About Passhash

[ chaoszone.org ]

Remembering lots of Passwords is a Pain

Once upon a time, people had at most maybe two or three passwords. One for their main system login, one for a developmental login somewhere, and maybe another one for emergency access to the hot new PDP-11 in the lab upstairs. Today, on the web, everybody+dog goes to sites that insist on asking for a password before they let you through. What people usually do is choose one (or two, or three) passwords, and use those for all their needs. I can remember over twenty five sites that I actively use a password for, for example. And remembering 25 different variants of ^&dskf2@pil7 is a pain.

Other Solutions

Oh, there are plenty of solutions. IE's autocomplete (ha! - try using that on a pre-XP family PC). Mozilla's Personal Security Manager. Gator (/me ducks). More seriously, if you mostly access the net from one computer, Bruce Schneier's pass safe is pretty effective. It's Win32 only, though.


Passhash was originally proposed by a poster on Slashdot (can't find the link now, would appreciate a pointer) who suggested using a message digest system based on a master passphrase. I thought about it and it made sense to implement it as a bookmarklet anyone could use over the web. In this implementation, all computation happens on the client (via Javascript) and no sensitive data is transmitted over the network. How passhash works, in a nutshell, is MD5(username + location + master passphrase). Everything else is window dressing.

Security Considerations

Plenty. I would recommend using Passhash only for `throwaway' passwords. The main problem is: since Passhash is essentially a MD5 hash, the search space is low: numbers 0-9 and letters a-f. (This is by default. You can add other characters later, after the hash generation process, though that somewhat defeats the purpose of using Passhash.) Again by default, the length is limited to 32 (leading to around 3.4e+38 combinations, which compares well with a 128 bit keyspace). Many sites, though, have (bad) password policies that restrict passwords to as few as 8 characters (the combinations shrink to about 4.3 billion here -- easily solved by brute force techniques).

I consider passhash a defence only against the casual snoop, nothing more. Use at your own risk!

How to Install on your Browser

Right click on the link alongside and add it to your Favorites (say yes to any confirmation dialogs): Passhash.

How to Use

Caveat: As of now, Passhash works on IE only (tested on IE6).

When you're on the web page requesting a password, click the Passhash favorites link. This will lead you to a dialog box-like web page.

Here, enter the username and master password, and press Generate. This will generate a hash and paste 10 characters to the clipboard. The username will be remembered by a cookie for future use unless you check "Do not store username", so in future you need to enter only the master password.

The location field should be automatically filled with the site you came from.

The Copy n characters dropdown has options to copy longer pieces from the hash.


What happens when the location of the server requesting the password changes? :-( Don't ask. You'll have to remember, or find out, the server location when you originally created the passphrase.

Future Ideas

It is possible to algorithmically increase the keyspace to include punctuation etc -- while using one-way transforms to avoid people guessing the password. Plan to add that soon.


 These pages created by Prasenjeet Dutta. Contact Me.