Nik's Blog

Geekery, witty insights, software (of dubious quality) and more!

Hash a Pass: No panacea

Hash a Pass was recently featured on Digg.com and is an interesting idea. Using a master password and a Javascript implementation of the SHA-1 hash algorithm, you can generate a secure and un-guessable password, and then simply re-generate it when you need it again.

A nifty trick, to be sure, but does this really make you safer?

Here’s an example of how it works: I set my master password to my super-secure 133t password of ‘p@22w04d’. Then I generate a password for, say, Apple.com. So I type in “apple” as the parameter and it generates the wonderful password of ‘EZbqNhEK’, which is really a pretty strong password.

When I then go back to Apple, I can go back to hashapass, and enter the same two keys, and get the same password. End result: Lots of cryptographically strong passwords which I don’t have to remember! All I need is my master password!

Here’s the question: what does this protect me against?

Anyone using the same algorithm can re-create any of my passwords by entering the two keys. The key for each site/password I want to maintain will necessarily have to be easy to remember (such as the site’s domain name or title). So, if they can guess my master password, it will be trivially easy to get at anything I’ve registered for.

What it does protect against is the possibility that one site’s passwords will be leaked/cracked/stolen, and that the password I use there (and everywhere else) will then be tried on a dozen other sites, giving the thieves access to everything.

It’s not a huge benefit over storing or memorizing passwords, as I still need to remember which sites I’ve used hashapass for, and remember what key I used for each site. (Again, the domain name becomes the most likely input.) This is roughly analogous to having all your passwords stored in an encrypted file/database with a single “master password” to unlock all of them.

Is it better than using the same password on every site? Undoubtedly yes. But it’s hardly 007-grade security. Indeed, it’s probably safer to use a product like Web Confidential to keep a variety of passwords and just look them up when you need them. Yes, someone gaining the file and the master key will have the keys to your kingdom. But with hashapass, they only need the master key; the “database” is right there online.
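Here’s a small Python illustration of the scheme described above and of its weak point. This is added here and is not Hash a Pass’s own code; it assumes a hashapass-style construction (HMAC-SHA1 keyed with the master password over the per-site parameter, base64-encoded, first 8 characters). The exact construction the site uses isn’t stated in this post, so the output won’t necessarily match ‘EZbqNhEK’.

```python
import base64
import hashlib
import hmac


def derive_password(master: str, site_key: str, length: int = 8) -> str:
    """hashapass-style derivation (assumed construction, not the site's verified code):
    HMAC-SHA1 keyed with the master password over the per-site parameter,
    base64-encoded and truncated. It is fully deterministic, which is the whole
    point (regenerate on demand) and the whole problem (anyone holding the master
    password and a guessable site key regenerates it just as easily)."""
    mac = hmac.new(master.encode("utf-8"), site_key.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def derive_password_slow(master: str, site_key: str,
                         iterations: int = 200_000, length: int = 8) -> str:
    """Same idea with a key-stretching step (PBKDF2-HMAC-SHA1, hypothetical variant,
    not something hashapass offers). Each master-password guess now costs
    `iterations` hashes instead of one, which is the only lever a scheme like this
    has against someone who obtains one derived password and guesses the master."""
    dk = hashlib.pbkdf2_hmac("sha1", master.encode("utf-8"),
                             site_key.encode("utf-8"), iterations, dklen=16)
    return base64.b64encode(dk).decode("ascii")[:length]


def site_passwords_are_independent(master: str, sites: list[str]) -> bool:
    """The benefit the post grants the scheme: one master yields a distinct
    password per site, so a single site's leak doesn't hand out the others."""
    return len({derive_password(master, s) for s in sites}) == len(sites)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post's example (master + site parameter).
    master, site = "p@22w04d", "apple"
    print("derived:   ", derive_password(master, site))
    print("regenerate:", derive_password(master, site))   # identical, by design
    print("stretched: ", derive_password_slow(master, site))
    print("per-site distinct:", site_passwords_are_independent(master, ["apple", "amazon", "google"]))
```

Note that nothing in either variant stops someone who already has your master password; stretching only makes guessing it from a leaked derived password slower.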
