[dundee] Awesome Password Tricks

Gavin Carr gavin at openfusion.com.au
Fri Feb 26 12:03:38 UTC 2010


Hi Rick,

On Fri, Feb 26, 2010 at 11:00:01AM +0000, Rick Moynihan wrote:
> Ok, I was asked last night to post to the list about how I manage my
> passwords...
> 
> This is a solution to the password security problem, where we want a
> different password for every website because if any one site gets
> compromised (and they're storing passwords as plaintext) then we've
> lost the security on all our accounts!
> 
> The big problem doing this is that you have to remember which username
> and password you have on each site which can be hard.
> 
> So I have adopted a lightweight easy solution to this problem....
> Essentially you have a single master password that you remember, but
> you assign each account a password which is the SHA1/MD5 sum of the
> website's domain name + your master-password.  E.g. assuming the
> terrible master-password of 'foobarbaz' and the site www.google.com we
> take the MD5 SUM of the string:
> 
> foobarbaz:www.google.com
> 
> Yielding an MD5 of:
> 
> d6194ec9e6037da48c2e4276a01325c1
> 
> Unfortunately most sites won't let you have such long passwords, so we
> take the first 8 characters of this producing a password of:
> 
> d6194ec9

Really nice scheme - thanks for the post. I do something similar but not 
as sophisticated. Might have to try something like this out.

One criticism though: the crypto here is weak. See this post for lots of 
gory details:

  http://benlog.com/articles/2008/06/19/dont-hash-secrets/

But the short version is that generic hashing functions like MD5 have nasty 
concatenation properties for uses like this. Specifically, if you give me a
hash for 'foobarbaz:12345' I can generate a valid hash for 
'foobarbaz:12345:plusotherstuff' without having to know your master password.

In practice, you're probably mostly safe with domain names, which is why I
guess no one's complained too much before. But attacks are still feasible. 
If I can get hold of a prefix version of some important domain, for instance,
and can get you to log in to it, then I can generate your passwords for 
the important domain. I could compromise your important.net.uk account, for 
instance, if I could get you to register at my important.net site. Or 
attacking www.anz.com.au (an Aussie bank) via anz.com, etc.

So bottom line is you/they should really be using an HMAC version of MD5 for 
this, not the generic hash function. Like hmac-md5 in ruby.

My 2p.

Cheers,
Gavin
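The keyed derivation Gavin recommends, written out as an added example in Ruby (the language he names); this is not code from the thread or from any published tool. The host normalisation, the HMAC-SHA256 default and the entropy helper are this example's own assumptions, and `digest: 'md5'` reproduces his HMAC-MD5 suggestion exactly.

```ruby
require 'digest'
require 'openssl'

# Rick's scheme from the thread: plain MD5 over "master:domain", first 8 hex chars.
# Kept only for comparison. MD5 is a Merkle-Damgard hash, so its output is the
# hash's internal state after consuming "master:domain"; that is the property
# behind the prefix-domain concern in Gavin's reply.
def legacy_md5_password(master, domain)
  Digest::MD5.hexdigest("#{master}:#{domain}")[0, 8]
end

# Assumption (not from the thread): normalise whatever the user pastes to a bare,
# lower-cased host name, so "https://WWW.Google.com/login" and "www.google.com"
# derive the same password instead of two unrelated ones.
def normalise_host(site)
  site.strip.downcase.sub(%r{\Ahttps?://}, '').split('/').first.to_s
end

# Keyed derivation as Gavin suggests: HMAC with the master password as the key
# and the host as the message. The key is mixed in twice, so the tag for
# "anz.com" gives an attacker no foothold on the tag for "www.anz.com.au".
# Gavin names HMAC-MD5; the default here is HMAC-SHA256 (this example's choice),
# and digest: 'md5' gives his suggestion exactly.
def hmac_site_password(master, site, length: 8, digest: 'sha256')
  OpenSSL::HMAC.hexdigest(digest, master, normalise_host(site))[0, length]
end

# Eight hex characters carry only 32 bits of entropy; when a site allows it,
# ask for a longer slice. Returns the entropy in bits for a given hex length.
def hex_password_entropy_bits(length)
  length * 4
end

if __FILE__ == $PROGRAM_NAME
  master = 'foobarbaz' # the deliberately bad master password from the thread
  %w[www.google.com anz.com www.anz.com.au].each do |site|
    puts "#{site}: legacy=#{legacy_md5_password(master, site)} " \
         "hmac=#{hmac_site_password(master, site)} " \
         "(#{hex_password_entropy_bits(8)} bits)"
  end
end
```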



