Web Password Hashing

Thursday, Aug. 5 2004 | Author: DarkBlue

Whenever you access your bank account via the web, or login to eBay or any other web service that’s access controlled, you trust that service to protect your account details.

In most cases your username and password pair are submitted to the web service in an encrypted form via the SSL protocol. Whereupon they are further encrypted before being stored in the account database. This process offers a relatively high degree of security and is used by many of the web services we use every day.

In most cases then, your trust is justified. If, however, you’re one of the many millions of people who use the same username and password for different web services, then your security and privacy is at risk.

Hackers and scammers have a variety of tricks and tools that can, under the right conditions, obtain the usernames and passwords that you use online. The important thing to remember is that the bad boys only have to get lucky once… once your username and password (for one service) is acquired they can be tried at a variety of “secure” websites until another match is found. Such attacks are remarkably effective

The obvious way to protect yourself against this is to use a unique username and password for every website you visit. However, in the real world, this just isn’t practical (unless you’re Andi Bell), so most of us will continue to put our bank accounts, and even our identities, at risk with a “global” username and password.

It doesn’t have to be this way: Three cryptographers at Stanford University have devised a ridiculously simple solution to the problem.

PwdHash

Blake Ross, Dan Boneh and John C. Mitchell have produced an Internet Explorer plug-in, PwdHash that, in theory, allows you to use a common username and password at disparate websites with impunity.

Here’s how it works:

You create an account at example.com. Whilst doing so, you specify the username and password that you want to use to access your account;
When you click the “Submit” button, PwdHash steps in. It takes the password you have entered, adds it to the website’s domain name, and creates a one-way hash of the result;
That hash is then sent to the web-server where it is stored in a database (for the sake of brevity let’s imagine that the web-server stores the username and password in plain text).

The web service now has a password on record that is not the same as the one you entered but, and here’s the clever bit, the next time you login to that website, PwdHash will perform the same operations again - so the web-server will get the same (effectively garbled) password, match it against the one in its database and you will be able to access your account blissfully unaware of the entire process.

Now let’s imagine that a hacker manages to get access to the account database at example.com. He takes your username and hashed password and tries to login to various secure websites with the stolen credentials.

Unfortunately for our crook, it’s impossible for him login to your other online accounts because the credentials he’s acquired have “example.com” encrypted within them. Your account at eBay has “ebay.com” tied to it, your online bank account is locked to “bigbank.com” and your Hotmail account can only be accessed with your special “hotmail.com” password. Remember: You’ve used the same password for all these websites - PwdHash has performed all the trickery.

As a result, the only account that the hacker can access is the compromised account at example.com. Score 1 for the good guys!

No Fishing!

There’s a rather pleasing bonus to all this. Because the password you use is hashed along with the domain name it is registered to, you are also protected (to a degree) from “phishing” scams. Let’s look at how phishing works:

You receive an email purporting to be from your bank;
The email states that the bank is updating their records and urges you click a link through to your bank’s website to check/correct your account details. The link appears to point to your bank’s domain name so you click through, being the conscientious customer;
However, its a scam! The URL is cunningly disguised, it actually takes you to the scammer’s website which, remarkably, is an exact clone of your bank’s home-page;
You dutifully enter your username and password and click “Submit”;
At this point the credentials you entered are sent to the scammer, then his server redirects you to the real home-page of your bank (if the scammer’s really cunning you’ll see the bank’s “Login Failed” screen);
You think you miss-typed your username and password so you try again and you successfully login - unaware that you have just surrended access to your life savings to a clever fraudster.

Now run through that same scenario with PwdHash in the equation: The scammer gets a password that is hashed against his domain - not your bank’s! The credentials he has retrieved are absolutely useless to him. The good guys score again!

Deployment Challenges

There is a downside though: Users must reset their passwords for every website they have an account on (in order for the password/domain hash to be calculated and stored).

There is also a slight inconvenience when the user needs to login to a PwdHash-protected account from a computer where he can’t install the PwdHash plug-in (at work, in a cybercafé, etc). The Stanford team have at least recognised this problem and are working on a special “Remote Hashing” service to generate the correct password as required.

Summary

Password hashing, and the Stanford team’s PwdHash implementation, represents a significant step forward for online security and it’s reassuring to know that the common practise of using the same username and password for many online services need not be as risky as we know it to be.

I can only hope that PwdHash will soon be available for Mozilla/Firefox/Opera/Safari et al.

