Monthly Archives: July 2012

Could hashing protect your personal passwords at security breach?

This article is mainly targeted at Information Technology and Security professionals.

I was one of the victims of the recent LinkedIn password hash leakage (I found my password hash there, without the leading 0000). It made me wonder how my other passwords are protected. I know that there are services out there that do not even hash passwords but store them as plain text instead. (Update: Yahoo! Voice 450k passwords + emails leaked, an example of passwords stored as plain text.) This is a tricky situation, because we as human beings tend to either use the same password for many services or use something similar. Leakage at any service could give attackers at least some sort of hint about my passwords at other services. So I came up with this idea of using hashes instead of the real password. So here we go:

Instead of entering a plain password, how about creating your passwords like this:

Service specific password + General password -> hash function -> Actual password to service

The service specific password should be fairly easy to remember and the general password can be more complex.

Simplified example:

  • Service specific password (LinkedIn this time): LiNsalt
  • Your general password (same for every site): SF0HJxLs
  • Combined: LiNsaltSF0HJxLs

Calculate the hash (SHA-1 in this example):

UnixMachine:~ jani$ echo -n "LiNsaltSF0HJxLs" | shasum
2b7eccfe8022c631ff3c857412c53fdef29a56c0  -

And here we have a strong and unique password for the service. This method prevents an attacker from getting any hint of the actual password.

Obviously this method needs some fine-tuning, but I hope the idea is presented clearly enough. Basic hash functions are available on all platforms, including the leading smartphone platforms, so it would not be a problem to generate these anywhere. Generally I like the idea that you don't have to store passwords anywhere.
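Here is the scheme described above written out as a small script, added for this archive page and not code from the post. The first function is the post's construction exactly (SHA-1 over service specific part + general password, the same computation as the shasum line above). The second function is one assumed way to do the "fine-tuning" the post asks for, not something the post proposes: PBKDF2-HMAC-SHA256 keyed with the general password and salted with the service name, truncated so that services with a maximum password length still accept it. The service names and the example values are taken from or constructed around the post's own simplified example.

```python
import hashlib

# Constructed inputs, taken from the post's own simplified example.
GENERAL_PASSWORD = "SF0HJxLs"   # the one secret you remember
SERVICE_SPECIFIC = "LiNsalt"    # easy-to-remember, per-service part


def blog_scheme(service_specific: str, general: str) -> str:
    """The construction exactly as the post describes it:
    SHA-1 over (service specific password + general password),
    the same computation as: echo -n "LiNsaltSF0HJxLs" | shasum
    """
    combined = service_specific + general
    return hashlib.sha1(combined.encode("utf-8")).hexdigest()


def kdf_scheme(service_name: str, general: str, length: int = 20,
               iterations: int = 200_000) -> str:
    """An assumed refinement (not from the post): PBKDF2-HMAC-SHA256 with
    the general password as the secret and the service name as the salt.
    A slow KDF makes offline guessing of the general password far more
    expensive if one derived password ever leaks in plain text, and the
    output is truncated because some services reject long passwords."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        general.encode("utf-8"),
        service_name.strip().lower().encode("utf-8"),  # normalise the salt
        iterations,
    )
    return derived.hex()[:length]


def is_hex_digest(value: str, length: int) -> bool:
    """Sanity check: expected length and only hex characters."""
    return len(value) == length and all(c in "0123456789abcdef" for c in value)


def derived_passwords_are_independent(general: str, services) -> bool:
    """Defender's check: no two services share a derived password, so a
    plain-text leak at one of them (the Yahoo! Voice case in the post) is
    not directly reusable at another."""
    outputs = [kdf_scheme(s, general) for s in services]
    return len(set(outputs)) == len(outputs)


if __name__ == "__main__":
    print("post's scheme :", blog_scheme(SERVICE_SPECIFIC, GENERAL_PASSWORD))
    print("KDF scheme    :", kdf_scheme("linkedin", GENERAL_PASSWORD))
    print("independent?  :", derived_passwords_are_independent(
        GENERAL_PASSWORD, ["linkedin", "yahoo", "gmail"]))
```

With either function the derived password is unique per service, so a leaked hash at one site reveals nothing reusable at another. The limit of both is the strength of the general password: if a derived password is ever exposed in plain text and the scheme is known, the general password can be guessed offline, and the post's single unsalted SHA-1 lets that happen at full hashing speed, which is why the KDF variant with a large iteration count is used here.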

I did some googling and found out that this is not a completely new idea; there is one ready-made browser plug-in:

The page looks a bit outdated and the developer team has identified some challenges, but the concept is good. I think a similar mobile application would solve most of these issues. This is a free idea for mobile app developers! 🙂


It should be the service provider's responsibility to protect user passwords. However, this is not the case at every service, and there are things users can do to protect their passwords even at services with poor security implementations. The hashing presented in this post is one of them. Let this post be a discussion starter about this idea.

Further reading


Remember that password?

Article complexity: This article is intended for the normal internet user.

Password strength

Without going deep into mathematics, password strength is basically a combination of password length, character set (special characters, capital and lower-case letters, numbers etc.) and randomness. Strong passwords tend to be hard to remember, and you should have a different password for every service. In this post I will present three methods that could help you remember strong passwords.

Warning: If you are not absolutely sure what you are doing, be extra careful with sites that provide "test your password strength" services. Services like that might be created to phish your password.

Three methods

Write them down! (F-Secure/Annika method)

This method is fully explained in the F-Secure Safe and Savvy blog. The basic idea is to keep part of your service-dependent password on paper and to remember a secret "PIN" that is added to this password. The thoughts behind this idea are good, but there are a couple of things to notice:

  • I recommend using a much longer password and PIN than presented in that blog post
  • In case of a password breach at one of the services you should change the password at all services, since the PIN is exposed. This can be really frustrating.

Overall this method provides the means for good passwords.

Password manager

Password managers like LastPass and 1Password can store strong passwords, and you only have to remember one password to use all your passwords. Password managers are a really good solution, but there are also some issues:

  • You are fully dependent on the password manager. Cloud solutions help with this, but they add the concerns that apply to all cloud services.
  • There is a single point of failure: all your data is behind one password. Leakage of that password exposes all your passwords.

Passphrases

Passphrases are like passwords that consist of words instead of letters. Here is an example: ThoseThreePonysArePinkAndReallySmall! That is an actual phrase that can be remembered. However, it does not offer good randomness, so a better passphrase would be: ShirtSunWavesLivingSafeTreeAdsDoorPopularity? This is better since it has more randomness (not completely random words, though) but it is not as easy to remember. If you want to add some complexity, you could use several languages and special characters. A couple of notes:

  • Not all services accept really long passwords (unfortunately)
  • You should use totally different words for each service, and this could lead to the original problem (hard to remember)
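The "length, character set and randomness" description at the top of this post and the two passphrases just above can be put into numbers. The script below is an added example for this archive page, not code from the post. It estimates entropy two ways: per character, from the character classes a password actually uses (what a typical strength meter does), and per word, for CamelCase passphrases like the post's examples. The word-list size of 7776 (a five-dice word list) is an assumption, not a value from the post.

```python
import math
import re
import string

# Character classes used for the per-character estimate.
CHARSETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}

# Assumed size of the word list a passphrase is drawn from (five-dice list).
# This is an assumption for the example, not a number from the post.
DEFAULT_WORDLIST_SIZE = 7776


def charset_size(password: str) -> int:
    """Size of the alphabet a guesser would have to search, estimated from
    which character classes actually appear in the password."""
    return sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))


def password_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming every character was chosen uniformly
    at random from the detected alphabet. This is the 'randomness' term in
    the post, and it is only an upper bound."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def count_camelcase_words(passphrase: str) -> int:
    """Word count for passphrases written in the post's CamelCase style."""
    return len(re.findall(r"[A-Z][a-z]*", passphrase))


def passphrase_entropy_bits(passphrase: str,
                            wordlist_size: int = DEFAULT_WORDLIST_SIZE) -> float:
    """Entropy if each word was picked at random from a list of
    `wordlist_size` words. A phrase that reads like a sentence has far less
    real randomness than even this number suggests, because the words
    predict each other."""
    return count_camelcase_words(passphrase) * math.log2(wordlist_size)


if __name__ == "__main__":
    # Constructed inputs: the post's general password and its two passphrases.
    for pw in ("SF0HJxLs",
               "ThoseThreePonysArePinkAndReallySmall!",
               "ShirtSunWavesLivingSafeTreeAdsDoorPopularity?"):
        print(f"{pw}")
        print(f"  per-character bound : {password_entropy_bits(pw):6.1f} bits")
        print(f"  per-word estimate   : {passphrase_entropy_bits(pw):6.1f} bits"
              f" ({count_camelcase_words(pw)} words)")
```

The comparison shows why the post prefers the second passphrase: the sentence-like phrase scores very high on the per-character bound (long, three character classes) but it is really only eight English words that follow one another naturally, so the word-level figure is the honest one. It also shows why the warning above about "test your password strength" sites matters beyond phishing: a meter that only counts characters and classes will happily rate a dictionary sentence as excellent.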


As you can see, there is no silver bullet for this problem. I hope this blog post brought some help when dealing with your passwords. I will continue the hunt for a good solution and keep you updated!