Jun 29 2012

Web Password Hash


I had a conversation with a co-worker the other day, and he pointed me to a project of his (link lost) that generates complex passwords for any site from a pass phrase. The site URL is hashed using the pass phrase as salt, and (in his implementation) the hash is used to look up dictionary words, which are then further peppered with punctuation and numerals to satisfy the password requirements of various sites. If the algorithm is deterministic, then all the user has to know is the URL of the site and the pass phrase to recover the password and cut and paste it into the form.

This requires, of course, that the user visit the hash generator before the target site each time, but the added level of security is worth the additional effort. Further, a plug-in for various browsers could be developed to generate the passwords using AJAX (or similar) without having to visit the hash site specifically.

I’m going to work on my own solution. Right now I have a holding page at http://hash.codefool.org.

This page is to track notes and development for the project.

The requirement is that all the user must provide is the site URL (variable) and a pass phrase (most likely constant). But some sites require that users change their passwords from time to time. To support this, the URL and the generation “count” for that URL must be stored in a database, so that when the user has to change the password, they can increment the generation value, supply the same URL and pass phrase, and an alternate password is generated. Unfortunately, this also imposes the burden of user identifiers, which suggests a recursion, doesn’t it? If I have passwords on the user accounts, then you can’t use the hash page to generate the password for the hash page! So, the user will have to know four things: their userid and password for the hash page, the URL of the site, and their pass phrase. Not too much baggage to carry around.
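As an added example (not the author's code, nor the project at hash.codefool.org), here is a Python sketch of the deterministic scheme described above: this example's own design choice is to feed the pass phrase into PBKDF2 as the secret and use the site host plus the generation count as the salt, then map the derived bytes onto a password that always contains each character class. It assumes the URL is normalized to its host, so every page on a site yields the same password, and it uses constructed sample inputs.

```python
import hashlib
import string
from urllib.parse import urlsplit

# 52 letters + 10 digits + 2 symbols = 64 characters, so `byte & 63`
# selects a character without modulo bias.
SYMBOLS = "!@"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
REQUIRED = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def normalize_site(url):
    """Reduce a URL to its lowercase host, so http://Example.com/login and
    https://example.com/ derive the same password (this example's assumption)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        raise ValueError("no host found in %r" % (url,))
    return host.lower()


def derive_password(passphrase, url, generation=1, length=16, iterations=100_000):
    """Deterministically derive a site password: the pass phrase is the secret,
    the host plus generation count is the salt. Bump `generation` to rotate."""
    if length < len(REQUIRED):
        raise ValueError("length too short to satisfy every character class")
    salt = ("%s\x00%d" % (normalize_site(url), generation)).encode()
    # Body bytes, plus two spare bytes per required class (position, character).
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations,
                              dklen=length + 2 * len(REQUIRED))
    chars = [ALPHABET[b & 63] for b in raw[:length]]
    # Force one character of each required class into a distinct position,
    # so the result satisfies a typical "lower/upper/digit/symbol" policy.
    free = list(range(length))
    spare = raw[length:]
    for i, cls in enumerate(REQUIRED):
        pos = free.pop(spare[2 * i] % len(free))
        chars[pos] = cls[spare[2 * i + 1] % len(cls)]
    return "".join(chars)


def meets_requirements(password):
    """True if the password contains lowercase, uppercase, a digit and a symbol."""
    return all(any(c in cls for c in password) for cls in REQUIRED)


if __name__ == "__main__":
    # Constructed sample input; the same pair always yields the same password.
    print(derive_password("correct horse battery staple", "https://example.com/login"))
```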
