Technology Research News
big problem with computers in the age of the Internet is remembering passwords
for different sites. Password remembering solutions that work well vis-a-vis
human memory, like reusing passwords or using similar passwords, tend to
Researchers from Stanford University have rehashed an established
encryption technique to come up with a browser plug-in that produces a different
password for each site without requiring the user to remember more than
a single password. The method also makes it more difficult for hackers to
use spoof pages.
The researchers' plug-in, dubbed PwdHash, changes a user's main
password based on data associated with a Web site to produce a unique password
for each site. "We wanted to give people a tool that would offer the convenience
of remembering a single password with the security of using a different
password for each site," said Blake Ross, a researcher at Stanford University
and a founder of the Mozilla Firefox project.
It's not uncommon for a person to have a dozen different online
accounts and to use the same password across all of them, said Ross. In
these cases, if security is compromised at one site, all the accounts are
For instance, a person may have accounts at a high school reunion
page and a national bank. The bank site can be highly secure, but if a hacker
cracks the low-security reunion site and the person has used the same password
as the bank site, the bank account is also compromised, said Ross.
PwdHash acts as an intermediary between the user and the Web sites
she visits. "The user can continue to use a single password for all of her
sites, but before the password is submitted to the Web site for authentication
PwdHash intercedes and produces a... hash of the password using the domain
name of the Web site as the salt," said Ross.
Hashing something like a password involves changing it by putting
it and another piece of information -- the salt -- through an algorithm
to produce the password. It is mathematically difficult to retrieve the
original password from the new one. The researchers used the SHA-1 hash
Password hashing has been used for years. The researchers' advance
was integrating the technique transparently into Web browsers. "The user
actually has a different password for each page she visits, but need not
concern herself with this detail," said Ross. "If any hackers were to compromise
the high school reunion website, the password they would obtain there would
be useless on all other sites frequented by the user," he said.
When the plug-in is in use, the Web site a user is logging into
never actually sees the original, unhashed password, said Ross. This protects
the user against spoof pages designed to look like legitimate Web sites
in order to trick people into entering their passwords so the spoofers can
collect the passwords, he said.
your password as you enter it, nor can it capture your password when you
submit it," said Ross. It is not possible to collect passwords entered when
users are tricked this way because, using the plug-in, the password is hashed
against whatever domain the page is on. In the case of spoof pages, the
password would be hashed against the hackers domain rather than the original,
making for a different -- and therefore useless -- password.
During user studies, the researchers found that people only notice
the PwdHash plug-in when the password changed in length as the focus left
the password field, an effect the researchers said they plan to eliminate.
The researchers have tested the plug-in with the Internet Explorer
and Firefox browsers. Their next steps are making plug-ins for other browsers,
browsers embedded in software like the AOL client, email programs that support
HTML, and browsers built into devices like cell phones, said Ross.
The existing PwdHash plug-in can be used today, and the technology
does not require changes to Web sites or the Web architecture, said Ross.
The software does not protect against spyware located on the user's
computer, however, and there are certain uncommon remote attacks that can
defeat the plug-in, according to Ross.
The plug-in solution is relatively simple and pragmatic compared
to other proposed security devices, Ross added. Some approaches propose
fundamental changes to the Web that cannot be adopted without major corporate
backing and years of evangelism; others require hardware like keyboards
with biometric support, he said. "I think PwdHash serves as a solid reminder
that there's plenty we can do today, in 2005, to improve the state of password
security without requiring people to change their habits," said Ross.
Ross's research colleagues were Collin Jackson, Nick Miyake, Dan
Boneh, and John C Mitchell. The researchers' presented the work at the 14th
Usenix Security Symposium in Baltimore, July 31 to August 5, 2005. The research
was funded by the National Science Foundation (NSF).
TRN Categories: Security; Internet
Story Type: News
Related Elements: Technical paper, "Stronger Password Authentication
Using Browser Extensions," presented at the 14th Usenix Security Symposium,
Baltimore, July 31-August 5, 2005, and posted at crypto.stanford.edu/PwdHash.
carries PC soul
Letter: a short history of TRN
speed quantum crypto
ID paper and plastic
process stamps patterns
yield nano branches
moves micro machines
Research News Roundup
Research Watch blog
View from the High Ground Q&A
How It Works
News | Blog
Buy an ad link