Client Side Password Hashing

In light of the recent LinkedIn password debacle, I thought I would share a password secret I've been using for a while now, client side password hashing. 

Password hashing takes a simple password, runs it through an algorithm and spits out a more complex password.  Stanford University researchers developed an algorithm for passwords that uses the domain of the site you're logging into and your simple password to create a unique and more complex password for every site you log into, even if you use the same password for each site.

You can find out more about the Stanford project here.

On the right side of the pwdhash.com page, you'll see a box (like the one above) with fields for Site Address, Site Password, and Hashed Password.  Enter the domain of the site you're logging into in the Site Address field (geeklawblog.com), enter the same silly password you use for every single site you log into in the Site Password field (for me, it's greglambert. Shhh!), press the Generate button and voila!, out pops your hashed password.  Ts7ZoXk8Nqj6d is my official password for 3 Geeks.

When I go to log into Facebook, I enter facebook.com, greglambert as my password, and my official password for Facebook becomes bmQHlmV4bWUEu.

This way I can continue to use 2 or 3 relatively simple passwords and still have complex and unique passwords for every site.

I know what you're thinking.  "I don't want to have to go to pwdhash.com every time I need to get my password!"  You don't have to.  Cynix.org has created bookmarklets that you can save to your browser favorites.  When you go to a site that needs a password, click on the bookmarklet, a java window pops up asking for your Master/simple password, it takes the current domain from the page you're on and runs the Stanford algorithm spitting out your unique password for that domain.  On some browsers it even enters the new password in the password field when you place your cursor there.  (Warning: I haven't had a lot of luck with the bookmarklets in versions of IE. Stick with Chrome, Firefox, or Safari.)

But what about on my iPhone or iPad?  The bookmarket works in mobile safari.

But what about signing into Apps on my iPhone or iPad?  There's an app for that too.  KeyGrinder uses the same algorithm to return the same password every time.  You enter the domain and password and then tap on the Create button, the hashed password is automatically saved to your clipboard.  Just go to the App, enter your username, tap in the password field and select paste.

The benefits of hashed passwords are many.
  • I can remember only my simple master passwords and still have unique complex passwords for every site.
  • If a website (like LinkedIn) is compromised, the attackers only have my password for that one site, not for every other site I go to.  
  • Since I'm never actually typing the hashed password in anywhere, keyloggers don't capture my passwords.
  • Since the typed master passwords and hashed passwords are hidden (******) in the bookmarklet, someone standing over my shoulder or viewing my screen still wouldn't get my password.
  • Since I'm only remembering my master passwords, I couldn't reveal my actual passwords even if I was being tortured.  
On second thought, that last one might be a bad thing.


UPDATE:  Added the words Client Side to the title to differentiate from the standard server side password hashing that LinkedIn is accused of doing poorly in the Computer World article linked at the top.

UPDATE 2: You can check here to see if your old LinkedIn password was confirmed as cracked.  Please change your password first!  Another benefit to client side password hashing, the server side hash is much harder to crack because it bears no relation to a dictionary word.  In case you're wondering, my original password is not currently on the list of cracked passwords.  Glad I changed it anyway.

Bookmark and Share



© 2014, All Rights Reserved.