from Hacker News

PwdHash (2009)

by boredgamer2 on 5/11/20, 2:52 PM with 49 comments

by tptacek on 5/11/20, 9:45 PM
This was one of the first "deterministic password managers", which has become a whole species of side-project password managers. The major practical win for deterministic password managers is that they're ostensibly stateless; you only need to synchronize some very basic configuration information to make them work consistently. In practice, not so much: passwords need to be changed, or revoked, or customized. You should just use "pass" (or 1Password if you want something professional).
An interesting thing about PwdHash is that they observed how you can use site-specific authentication behavior to break phishing, something that U2F/Webauthn tokens also accomplish.
by Spivak on 5/11/20, 10:33 PM
This should just be how websites work. I see no reason that a site should ever transmit the user's password over the wire.
When you create a password send the client a salt, hash their real password client side, and send the hash over the wire. Treat it as you would their actual password and salt/hash it again.
Then when the user wants to auth send the client the salt you have on file for them^ and repeat. Bam. A domain specific password for every site even for someone who who reuses passwords.
^ inb4 "this creates another 'step' when logging in." Users will type their username and pw before they get the salt and the client will handle the rest.
by sisk on 5/11/20, 10:12 PM
Used this extensively before password managers were abundant—even wrote my own bookmarklet for it ~10 years ago[0]. One thing to be mindful of: login URLs can and do change. When this happens, unless you can recall the hostname, you're completely out of luck.
[0]: https://gist.github.com/jasisk/fc0283e84814c696d3cd
by 627467 on 5/12/20, 3:20 AM
What a coincidence as I'm reading up on deterministic password generators:
- DPG: https://plevyak.com/dpg.html
- MasterPassword: https://masterpassword.app/
- LessPass: https://lesspass.com/
I like the idea of such mechanism for my passwords, but I feel like having to enter a masterpassword so often actually poses as a vunerability. The password managers I currently use, normally enables me to use fingerprint or leaves some minutes before timing out so that I don't need to enter my master password as often.
One idea I'm having is to combine the deterministic and stateless aspect of a simple js generator, with a simple db that user can maintain with a online spreadsheet:
1.this db would store states for the calculator that user would need to manually re-enter, and it's URL would be only known to user (say a Google sheets, json URL)
2. This URL would be stored for limited time on browser cache improving UX for short period of time.
3. The db itself won't store secrets, just "metadata"
by xwes on 5/12/20, 12:02 AM
SuperGenPass[1] is a refinement of this idea. The code itself has been dormant for years[2], but the bookmarklet and mobile web versions still work great. In fact, adding the mobile web page to my iPhone home screen with Safari makes this a pretty straightforward way to make passwords accessible on mobile without worrying about syncing.
1: https://chriszarate.github.io/supergenpass/ 2: Since 2016 :( https://github.com/chriszarate/supergenpass/commits/master
by blakeross on 5/12/20, 1:27 AM
This is definitely pre-2009, I built this at Stanford w/ the others and I was only at Stanford until around 2005. (But they may have continued updating it given the Firefox version number referenced.)
by gregmac on 5/11/20, 9:38 PM
I haven't yet decided how I feel about this vs a full password manager (with unique passwords per site), but do kind of like the idea there's no account/vault: literally the entire usage is via a single password.
I have a suggestion to greatly increase usability:
Right now, as the owner points out, this relies on using a password starting with @@ to trigger this mechanism (which is a usability issue), and relying on the user entering their passwords into the web page (which is a phishing danger).
Given this already requires a browser extension, move the password to a UI within the extension, and instruct the user not to ever enter their password anywhere else (on why page directly). Use a button in the browser extension to trigger filling in the site-specific password. This avoids phishing the main password, avoids the @@-prefix requirement, and the extension could now also cache the password for some amount of time so the user doesn't need to re-enter it.
Interesting idea/project nonetheless.
Edit: oops, just noticed this is from 2009. I noticed lack of Chrome but not the ancient browser versions! Did this go anywhere?
by freedomben on 5/11/20, 10:27 PM
This reminds me of PasswordMaker[1], a neat tool that you can easily self host (or run offline from your filesystem) and customize. The basic idea is that you don't have to store any passwords, but you can still easily have a different one for every account. You generate a hash based on the domain/hostname and the master password.
It worked really well for a long time, tho eventually I ran into enough corner cases that I had to switch to a traditional password manager anyway. I still use it for some stuff however.
[1]: https://passwordmaker.org/passwordmaker.html
by senderista on 5/11/20, 10:21 PM
This is equivalent to hashing passwords using a global public salt (the domain name). If it became popular enough, you could mount a trivial offline dictionary attack on popular passwords.
by sm4rk0 on 5/12/20, 6:16 AM
This creates longer password even with a short master pass: https://ss64.com/pass/
by potiuper on 5/11/20, 10:26 PM
https://en.wikipedia.org/wiki/Salt_(cryptography) (1970)
by correct_horse on 5/11/20, 10:16 PM
This would break if the site owner changed their domain name, or more likely, they have multiple domains that redirect to the same IP address. Is that a serious flaw?
by acqq on 5/11/20, 9:27 PM
Needs year in the title: (2009)