lomont.org

(Also lomonster.com and clomont.com)

Chris Lomont's Online Password Hasher

August 2006 - Version 0.3

 

THIS IS BETA - DO NOT USE FOR REAL PASSWORDS!!!! I do not plan to midify this unless I find security errors, but if oyu plan to use it you should make a local copy in case I change the algorithm.

 

BY USING THIS PAGE AND SERVICE YOU ABSOLVE ME OF ALL LIABILITY FROM ITS USE.

 

Do NOT use this without reading all text below. If this site is ever removed, I am not responsible for any passwords you cannot reconstruct. Actually, your password data is NEVER received at my end (as you would want it), so I cannot help you retrieve anything! If you want to use this service make yourself a copy, and place it on your own webserver. If you do so, please give me credit.

 

If the next two lines are not identical, do not use this password hasher! Your browser and this script do not work together. Currently this uses Whirlpool as the hashing function.

 

If you do not see the form here then your Javascript implementation does not work with my code.

 

 

Introduction

This tool makes using multiple online sites more secure then the way most people use them. Since it is hard to remember sufficiently long, secure passwords or passphrases for numerous online accounts, many people use variations on the same master password, or the same master password with a changed prefix or suffix, or only the exact same password for all acocunts. This is very weak; if the password is lost from one account through employee theft, accidental loss, or other mischief, all of a users accounts are now weakened.

 

For example, suppose you have financial accounts at OnlineBank and SuperTrustBank, and your password for OnlineBank is "idiotPhrase1" and then you use "idiotPhrase4" for your SuperTrustBank account. If someone working at OnlineBank steals or loses your password (quite common these days), then the thief might easily guess your SuperTrustBank password also, thereby gaining access to multiple accounts.

 

To solve the multiple dilemma of wanting multiple accounts and something simpler to memorize, this tool makes a secure password for each online account, based on the destination and a single master password. It is more secure than using the same password or similar passwords on online accounts, but not as secure as having long, completely unrelated passphrases for each account you need.

 

Examples of places you can use this tool are google accounts, bank accounts, hotmail, email, facebook, online forums, etc.

 

Instructions

Construct a master password or passphease, something preferably long (over 8 characters), and using uppercase and numeric values. For example, "potato" is a pad password, "PotaT03" is better, and best is "My Donk3y SElls PotAT0 N1bleTs" is very good. Memorize this for all time.

 

When you need a new, secure password for a new website, enter your password/phrase above, and then the url of the site. Press compute, and copy the generated password to the site.

 

YOU MUST ENTER THE EXACT SAME INFO EACH TIME YOU WANT THE PASSWORD BACK. So, don't enter "mypassword:www.google.com" one time, and "mypassword:google.com" another time, or you will not get the same password. So choose the same method, and use it every time for password generation.

 

For example, using a password length of 15, the password "mast3rpa5S" with url "google" (without quotes) generates "ZuWiUH5oR5BFaiN" while "mast3rpa5S" with "citibank" generates "kUlQsaLktOk3ZkI", which are very different and not easily guessed by an adversary.

 

A good idea is to use the same ordering for each site, subdomain, and function.
Examples: google.adsense, cnn.forums, mysite.blog, mysite.wiki.private, etc. (without the periods).

 

The entire computation is done at your end. My end never sees anything you type in. You can right click on the page, select "View Source..." and wade through the source (which is in JavaScript) to check for yourself. Or, if you don't trust me (which you shouldn't) , copy this page elsewhere and set up your own version.

 

If you want to use this, make yourself a local copy in case my webpage is ever removed. Select "File" from your browser menu, and select "Save Page As ....", and save this as a complete webpage somewhere on your system. MAKE SURE YOUR LOCAL COPY RUNS AS INTENDED!

 

Theory of operation

One afternoon Gene Foulk and I (Chris Lomont) were discussing ways to make it easier and more secure to use multiple online accounts. I had recently been creating a lot of sites, forums, and accounts, and was making more and more secure passwords. Since I could not remember them all safely, I stored them in PasswordSafe (which is a great password tool). Unfortunately this has the drawback that I cannot access them while out and about, or at work, or elsewhere, unless I want to carry a dongle with the database on it. As a result of thinking about a solution we decided an online password hasher would be neat, and probably more secure than using a master password across numerous sites.

 

Of course, I could implement a PasswordSafe plugin for Firefox :) But that might take longer than a few hours, and would be harder to use in various situations (like IE only places?!).

 

The password hasher runs client-side, so I cannot see what people enter. It is written in JavaScript, so you need JavaScript enabled to use it. The algorithm takes the input text, computes a Whirlpool hash. This binary hash is converted to text by converting the hash to base-62, and using these values mapped to A-Z, a-z, and 0-9, resulting in 62 possible characters per location.

 

Only alphanumeric characters are used (62 choices) on output to make this widely usuable. A stronger version would use more character choices per position, but might not be usuable for some logins.

 

The security of the created password should be the security of your master password/phrase. The strength is roughly a constant (26 if you only use uppercase or lowercase, 52 if you use both, and 62 if you use both and digits) raised to the length of your password. Thus a password of "FungAl1tis" would require 62^10= 839299365868340224 (approximately 2^59) combinations to find using brute force. For good security you want this number to be over 2^512, but this requires an 86 character password/phrase, which is not fun to type in.

 

Pros:

Cons:

 

Since I thought of doing this and coded it all in a few hours, I probably made some glaring or subtle error in implementation, or overlooked some attack. The only goal is to make using multiple accounts more secure than having one or similar passwords on each. If you notice something I screwed up, please email me.

 

TODO - disclaimers, better options, fold the hash over and over before base 62 conversion to get desired length.

 

License

Free for online individual use, contact me for commercial or offline use of the code.