use the last two letters of the domain name somewhere in the password. For example paypal might be e34al78y&b and ebay might be e34ay78y&b and skype would be e34pe78y&b.

    Of course, this is a manual system and I think is inconspicuous enough to prevent the majority of brute-force style attacks if your password is picked up from other places. The above program does look to be a worthy alternative and somewhat more secure, though there will be times you end up somewhere where you need your password and don’t have access to the software.

    Comment by Matthew — June 8, 2009 @ 6:58 pm

  8. @bnsmith: Working on it as we speak, I’ve even reserved for when its ready. Trying to learn a standard java method for password hashing as I work out the code for the site. Trying to meet the condition that you don’t have to trust it to store your passwords on it as well. Cheers and wish me luck.

    Comment by Mythprogrammer — June 10, 2009 @ 10:32 am

  9. @bnsmith: I’ve had some progress on the website as far as storing user accounts and a login/registration interface. Feel free to email me at the email associated with this post.

    Comment by Mythprogrammer — June 11, 2009 @ 12:18 am

  10. try this for java hashing

    Comment by rugg — August 26, 2009 @ 1:06 pm

  11. is the vault you want. It can be used directly from your browser as an extension or bookmarklet, and directly from the web. It uses SHA256 on the client *before* uploading it for storage. When you retrieve your information, it is downloaded in encrypted form and decrypted on the client.

    Comment by JimmyDaGeek — April 10, 2010 @ 7:51 pm

RSS feed for comments on this post.

Blog at

%d bloggers like this: