Welcome to Google+, +Eric Woodruff, author of Password Hasher Plus!


This is a great extension to Chrome and makes having secure passwords a breeze. If you're not doing something to manage all your Internet passwords, you should start.
I got a significant response to my post yesterday about choosing good passwords. To continue on that, I'll address web passwords. Everybody knows that you should:

- use only difficult-to-guess passwords
- never use the same password on multiple sites
- never write anything down

That's a practical impossibility for a human, and writing them down in a file, even a securely encrypted file, is a pain in the butt. If only there was a way for your computer to create a cryptographically secure password that is different for every website and yet doesn't have to be stored anywhere. Well, there is, and it's called a "hashed password".

In essence, a hashed password is created by taking some private data, combining it with the domain name of the website, running a secure hash (e.g. MD5, SHA-1, or similar) over it, and turning the resulting 100+ bit number into some sort of text string. When logging into a website, you simply type the same "master password" for each one and the program changes it to something practically uncrackable and yet unique for that site.
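To make the scheme concrete, here is an added Python example of the kind of derivation described above. It is not Password Hasher Plus's actual algorithm (the extension's exact construction and output alphabet are not given in this post); it uses HMAC-SHA-256 keyed with the optional "private key" over the master password and the site's domain, then base64-encodes the digest and truncates it. The function names, the domain normalisation rules and the sample inputs are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL (or bare host) to the lower-case host used as the per-site salt.

    Constructed simplification: scheme, port and path are dropped and a leading
    'www.' is stripped, so 'https://www.Example.com:443/login' and 'example.com'
    yield the same password. Real tools apply more elaborate domain rules.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def hashed_password(master: str, url: str, private_key: str = "", length: int = 16) -> str:
    """Derive a per-site password from the master password, the site domain and
    an optional private key (illustrative scheme, not the extension's own).

    - Same master + same private key + same domain -> same password (deterministic,
      so nothing needs to be stored).
    - Different domain -> unrelated password (one leaked site password does not
      reveal the others).
    - Different (or absent) private key -> unrelated password, which is why the
      master password alone is not enough once a private key is in use.
    """
    domain = site_domain(url)
    # The private key acts as the HMAC key; an empty key is permitted by HMAC,
    # which models running the extension without a private key set.
    key = private_key.encode("utf-8")
    # A NUL separator keeps (master, domain) pairs unambiguous.
    message = master.encode("utf-8") + b"\x00" + domain.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Turn the 256-bit digest into printable text; strip '=' padding and truncate.
    text = base64.b64encode(digest).decode("ascii").rstrip("=")
    return text[:length]


if __name__ == "__main__":
    # Constructed sample inputs; never reuse real credentials in test code.
    master = "correct horse battery staple"
    key = "my-private-key"
    for site in ("https://www.example.com/login", "example.com", "https://example.org"):
        print(f"{site:32} -> {hashed_password(master, site, key)}")
    print("without private key          ->", hashed_password(master, "example.com"))
```

A base64 slice is not guaranteed to contain a digit or symbol, so a production tool would add a deterministic post-processing step to satisfy each site's character-class rules; that detail is left out here because it does not change the property the post is describing.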

Both Firefox and Chrome have extensions that will do this for you; the link below is for a Chrome one. I've been using it for the better part of a year and it's been incredibly useful. It includes support for a "private key" in addition to the "master password", and this is important because it makes for incredibly secure passwords even if you want something relatively simple as the "master".

One thing that you need to be aware of is that you can only generate these hashed passwords on computers with the extension and any "private key". That means you won't be able to log in at some random Internet cafe... But this is a good thing! You should never log in at a computer that you don't know and trust, because it could hold keyloggers or similar malware. Many shared computers in hotel lobbies are purposefully infected because business people like to do things like check their email, stocks, or even log in remotely to the office network.

Hashed passwords are an excellent security choice, but they still have to be used with care. To that end, note that:

1) Reversing the hash to obtain the master password is so impractical that it might as well be impossible. Knowing one generated password would not be enough since there are many (billions? trillions? billions of trillions?) potential master passwords that would generate the known password but only one would generate correct passwords for other sites. So not only is this computationally infeasible, there are surely a great many weaker passwords that an attacker will try first.

2) There is (now) a pure HTML/JavaScript version reachable from his "developer website". I put a copy of it on the SD card of my Android phone for access anywhere, even though using it is dangerous (see below). There is also a "Hash It!" app in the Android market that can generate hashed passwords in the same way as both the Firefox and Chrome extensions.

3) Do not, under any circumstances, use either the extension or web-version on an untrusted computer! You have to type your master password (and private key, if used) and at that point a listener (keylogger, shoulder surfer, etc.) has all your passwords!

4) If you use a generated password from a trusted device (e.g. your phone) to access an account via an untrusted computer, “bump” (change) the password for that account using a trusted computer as soon as possible. At least you've only potentially compromised one account.

5) Set an easy-to-remember (but difficult-to-guess) "private key" so that you can operate the extension on multiple (trusted) devices. If you don't set the "private key", then knowing the master password is sufficient to know all your passwords. Since you have to type your master password in the site's password box and then click a "hash" button to convert it, you run the risk of forgetting to click the button and accidentally submitting your master password to that site. It'll reject it, of course, but it's always possible it was sniffed or recorded in the process. Also, a malicious website could send every character back to the server, thus acquiring your master password as you type it, before hashing. With the additional "private key", knowing the master password is not sufficient. The private key is stored and remembered by the program, but even if someone were to get it, it is worthless without the master password, which should never be recorded or written down.

If you have any questions, please comment and I'll do my best to answer them.

Share this post if you think it's useful, but please direct people to comment on the original so everybody can benefit. I suggest disabling comments on the share.

Here's the Chrome Extension: