This article is mainly targeted at Information Technology and Security professionals.
I was one of the victims of the recent LinkedIn password hash leak (I found my password hash in the dump, without the leading 0000). It made me wonder how my other passwords are protected. I know that there are services out there that do not even hash passwords but store them as plain text instead. (Update: Yahoo! Voice, 450k passwords plus email addresses leaked: an example of passwords stored as plain text.) This is a tricky situation, because we as human beings tend to either use the same password for many services or use something similar. A leak at any one service could give attackers at least some hint about my passwords at other services. So I came up with this idea of using hashes instead of the real password. Here we go:
Instead of entering a plain password, how about creating your passwords like this:
Service specific password + General password -> hash function -> Actual password to service
The service-specific password should be fairly easy to remember; the general password can be more complex.
- Service-specific password (LinkedIn in this example): LiNsalt
- Your general password (the same for every site): SF0HJxLs
- Combined: LiNsaltSF0HJxLs
Calculate the hash (SHA-1 in this example):
UnixMachine:~ jani$ echo -n "LiNsaltSF0HJxLs" | shasum
The 40-character hex digest that shasum prints (ignore the trailing "-", which only marks that the input came from stdin) is now a strong and unique password for the service. If the service leaks it, even in plain text, an attacker gets no direct hint about the general password, because the hash is one-way. One caveat: SHA-1 is very fast, so an attacker who knows the scheme and the service-specific part can still guess the general password offline against a leaked derived password. The derived password is only as strong as the secret that went into it; a slow key derivation function such as PBKDF2 makes that guessing far more expensive.
Obviously this method needs some fine-tuning, but I hope the idea is presented clearly enough. One practical snag is that some services cap password length below 40 characters or require symbols, so the digest may need to be truncated or reshaped per service. Basic hash functions are available on all platforms, including the leading smartphone platforms, so generating these anywhere would not be a problem. Generally I like the idea that you don't have to store passwords anywhere.
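As an added example (this code is mine, not part of the original post or of any plug-in it mentions), here is the scheme above in Python, next to two things the post does not show: what an attacker can do with a derived password that leaks in plain text when the scheme is known, and a hardened variant that uses PBKDF2 with the service-specific part as the salt and shapes the output to a shorter password. The SHA-1 function matches the shasum one-liner; the PBKDF2 iteration count, the 16-character output length, the 64-symbol alphabet and the sample wordlist are my own assumptions.

```python
import hashlib
import hmac
import string
from typing import Iterable, Optional

# Sample values copied from the post's example (constructed for illustration).
SITE_TAG = "LiNsalt"          # service-specific part, easy to remember
GENERAL_SECRET = "SF0HJxLs"   # general part, shared across every service


def derive_sha1(site_tag: str, general: str) -> str:
    """The scheme exactly as the post describes it.

    Equivalent to:  echo -n "<site_tag><general>" | shasum
    Returns the 40-character hex SHA-1 digest of the concatenation.
    """
    return hashlib.sha1((site_tag + general).encode("utf-8")).hexdigest()


# 64 symbols so that a byte maps onto the alphabet without modulo bias
# (assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!@"


def derive_pbkdf2(site_tag: str, general: str,
                  iterations: int = 200_000, length: int = 16) -> str:
    """Hardened variant (an assumption of this example, not from the post).

    Uses PBKDF2-HMAC-SHA256 with the site tag as salt, so each candidate
    general secret costs the attacker `iterations` HMAC calls instead of a
    single SHA-1, and maps the output to `length` characters from ALPHABET
    so it fits sites that cap password length below 40 characters.
    The iteration count, length and alphabet are hypothetical choices.
    """
    raw = hashlib.pbkdf2_hmac("sha256", general.encode("utf-8"),
                              site_tag.encode("utf-8"), iterations, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def recover_general_secret(leaked_password: str, site_tag: str,
                           candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does with a derived password leaked in plain text.

    If the scheme and the site tag are known, each guess at the general
    secret costs one SHA-1, so the derived password is only as strong as
    the general secret behind it. Returns the matching candidate or None.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_sha1(site_tag, guess), leaked_password):
            return guess
    return None


if __name__ == "__main__":
    linkedin_pw = derive_sha1(SITE_TAG, GENERAL_SECRET)
    print("SHA-1 scheme    :", linkedin_pw)
    print("different site  :", derive_sha1("FBsalt", GENERAL_SECRET))
    print("PBKDF2 variant  :", derive_pbkdf2(SITE_TAG, GENERAL_SECRET))
    # Constructed guess list: the third entry is the real general secret.
    wordlist = ["password", "hunter2", GENERAL_SECRET]
    print("attacker recovers:", recover_general_secret(linkedin_pw, SITE_TAG, wordlist))
```

Run it with `python3` and compare the first line with the shasum output from the post. The wordlist in the demo is tiny on purpose; the point is that a leaked SHA-1-derived password falls to a dictionary attack as quickly as any other unsalted SHA-1, whereas the PBKDF2 variant makes every guess cost 200,000 HMAC computations.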
I did some googling and found out that this is not a completely new idea; there is a ready-made browser plug-in:
The page looks a bit outdated and the developer team has identified some challenges, but the concept is good. I think a similar mobile application would solve most of these issues. This is a free idea for mobile app developers! 🙂
It should be the service provider's responsibility to protect user passwords. However, this is not the case at every service, and there are things users can do to protect their passwords even at services with poor security implementations. The hashing presented in this post is one of them. Let this post be a discussion starter about the idea.