Web Password Hashing

Whenever you access your bank account via the web, or login to eBay or any other web service that’s access controlled, you trust that service to protect your account details.

In most cases your username and password pair are submitted to the web service in an encrypted form via the SSL protocol, whereupon the password is hashed (irreversibly scrambled) before being stored in the account database. This process offers a relatively high degree of security and is used by many of the web services we use every day.

In most cases then, your trust is justified. If, however, you’re one of the many millions of people who use the same username and password for different web services, then your security and privacy are at risk.

Hackers and scammers have a variety of tricks and tools that can, under the right conditions, obtain the usernames and passwords that you use online. The important thing to remember is that the bad boys only have to get lucky once: once your username and password (for one service) are acquired, they can be tried at a variety of “secure” websites until another match is found. Such attacks are remarkably effective.

The obvious way to protect yourself against this is to use a unique username and password for every website you visit. However, in the real world, this just isn’t practical (unless you’re Andi Bell), so most of us will continue to put our bank accounts, and even our identities, at risk with a “global” username and password.


It doesn’t have to be this way: Three cryptographers at Stanford University have devised a ridiculously simple solution to the problem.

PwdHash

Blake Ross, Dan Boneh and John C. Mitchell have produced an Internet Explorer plug-in, PwdHash that, in theory, allows you to use a common username and password at disparate websites with impunity.

Here’s how it works:

  1. You create an account at example.com. Whilst doing so, you specify the username and password that you want to use to access your account;
  2. When you click the “Submit” button, PwdHash steps in. It takes the password you have entered, combines it with the website’s domain name, and creates a one-way hash of the result;
  3. That hash is then sent to the web-server where it is stored in a database (for the sake of brevity let’s imagine that the web-server stores the username and password in plain text).

The web service now has a password on record that is not the same as the one you entered but, and here’s the clever bit, the next time you login to that website, PwdHash will perform the same operations again – so the web-server will get the same (effectively garbled) password, match it against the one in its database and you will be able to access your account blissfully unaware of the entire process.

Now let’s imagine that a hacker manages to get access to the account database at example.com. He takes your username and hashed password and tries to login to various secure websites with the stolen credentials.

Unfortunately for our crook, it’s impossible for him to log in to your other online accounts because the credentials he’s acquired have “example.com” hashed into them. Your account at eBay has “ebay.com” tied to it, your online bank account is locked to “bigbank.com” and your Hotmail account can only be accessed with your special “hotmail.com” password. Remember: you’ve used the same password for all these websites – PwdHash has performed all the trickery.

As a result, the only account that the hacker can access is the compromised account at example.com. Score 1 for the good guys!

No Fishing!

There’s a rather pleasing bonus to all this. Because the password you use is hashed along with the domain name it is registered to, you are also protected (to a degree) from “phishing” scams. Let’s look at how phishing works:

  1. You receive an email purporting to be from your bank;
  2. The email states that the bank is updating their records and urges you click a link through to your bank’s website to check/correct your account details. The link appears to point to your bank’s domain name so you click through, being the conscientious customer;
  3. However, it’s a scam! The URL is cunningly disguised; it actually takes you to the scammer’s website which, remarkably, is an exact clone of your bank’s home-page;
  4. You dutifully enter your username and password and click “Submit”;
  5. At this point the credentials you entered are sent to the scammer, then his server redirects you to the real home-page of your bank (if the scammer’s really cunning you’ll see the bank’s “Login Failed” screen);
  6. You think you mistyped your username and password so you try again and you successfully log in – unaware that you have just surrendered access to your life savings to a clever fraudster.

Now run through that same scenario with PwdHash in the equation: The scammer gets a password that is hashed against his domain – not your bank’s! The credentials he has retrieved are absolutely useless to him. The good guys score again!

Deployment Challenges

There is a downside though: Users must reset their passwords for every website they have an account on (in order for the password/domain hash to be calculated and stored).

There is also a slight inconvenience when the user needs to login to a PwdHash-protected account from a computer where he can’t install the PwdHash plug-in (at work, in a cybercafé, etc). The Stanford team have at least recognised this problem and are working on a special “Remote Hashing” service to generate the correct password as required.

Summary

Password hashing, and the Stanford team’s PwdHash implementation, represent a significant step forward for online security, and it’s reassuring to know that the common practice of using the same username and password for many online services need not be as risky as we know it to be.

I can only hope that PwdHash will soon be available for Mozilla/Firefox/Opera/Safari et al.
