Hash a Pass: No panacea

Hash a Pass was recently featured on Digg.com and is an interesting idea. Using a master password and a Javascript implementation of the SHA-1 hash algorithm, you can generate a secure and un-guessable password, and then simply re-generate it when you need it again.

A nifty trick, to be sure, but does this really make you safer?

Here’s an example of how it works: I set my master password to my super-secure 133t password of ‘p@22w04d’. Then I generate a password for, say, Apple.com. So I type in “apple” as the parameter and it generates the wonderful password of ‘EZbqNhEK’, which is really a pretty strong password.

When I then go back to Apple, I can go back to hashapass, and enter the same two keys, and get the same password. End result: Lots of cryptographically strong passwords which I don’t have to remember! All I need is my master password!

Here’s the question, what does this protect me against?

Anyone using the same algorithm can re-create any of my passwords by entering the two keys. The key for each site/password I want to maintain will necessarily have to be easy to remember (such as the site’s domain name or title). So, if they can guess my master password, it will be trivially easy to get at anything I’ve registered for.

What it does protect against is the possibility that one site’s passwords will be leaked/cracked/stolen, and that my password which I use there (and everywhere else) will be tried in a dozen sites, given the thieves access to everything.

It’s not a huge benefit over storing or memorizing passwords, as I still need to remember which sites I’ve used hashapass for, and remember what key I used for the site. (Again, the domain name becomes the most likely input.) This is roughly analagous to having all your passwords stored in an encrypted file/database with a single “master password” to unlock all of them.

Is it better than using the same password on every site? Undoubtedly yes. But it’s hardly 007-grade security. Indeed, it’s probably safer to use a product like Web Confidential to keep a variety of passwords and just look them up when you need them. Yes, someone gaining the file and the master key will have the keys to your kingdom. But with hashapass, they only need the master key; the “database” is right there online.

Twitter, Facebook

Written on June 26, 2006