Pwd Hash

Information about Pwd Hash

Published on June 20, 2007

Author: Aric85


Stronger Password Authentication Using Browser Extensions
Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell
Stanford University

Password Phishing Problem
- Diagram: Bank A, Fake Site; the user's password pwdA is typed at both
- User cannot reliably identify fake sites
- Captured password can be used at target site

Common Password Problem
- Diagram: Bank A (high security site) and Site B both receive pwdA
- Phishing attack or break-in at site B reveals pwd at A
- Server-side solutions will not keep pwd safe
- Solution: strengthen with client-side support

Our Solution: PwdHash
- Lightweight browser extension
- Impedes password theft
- Invisible to server
- Invisible to user
- Two ingredients: Pwd Prefix, Pwd Hashing

Password Hashing
- Generate a unique password per site
- Bank A receives hash(pwdA, BankA); Site B receives hash(pwdB, SiteB)
- Diagram labels: HMACfido:123( ... ) = Q7a+0ekEXb for Bank A; HMACfido:123( ... ) = OzX2+ICiqc for Site B

Password Hashing: past attempts
- Hash pwd with realm provided by remote site: HTTP 1.1 Digest Authentication, Kerberos 5
  - Does not prevent phishing, common pwd
- Hash pwd with network service name:
  - Abadi, Bharat, Marais [PTO '97]: standalone
  - Gabber, Gibbons, Mattias, Mayer [FC '97]: proxy
  - Relies on intercepting traffic: can't handle https

Password Hashing: a popular idea
- Recent password hashing projects: Site Password, Password Maker, Genpass, Passwdlet, Password Composer, Magic Password Generator, PwdHash, Password Generator Extension
- Similar hashing algorithms
- Only PwdHash defends against spoofing and is invisible to the user

The Spoofing Problem
- JavaScript can display password fields or dialogs
- Unhashed password sent to attacker in clear

Password Prefix
- Original pwd should never be visible to web page
- Diagram labels: @@fido:123, @@abcdefgh; Site B receives OzX2+ICiqc

Password Prefix: How it works
- Normal operation: prefix in password field
  - Diagram: @@fido:123 typed as **********, hashed with HMACfido:123( ... ) to Q7a+0ekEXb
- Abnormal operation: prefix in non-password field
  - Can just ignore the prefix and not hash
  - Remind user not to enter password
  - Diagram: @@abcdefgh passes through as abcdefgh

Why use Password Prefix?
- Protection mechanism 'built in' to password
- Does not rely on user to make a decision
- Same prefix works for everyone
- Distinguishes secure passwords from normal passwords (social security numbers, PINs)
- Only use it when you want to

Other Trusted Pwd Interfaces
- Password prefix (starts with @@)
- Secure attention sequence
- Trusted image or phrase: Passmark, DSS

Other Challenges
- Password Reset
- Internet Cafes
- Dictionary Attacks
- Spyware, DNS poisoning (no protection)
- Other issues (described in the paper): choosing salt for hash, encoding hashed password, additional attacks and defenses

Password Reset
- After install, PwdHash can't protect existing pwds
- Only passwords starting with @@ are secure
- User can choose where to use PwdHash
- User must enter old password unhashed into password reset page
- Pwd Prefix makes it easy:
  - Old passwords won't be accidentally hashed
  - New, secure passwords are automatically hashed

Internet Cafes
- Users cannot install software at Internet Cafes
- Would not be a problem if PwdHash were universally available
- Interim solution: a secure web site for remote hashing, e.g.
  - Hash is computed using JavaScript
  - Server never sees password
  - Resulting hash is copied into clipboard
  - Can also be used as a standalone password generator
- Diagram labels: Internet Explorer, Firefox

Dictionary attacks
- After phishing attack or break-in to low security site, attacker can repeatedly guess password and check hash
  - Succeeds on 15% of passwords (unlike 100% today)
  - Less effective on longer, stronger passwords
  - Diagram: aardvark, aback, abacus, abandon...
- Solution: better authentication protocol (SPEKE, SRP, etc.)
  - Requires server-side changes
- Defense: user specifies a global pwd to strengthen all pwd hashes
  - Creates a new pwd management problem for shared machines
- Defense: slow hash function (Halderman, Waters, Felten '05)
  - Increases time of dictionary attack

PwdHash: Try it out
- Prototype for Internet Explorer and Mozilla Firefox
- Defends against spoofing
- Invisible to user
- Invisible to server
- Complementary to other anti-phishing solutions
- Only use it when you want to
