PwdHash

栏目: IT技术 · 发布时间: 4年前

PwdHash

Web Password Hashing

Description

The Common Password Problem. Users tend to use a single password at many different web sites. By now there are several reported cases where attackers breaks into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective.

A Simple Solution. PwdHash is an browser extension that transparently converts a user's password into a domain-specific password. The user can activate this hashing by choosing passwords that start with a special prefix ( @@ ) or by pressing a special password key (F2). PwdHash automatically replaces the contents of these password fields with a one-way hash of the pair (password, domain-name). As a result, the site only sees a domain-specific hash of the password, as opposed to the password itself. A break-in at a low security site exposes password hashes rather than an actual password.We emphasize that the hash function we use is public and can be computed on any machine which enables users to login to their web accounts from any machine in the world. Hashing is done using a Pseudo Random Function (PRF).

Phishing protection. A major benefit of PwdHash is that it provides a defense against password phishing scams . In a phishing scam, users are directed to a spoof web site where they are asked to enter their username and password.SpoofGuard is a browser extension that alerts the user when a phishing page is encountered. PwdHash complements SpoofGuard in defending users from phishng scams: using PwdHash the phisher only sees a hash of the password specific to the domain hosting the spoof page. This hash is useless at the site that the phisher intended to spoof.

Publications

Download

Please note: These prototypes are intended for demonstration purposes only. We reserve the right to change the hashing algorithm in future versions, which may require you to reset your passwords if you want to upgrade.

  • Version 1.7 for Mozilla Firefox 3.5 and earlier : Installer (16KB),Source code (16KB)
  • Version 0.6 (beta) for Internet Explorer 7:Installer (537KB)Source code (144KB)
  • Version 0.5 (beta) for Internet Explorer 6:Installer (628KB)Source code (147KB)
  • Opera users may be interested in Haris Andrianakis's PwdHash for Opera , but read about the limitations of user scripts in our paper.
  • Send us feedback

Deployment Challenges

PwdHash preserves the benefits of password authentication such as mobility without any hardware requirements. Our primary design goals are not to change to the user experience and not to require server-side changes

. To do so, we had to overcome a number of challenges:

  • PwdHash must defend against JavaScript at a phishing site that may confuse users into typing their passwords in an insecure location (such as a text field that is made to look like a password field). PwdHash includes a number of clever mechanisms to defend against such attacks. 
  • After PwdHash is installed users can set up hashed passwords at the various sites they use by resetting their password. Typically, reset pages ask the user to type in the old password and then enter the new password twice. PwdHash must somehow recognize the old password field and avoid hashing it. PwdHash relies on the user to pick new passwords that start with @@ so that they can be distinguished from regular passwords. Alternatively, the user can press the password key (F2) before entering the password to indicate that the password should be hashed.
  • We found a small number of sites (i.e. one site) where the password reset page is hosted on a different domain than the password use page. As a result the wrong password hash is registered at the site after password reset. One solution is to create a list of such sites so that PwdHash can tell how to handle them. Other solutions involving server-side changes are also possible. 
  • Occasionally, users want to login to their web accounts on machines where they cannot install browser extensions (e.g. at Internet cafes). In this case users can connect to our web site

    https://www.pwdhash.com

    where they are presented with one of the following forms, depending on whether their browser supports clipboard operations via script:

    PwdHash
    Internet Explorer 6.0
    PwdHash
    Firefox 1.0

    Javascript computes the password hash on the local machine (so that the user's password is never communicated to Stanford). The resulting hashed password can be pasted into the user's web login form.

Project Staff:

Stanford Security Lab

以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

编程珠玑(续)(修订版)

编程珠玑(续)(修订版)

【美】Jon Bentley 乔恩•本特利 / 钱丽艳、刘田 / 人民邮电出版社 / 2015-2 / CNY 35.00

历史上最伟大的计算机科学著作之一 融深邃思想、实战技术与趣味轶事于一炉的奇书 带你真正领略计算机科学之美 多年以来,当程序员们推选出最心爱的计算机图书时,《编程珠玑》总是位于前列。正如自然界里珍珠出自细沙对牡蛎的磨砺,计算机科学大师Jon Bentley以其独有的洞察力和创造力,从磨砺程序员的实际问题中凝结出一篇篇不朽的编程“珠玑”,成为世界计算机界名刊《ACM通讯》历史上最受欢......一起来看看 《编程珠玑(续)(修订版)》 这本书的介绍吧!

HTML 压缩/解压工具
HTML 压缩/解压工具

在线压缩/解压 HTML 代码

JSON 在线解析
JSON 在线解析

在线 JSON 格式化工具

在线进制转换器
在线进制转换器

各进制数互转换器