Plug-in Protects Passwords

By Kimberly Patch, Technology Research News

One big problem with computers in the age of the Internet is remembering passwords for different sites. Password remembering solutions that work well vis-a-vis human memory, like reusing passwords or using similar passwords, tend to decrease security.

Researchers from Stanford University have rehashed an established encryption technique to come up with a browser plug-in that produces a different password for each site without requiring the user to remember more than a single password. The method also makes it more difficult for hackers to use spoof pages.

The researchers' plug-in, dubbed PwdHash, changes a user's main password based on data associated with a Web site to produce a unique password for each site. "We wanted to give people a tool that would offer the convenience of remembering a single password with the security of using a different password for each site," said Blake Ross, a researcher at Stanford University and a founder of the Mozilla Firefox project.

It's not uncommon for a person to have a dozen different online accounts and to use the same password across all of them, said Ross. In these cases, if security is compromised at one site, all the accounts are at risk.

For instance, a person may have accounts at a high school reunion page and a national bank. The bank site can be highly secure, but if a hacker cracks the low-security reunion site and the person has used the same password as the bank site, the bank account is also compromised, said Ross.

PwdHash acts as an intermediary between the user and the Web sites she visits. "The user can continue to use a single password for all of her sites, but before the password is submitted to the Web site for authentication PwdHash intercedes and produces a... hash of the password using the domain name of the Web site as the salt," said Ross.

Hashing something like a password involves changing it by putting it and another piece of information -- the salt -- through an algorithm to produce the password. It is mathematically difficult to retrieve the original password from the new one. The researchers used the SHA-1 hash algorithm.

Password hashing has been used for years. The researchers' advance was integrating the technique transparently into Web browsers. "The user actually has a different password for each page she visits, but need not concern herself with this detail," said Ross. "If any hackers were to compromise the high school reunion website, the password they would obtain there would be useless on all other sites frequented by the user," he said.

When the plug-in is in use, the Web site a user is logging into never actually sees the original, unhashed password, said Ross. This protects the user against spoof pages designed to look like legitimate Web sites in order to trick people into entering their passwords so the spoofers can collect the passwords, he said.

"For example, an eBay spoof page can't use JavaScript to capture your password as you enter it, nor can it capture your password when you submit it," said Ross. It is not possible to collect passwords entered when users are tricked this way because, using the plug-in, the password is hashed against whatever domain the page is on. In the case of spoof pages, the password would be hashed against the hackers domain rather than the original, making for a different -- and therefore useless -- password.

During user studies, the researchers found that people only notice the PwdHash plug-in when the password changed in length as the focus left the password field, an effect the researchers said they plan to eliminate.

The researchers have tested the plug-in with the Internet Explorer and Firefox browsers. Their next steps are making plug-ins for other browsers, browsers embedded in software like the AOL client, email programs that support HTML, and browsers built into devices like cell phones, said Ross.

The existing PwdHash plug-in can be used today, and the technology does not require changes to Web sites or the Web architecture, said Ross.

The software does not protect against spyware located on the user's computer, however, and there are certain uncommon remote attacks that can defeat the plug-in, according to Ross.

The plug-in solution is relatively simple and pragmatic compared to other proposed security devices, Ross added. Some approaches propose fundamental changes to the Web that cannot be adopted without major corporate backing and years of evangelism; others require hardware like keyboards with biometric support, he said. "I think PwdHash serves as a solid reminder that there's plenty we can do today, in 2005, to improve the state of password security without requiring people to change their habits," said Ross.

Ross's research colleagues were Collin Jackson, Nick Miyake, Dan Boneh, and John C Mitchell. The researchers' presented the work at the 14th Usenix Security Symposium in Baltimore, July 31 to August 5, 2005. The research was funded by the National Science Foundation (NSF).

Timeline:   Now
Funding:   Government
TRN Categories:   Security; Internet
Story Type:   News
Related Elements:  Technical paper, "Stronger Password Authentication Using Browser Extensions," presented at the 14th Usenix Security Symposium, Baltimore, July 31-August 5, 2005, and posted at


August 10/17, 2005

Page One

System carries PC soul
Letter: a short history of TRN
Plug-in protects passwords
Ice transforms chipmaking
Pixels speed quantum crypto

Textures ID paper and plastic
DNA process stamps patterns
Templates yield nano branches
Chemistry moves micro machines


Research News Roundup
Research Watch blog

View from the High Ground Q&A
How It Works

RSS Feeds:
News  | Blog  | Books 

Ad links:
Buy an ad link


Ad links: Clear History

Buy an ad link

Home     Archive     Resources    Feeds     Offline Publications     Glossary
TRN Finder     Research Dir.    Events Dir.      Researchers     Bookshelf
   Contribute      Under Development     T-shirts etc.     Classifieds
Forum    Comments    Feedback     About TRN

© Copyright Technology Research News, LLC 2000-2006. All rights reserved.