Domain: hashapass.com
Stories and comments across the archive that link to hashapass.com.
Comments · 13
-
Re:gpg
http://hashapass.com/ have a bookmarklet. Not completely auto, you still need to write in a keyword for the site, but still.. Does a good job.
-
Re:Bad passwords are not always the user's fault.
You could try looking at a solution like http://www.hashapass.com/
The relevant JS code:
function update()
{
var res = document.getElementById('resultId');
var seed = document.getElementById('seedId');
var param = document.getElementById('parameterId');
var hashapass =
b64_hmac_sha1
(seed.value,
param.value) .substr(0,8);
res.value = hashapass;
seed.value = '';
res.select();
}As long as you're allowed to make an ascii text document and have access to a web browser, that's available.
-
Re:I've lost track of my passwords...
Or Hashapass for a more portable solution.
It's pure javascript, so you can for example store the page on your cell phone and use it offline.
-
Re:Password authentication is dumb
Two solutions:
1. OpenID - it provides one central login, and I've seen providers that support SMS'ing your phone when a new browser logs in, and SSL certificates. You can also set up your own OpenID server if you don't trust a 3rd party. (yes, that also means that openid is not an antispam solution)
2. Something like Hashapass - It takes a master pw + id and generates a hash. It runs entirely in javascript, you have a bookmarklet for it, and you can save a copy of the page on any device with a webbrowser (like, your phone for example). If you're on a different machine, you can just visit the page and generate your pass (or use some trusted device).
So yeah, there are solutions to the problem, but one is not widely supported, and another require a trusted device.
-
Re:Use Password Hasher
I prefer http://www.hashapass.com/ - even have a pretty well working bookmarklet, and it's 100% javascript. Which means that you can save the page to a local file
:) -
Hashapass
Generates reasonably strong passwords that I don't have to worry about forgetting or storing. Works well for me. http://www.hashapass.com/
-
Re:Don't use them
Windows Vista / 7 has a gadget available called HashPass
It appears that they also do Apple widgets and a Firefox Bookmarklet for the same purpose; Hashing password based on context and a keyword. -
hashapass.com
I use this to generate passwords. Since one master password yields different outputs for each parameter (i.e. slashdot, hotmail) I'm confident I won't forget a password, so I'm safe typing gibberish into the question fields.
-
or hashapass
I used to use a password-storage tool, but these days for trivial website passwords, I use hashapass, which does a one-way hash (surprise!) of a seed password with a salt like the website domain name.
That way, if I'm on a different computer or can't pull up my password storage for some reason, I can still generate my password for a website. But intercepting that individual password won't help anyone figure out any of my other passwords.
It's still weak in that the master password, not only unlocks but also determines the rest. Still, for stuff like non-financial website logins, it's a godsend.
-
[Slightly OT] Phishing -- a partial solution
- Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.co
m /google..."), and also not being misled by javascript window-within-window things that make something else look like the URL bar, etc. All this probably requires a greater level of attention than is within the capabilities of, say, old people (or even those teenagers on MySpace). So how do you make sure you don't give away your password to the wrong guys? - A common phishing-like attack is to somehow hack into some low-security site and get some username-password pairs, then try them at other sites. As you might guess, this trick is quite effective, because most people use the same password everywhere. Remembering hundreds of different hard-to-guess strings is somewhat hard, after all.
There is a solution that's simple, effective, and comes at no cost -- no changes to the "user experience". It's PwdHash, developed by Dan Boneh and others at Stanford. It's available as a Firefox extension. Basically, to use it, you just pick for each site (while registering or changing the password) a password and prefix it with "@@". It could even be the same password for all sites. PwdHash will transparently convert the password you typed into a one-way hash based on the site's domain, so that the password with which you are registered on the site is actually something other than what you typed -- but you don't need to know what it is, because the next time you visit the site, you again type your password (begining with "@@"), and PwdHash will send the site your correct password (does the same thing again). So if a phisher (who is by definition on some other domain) tries to steal your password, he actually gets a different one from what the correct site would get. (Oh, and PwdHash warns you if you type "@@" into something that is not a password field.) Everything else works the same -- all you have to do is to consistently type "@@" before your password each time (or hit F2, alternatively). The idea of domain-based generators is not, new, but the beauty of this one is that it fits perfectly into one's existing workflow. A long as you ask Grandma to pick a password that "begins with" @@, you can be sure no phishing website will get her password. (Of course, it is still susceptible to email scams and malware programs, but at least safety while browsing is taken care of.)
The researchers demonstrate it as a solution to phishing, but I use it simply because remembering too many passwords is a pain. And it's by some of the top Crypto researchers, so you can be quite sure it doesn't have any stupid vulnerabilities. Read the paper (or see the Powerpoint presentation if you'd prefer it) for a more in-depth consideration of other issues. (Interestingly, one of the co-authors is Stanford student and Firefox guy Blake Ross.) - Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.co
-
Re:Use a different password on every site!
until http://www.hashapass.com/ starts logging requests.
-
Use a different password on every site!
Nobody should be using the same password on ANY two sites. You have no control over what the remote side is doing with your password.
Use something like http://www.hashapass.com/ to generate your passwords instead, and you only have to remember one thing, but your password is different on every site. -
Hashapass!
I've started using what I think is a great was to create what appear to be rather secure passwords that are easy to remember and recoverable (that's a highly qualified statement as I am in no way a security expert). Go to:
http://www.hashapass.com/
and enter your "parameter" (e.g. "march2006") and "master password" (e.g. "mysecretpassword") and you get a password (e.g. "K0u4CUXG") generated from the two. Of course you still have to remember the password, but at least if you forget it you can recover it from wherever you are, without having to write it down. It's all local JavaScript on the browser, so there's no network exposure...
t.