Tuesday, June 12, 2012

Password hashing with bookmarklet

This entry is to explain the concept of password hashing, and empower you with such a tool to have strong and unique passwords per site without having to remember them.

Many users tend to maintain few passwords which they repeatedly use for multiple websites. Even if the password is strong, this has a problem. With so many logins maintained by different website managers, it is inevitable that some of them will get compromised eventually. And the chances are also high enough that the passwords of the hacked sites will get stored as a cleartext.

What that will amount to is that if one of your passwords get stolen, you cannot be sure that the hacker won't get access to other sites which you use.

This is where comes tools like Password Hashing.

A password hasher takes a (possible weak) password, and creates a strong password depending on your password and the domain of the site you are going to log in to.

So for example, if you want to log into Linkedin, and type 'ABC' as password, you click the hasher - and viola - the password get's transformed into something like 'Q%JhLHTJ@4'. Next you want to login to login to Facebook, and type in 'ABC' again, click, and now you get '=ygDD-R46G' - because the generated password also depends on domain.

You need to remember only one password - 'ABC' in this case - which got transformed into something much stronger, and unique per domain - alleviating a lot of security issues. If Linkedin passwords get stolen, you are sure that there's no way the hacker will get access to your Facebook account even though you remembered effectively one password. Also, depending on the number of characters you choose, the generated password can be very strong. For example both the generated passwords above will take roughly 78 thousand years to crack, even assuming a speed of 1 million guesses per second - which is a very high rate of attack for an online server to cope with.

What if someone else also uses the same weak password 'ABC' for Linkedin? He will get a different encrypted password, provided you have customized your password hasher with a strong master password.

You can get your customized password hasher bookmarklet from here - Superpass Password Hasher.