Could hashing protect your personal passwords in a security breach?

This article is mainly targeted at Information Technology and Security professionals.

I was one of the victims of the recent LinkedIn password hash leak (I found my password hash there, without the leading 0000). It made me wonder how my other passwords are protected. I know that there are services out there that do not even hash passwords but store them as plain text instead. (Update: Yahoo! Voice, 450k passwords + emails leaked – an example of passwords stored as plain text.) This is a tricky situation, because we as human beings tend to either use the same password for many services or use something similar. A leak at any one service could give attackers at least some sort of hint about my passwords at other services. So I came up with this idea of using hashes instead of the real password. So here we go:

Instead of entering a plain password, how about creating your passwords like this:

Service specific password + General password -> hash function -> Actual password to service

The service-specific password should be fairly easy to remember; the general password can be more complex, since you only ever have to remember one of them.

Simplified example:

  • Service-specific password (LinkedIn this time): LiNsalt
  • Your general password (the same for every site): SF0HJxLs
  • Combined: LiNsaltSF0HJxLs
Calculate the hash (SHA-1 in this example):
UnixMachine:~ jani$ echo -n "LiNsaltSF0HJxLs" | shasum
2b7eccfe8022c631ff3c857412c53fdef29a56c0  -

And here we have a strong, unique password for the service. Because the hash is one-way, a leak at that service (whether the provider stored the hash and it got cracked, or stored the password in plain text) exposes only the derived value, not your general password, and the derived value for one service tells the attacker nothing about the derived value for another. One caveat to keep in mind: if an attacker obtains the derived password and guesses the scheme, the service-specific part is easy to guess (it is built from the service name), so the general password is the only secret left. The attacker can then try candidate general passwords offline at one SHA-1 computation per guess, which is very fast; the general password therefore has to be genuinely strong.
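To make the scheme and its caveat concrete, here is an added example (my own illustration, not code from the original post or from PwdHash) that implements the derivation exactly as described above, SHA-1 over service-specific part + general part, and then plays the attacker who has obtained one derived password from a service that stored passwords in plain text. The service name "FBsalt" and the candidate word list are constructed for the example.

```python
import hashlib
import hmac

def derive_password(service_secret: str, general_secret: str) -> str:
    """The post's scheme: SHA-1 over (service-specific part + general part).

    The hex digest is what you actually type into the service's password field.
    """
    combined = (service_secret + general_secret).encode("utf-8")
    return hashlib.sha1(combined).hexdigest()


def derive_for_services(service_secrets, general_secret: str) -> dict:
    """Derive one distinct password per service from a single general secret."""
    return {svc: derive_password(svc, general_secret) for svc in service_secrets}


def recover_general_secret(leaked_derived: str, service_secret: str, candidates):
    """Attacker's view of the caveat in the text.

    Given a derived password leaked from one service (for example a provider that
    stored passwords in plain text) and a guessed service-specific part, try each
    candidate general password. Each guess costs one SHA-1, so the work factor
    is entirely the entropy of the general password. Returns the recovered
    general secret, or None if no candidate matched.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_password(service_secret, guess), leaked_derived):
            return guess
    return None


if __name__ == "__main__":
    general = "SF0HJxLs"                      # the post's example general password
    table = derive_for_services(["LiNsalt", "FBsalt"], general)  # FBsalt is a constructed example
    for svc, pw in table.items():
        print(f"{svc:8s} -> {pw}")

    # Constructed attacker word list; the last entry is the real general password.
    wordlist = ["password", "123456", "letmein", "SF0HJxLs"]
    leaked = table["LiNsalt"]                 # obtained from a plain-text leak
    print("recovered general password:", recover_general_secret(leaked, "LiNsalt", wordlist))
```

Running it shows two unrelated 40-hex-character passwords for the two services, and then shows that as soon as the general password appears in the attacker's word list, one leaked derived password is enough to recover it and, with it, every other derived password. The usable strength of the whole scheme is therefore the strength of the general password, which is why the text recommends making that one complex.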

Obviously this method needs some fine-tuning, but I hope the idea is presented clearly enough. Basic hash functions are available on all platforms, including the leading smartphone platforms, so generating these passwords anywhere would not be a problem. Generally I like the idea that you don't have to store passwords anywhere.

I did some googling and found out that this is not a completely new idea; there is one ready-made browser plug-in:

http://crypto.stanford.edu/PwdHash/

The page looks a bit outdated and the developer team has identified some challenges, but the concept is good. I think that a similar mobile application would solve most of these issues. This is a free idea for mobile app developers! 🙂

Summary

It should be the service provider's responsibility to protect user passwords. However, this is not the case at every service, and there are things users can do to protect their passwords even at services with poor security implementations. The hashing presented in this post is one of them. Let this post be a discussion starter about this idea.


Posted on July 12, 2012, in Technical Info Sec. 1 Comment.

  1. I just found out about the Yahoo! Voice password breach: http://mashable.com/2012/07/12/yahoo-voice-hacked-usernames-and-passwords-posted-online/
    Emails and passwords of 450,000 users were posted online.