Category: Uncategorized

11 Responses for "Web Password Hashing"

Jeroen Coumans

August 6th, 2004 at 2:24 am
1

Is this the same Blake Ross from Mozilla marketing fame? See . If so, I guess we can expect that this will be incorporated into Firefox 2.0: .
Bob Owen

August 6th, 2004 at 8:31 am
2

Hmmm, I would guess a similar effect which would be more portable, but possibly less useful would be to have a bookmarlet to handle the hashing. I’ll have to look into this.
Fyodor Isakov

August 7th, 2004 at 6:52 am
3

Sorry, I don’t get the point. The hashing algorithm is known, right? The hash is calculated from pwd and target domain name, right? So, having acquired the hash from example.com’s users DB, what prevents the cracker to run a dictionary/brute force attack and recover the password?

To have a global username/pwd is actually a really bad idea.
Jonathan Hollin

August 8th, 2004 at 5:42 pm
4

“what prevents the cracker to run a dictionary/brute force attack and recover the password?”

Over the web? He’d have to have an awful lot of patience.

Please, explain where you think the vulnerability is - it would be interesting to see how the authors of the paper respond.
Fyodor Isakov

August 9th, 2004 at 7:48 am
5

In a nutshell: the example.com stores the hash, which is calculated as a function of password and the domain name:

hash (pwd, domain-name)

Now, suppose the bad guy broke through to the example.com and has access to all hashes. All he needs to do now is to apply this function to the domain name (example.com) and the unknown password, and compare the results with stolen hashes. If match is found — the password is recovered. Needless to say that passwords are substituted from a dictionary or chosen at random from predefined alphabet. And yes, he can use all the computing power at his command, since the hash algorithm is open.

Apparently, the paper authors do recognize this problem and provide some sort of solution to it, see it on slide 11 of ppt file. I was too lazy to look it up earlier, so my apologies. However, the proposed solution (global pwd to strenthen all hashes) only adds another unknown variable to the hash method:

hash (global-pwd, pwd, domain-name)

Therefore, a very patient bad guy still has a chance to break this.

All I had to say is: no smart technology can protect you if you use weak passwords and/or use same password on different sites. Even worse, an unsavvy user might be tempted by the false sense of security provided by such technology and may become too relaxed. And so he falls an easy victim of bad guys.
Jonathan Hollin

August 9th, 2004 at 4:40 pm
6

Great explanation Fyodor. Thank you.
JC

August 9th, 2004 at 6:59 pm
7

Not a perfect solution, certainly, but it’s a heck of a lot better than a yellow post-it note.
With a global password, (really just a seed for the hash) that very patient bad guy might have to work years to break a single person’s data, if the encryption was good enough. Or rather than a global password, a half dozen bits of data… SSN, DOB, father’s middle name, childhood street name, etc, which you put in one time when installing the app, and then it can build the hash from that… but you’ll still know those components when you move to a new machine. Hmm. Can it print out all the passwords it’s created in case you need to use one from a machine it’s not installed on? hmm.

I wonder how it handles variable password lengths… does it create a 300+ key password hash and only use the maximum number of characters the site allows, or?
Perhaps I should RTFA, huh? :-)
ŒõËÙ»ú

October 25th, 2005 at 9:42 pm
8

ÎÒÃÇÎªÄúÌá¹©ŒõËÙ»úÏµÁÐ²úÆ·¡£
passwords for

November 12th, 2005 at 5:23 pm
9

Nice post, where can I email you to ask something in private?
way three

November 14th, 2005 at 7:59 am
10

Während die glazial geprägten Landschaften
GoogleÍÆ¹ã

November 22nd, 2005 at 12:01 pm
11

google×ó²àÍÆ¹ã×šÀž|googleÍÆ¹ãÍÆŒö·þÎñÉÌ_£¬ÎÒÃÇµÄ·þÎñ£º Äã¿ÉÒÔžùŸÝ×ÔŒºµÄÐèÒªÏòÎÒÃÇÌá¹©Ò»žö»ò¶àžö¹ØŒüŽÊ£¬žùŸÝÄãµÄÒªÇó°Ñ¹ó¹«ËŸ ÅÅÃûÔÚGoogleÍÆ¹ãµÄÇ°10 Î»¡£ ¿Í»§ÎªÊ²ÃŽÑ¡ÔñGoogle×ó²àÍÆ¹ã?