Comments on: PwdHash from Stanford – Generate Passwords by Hashing the URL http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/ Ethical Hacking, Penetration Testing & Computer Security Sat, 21 Nov 2009 06:04:59 +0000 http://wordpress.org/?v=2.8.6 hourly 1 By: Stefans Home http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56412 Stefans Home Thu, 15 Mar 2007 08:44:57 +0000 http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56412 <strong>Mittel gegen die Passwort-Inflation...</strong> Für jedes Forum, jeden Onlineshop, ... muß man sich einen Account anlegen, bevor man loslegen kann. Was aber tun mit den dutzenden Passwörtern, die benötigt werden? Auf der einen Seite sollte man Paßwörter nicht aufschreiben (jemand könnte den Z... Mittel gegen die Passwort-Inflation…

Für jedes Forum, jeden Onlineshop, … muß man sich einen Account anlegen, bevor man loslegen kann. Was aber tun mit den dutzenden Passwörtern, die benötigt werden? Auf der einen Seite sollte man Paßwörter nicht aufschreiben (jemand könnte den Z…

]]> By: Darknet http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56403 Darknet Wed, 14 Mar 2007 18:19:45 +0000 http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56403 Thanks for the info and update Stefan, we appreciate that. I'll post something about Password Hasher as well so people have the option to choose which is better for them. Thanks for the info and update Stefan, we appreciate that.

I’ll post something about Password Hasher as well so people have the option to choose which is better for them.

]]> By: Stefan http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56392 Stefan Wed, 14 Mar 2007 13:08:45 +0000 http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56392 Ok, an update - I wondered why the PwdHash tried to submit data to the server... my fault, or better to say: <a href="http://noscript.net/" rel="nofollow">NoScript</a>'s fault ;) So both extensions offer the same functionality, they merely differ in the user interface. PwdHash uses MD5, Password Hasher SHA1 as hash function for the keyed hash. The extensions differ in the user interface; the passwords generated by PwdHash have a length depending on the length of the master secret, while Password Hasher allows to select a fixed length (beside some options for special chars, etc.). The PwdHash team published a paper, discussing several attack vectors. Ok, an update – I wondered why the PwdHash tried to submit data to the server… my fault, or better to say: NoScript’s fault ;) So both extensions offer the same functionality, they merely differ in the user interface. PwdHash uses MD5, Password Hasher SHA1 as hash function for the keyed hash.
The extensions differ in the user interface; the passwords generated by PwdHash have a length depending on the length of the master secret, while Password Hasher allows to select a fixed length (beside some options for special chars, etc.). The PwdHash team published a paper, discussing several attack vectors.

]]> By: Stefan http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56388 Stefan Wed, 14 Mar 2007 08:42:19 +0000 http://www.darknet.org.uk/2007/03/pwdhash-from-stanford-generate-passwords-by-hashing-the-url/#comment-56388 I've only had a quick glance at the project, but this sounds pretty similar to the <a href="http://wijjo.com/passhash/" rel="nofollow">password hasher Firefox extension</a>. I didn't dig into the cryptographic details (yet), so I can't say which extensions is more secure (if there is any difference at all); what I like about "password hasher" is the possibility to create the site-specific hash via JavaScript only: PwdHash seems to submit the data entered to the PwdHash server for computation. Password Hasher offers a page (which you can put a a trusted copy on your homepage, for example) which does the hashing solely in JavaScript - so you don't have to trust some web service. I’ve only had a quick glance at the project, but this sounds pretty similar to the password hasher Firefox extension. I didn’t dig into the cryptographic details (yet), so I can’t say which extensions is more secure (if there is any difference at all); what I like about “password hasher” is the possibility to create the site-specific hash via JavaScript only: PwdHash seems to submit the data entered to the PwdHash server for computation. Password Hasher offers a page (which you can put a a trusted copy on your homepage, for example) which does the hashing solely in JavaScript – so you don’t have to trust some web service.

]]>