Password Hasher Plus

Hands down, this is the number one must-have Chrome extension: Password Hasher Plus. Here is why:

Identity theft is a serious problem and it does not look like it is getting any better. People are starting to use strong passwords, but they use the same one for all the sites they visit. This is VERY risky. Suppose your Twitter account information gets stolen. If you use the same username and password on all your sites, the hacker now has access to ALL your sites (E-mail/Amazon/PayPal/Facebook …). This happened to a colleague of mine. His Facebook account was hacked and from there the hacker took control of several other accounts, including his E-mail. In the age of on-line banking this can also mean unfettered access to your money.

Imposters

There are published guides on how to minimize the chances of identity theft and minimize the impact if your accounts get hacked. One of the strategies is to use long and complex passwords that are unique per site. That means that your password should be something like 4rtR0!fp<kl for webmail and a different set of random mixed characters for Amazon. The obvious problem is remembering all that gibberish. So how do you manage all those passwords?

One solution is to use a password manager that keeps all the passwords in an internal encrypted database. KeePass is a great product for doing that. But that means you have to have your KeePass database with you wherever you go, which is not always practical.

The better approach is to use a password hash. This means you use a one-way mathematical function to combine two strings (your master password and the site name) into a unique third string. In plain English, this means you need to remember only one master password and the site name, and you still get a really strong, unique password for every site.

For example, let's say my master password was ‘arisblog’, which is pretty easy to remember. If I use the hasher for the site Amazon I would get a password hash of ‘OQe7ppddC/pfwp1r’ every time. I never need to remember that mess; I just need to remember my master password. If I use the same master password for the Google sites I would get a password of ‘bl78nulbR/Grgcxy’. Those are some pretty hard passwords to guess or crack.

Password Hasher Plus builds this functionality into Chrome. You can set the length and the character types of your hashed password. I recommend at least 16 characters using both alphanumeric and special characters.
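As an added illustration that is not part of the original post and not the Password Hasher Plus or Wijjo code, here is a small Python implementation of the idea described above: one master password plus a site name deterministically yields a strong, unique per-site password. The construction (HMAC-SHA256, the alphabet, and the optional site key, which mirrors the extension's site-key option mentioned in the comments) is an assumption of this example, not the extension's actual algorithm; the sample master password ‘arisblog’ is the one from the post.

```python
import hashlib
import hmac
import string

# Character classes the derived password must draw from (the post recommends
# at least 16 characters mixing alphanumerics and specials).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIALS = "!@#$%^&*+-=?"
CLASSES = (LOWER, UPPER, DIGITS, SPECIALS)
ALPHABET = "".join(CLASSES)


def hashed_password(master: str, site: str, site_key: str = "", length: int = 16) -> str:
    """Deterministically derive a per-site password from a master password.

    Assumed construction for illustration (not the Wijjo/Password Hasher Plus
    algorithm): HMAC-SHA256 keyed with the master password over the normalized
    site name plus an optional site key. HMAC is one-way, so a leaked per-site
    password does not practically reveal the master or other sites' passwords.
    """
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    message = site.strip().lower().encode() + b"\x00" + site_key.encode()
    digest = hmac.new(master.encode(), message, hashlib.sha256).digest()
    # One byte per class for the first four characters guarantees every class
    # appears; the remaining bytes map onto the full alphabet.
    chars = [cls[digest[i] % len(cls)] for i, cls in enumerate(CLASSES)]
    chars += [ALPHABET[b % len(ALPHABET)] for b in digest[4:length]]
    # Deterministic Fisher-Yates shuffle driven by a second hash of the digest,
    # so the guaranteed class characters do not sit at fixed positions.
    stream = hashlib.sha256(digest).digest()
    for i in range(length - 1, 0, -1):
        j = stream[i] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_required_mix(password: str) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    master = "arisblog"  # sample master password from the post
    for site in ("amazon.com", "google.com"):
        print(site, hashed_password(master, site))
    # With a site key, knowing the master password alone is no longer enough.
    print("amazon.com + site key", hashed_password(master, "amazon.com", site_key="k7"))
```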

Password Hasher Plus

This is a port of the Firefox extension from the wijjo site, written by Steve Cooper. The wijjo site also has an online password hasher that works in any browser. You can use the online version when you are away from home on a public computer to generate the password hash you need to log in to your sites. This really is the simple way of keeping your sites secure.

What methods do you use to keep your passwords secure? Tell me in the comments.


This entry was posted on Tuesday, August 3rd, 2010 at 1:27 pm and is filed under General, Linux, OSX, Windows.

10 Responses to “Password Hasher Plus”

  1. Melvyn Says:

    Does it use a “standard” for generating the hashes? I’m concerned about the specific service going down or disappearing and then having no other way to generate the hash in the future.

  2. Ari Says:

    Password hasher is based on the Wijjo code. You can download the online page (http://wijjo.com/passhash/passhash.html) and generate the hashes locally so you are not dependent on on-line resources. I keep a copy of the passhash.html in my dropbox folder so I always have access to it when on-line.

  3. Ben Says:

    I don’t see where I put in my private key in this online/downloadable version… and the passwords it’s generating do not match my ones using the Chrome extension. What am I doing wrong?

  4. Ari Says:

    Hi Ben,

    In order to use the online hasher with the plug-in the plug-in must be set to compatibility mode. The author is working on a new web page that will allow for use of a private key. Until then I would recommend working in compatibility mode.

    Hope this helps,

    Ari

  5. Ben Says:

    Thanks Ari — yeah, I figured this out after playing with it for a bit. :) Another question– is it possible for anyone to un-hash & figure out your ‘master’ password if they know the hashed password and the site tag/key?

  6. Ari Says:

    Hi Ben,

    In general I don’t like to say things are impossible. It is very, very difficult to reverse the password if you have the password and the site tag, but it is not impossible. If nothing else it could be discovered via a brute force attack. Brute force attacks are very hard on a long/complex password. In short, you should always safeguard your master key. I am not concerned that if one password is compromised that others will be. It is a risk but I believe a very small one.

    -Ari

  7. Ben Says:

    Thanks for the info, Ari! Just to be a little more cautious, I’m making each site key and my ‘important’ masters unique. This is still much easier! Before this I was using an algorithm I made up, but it was a huge PITA for me to use on sites that I had not memorized the password.

  8. Brian White Says:

    I just started using this and can contribute a few things:

    Reversing the hash to obtain the master password is so impractical that it might as well be impossible. Knowing one generated password would not be enough since there are many (billions? trillions? billions of trillions?) potential master passwords that would generate the known password but only one would generate correct passwords for other sites. So not only is this computationally infeasible, there are surely a great many weaker passwords that an attacker will try first.

    There is (now) a pure html/javascript version reachable from his “developer website”. I put a copy of it on the SD-card of my Android phone for access anywhere (though not as convenient as having the extension installed), though using it is dangerous (see below).

    DO NOT, UNDER ANY CIRCUMSTANCES, USE EITHER THE EXTENSION OR WEB-VERSION ON AN UNTRUSTED COMPUTER! You have to type your master password (and site-key, if used) and at that point a listener (keylogger, shoulder surfer, etc.) has all your passwords!

    If you use a generated password from a trusted device (e.g. your phone) to access an account via an untrusted computer, “bump” (change) the password for that account using a trusted computer as soon as possible. At least you’ve only compromised one account.

    Set an easy to remember “site key” so that you can operate on multiple (trusted) devices. If you don’t, then knowing the master password is sufficient to know all your passwords. Since you have to type your master password in the site’s password box and then click a “hash” button to convert it, you run the risk of forgetting to click the button and accidentally submitting your master password to that site. It’ll reject it, of course, but it’s always possible it was sniffed or recorded in the process. Also, a malicious website could send every character back to the server, thus acquiring your master password as you type it before hashing it. With an additional “site key”, knowing the master password is not sufficient.

    – Brian

  9. Nolan Says:

    The javascript/html site does not work for me with internet explorer 8 or 9.

  10. Ari Says:

    Hi Nolan,

    You are right, IE 8 and 9 do not work with the online hash generator.

    I recommend using chrome which works well with the on-line hash generator.
    -Ari
