Tuesday, January 23, 2007

Install PwdHash, now.

Right now. Cedric turned me on to it.

I assume most people use the same password for at least a couple web sites. I used to cringe every time I signed up for some random site and they echoed back my plain text password in an email. If someone happened across a password for one site, they could use it on another.

I used to mitigate the problem by using tiers of passwords. For example, I had one password which I changed often and used exclusively for work. On the other end of the spectrum, I had one password which I shared among all the random little sites and services which I didn't really care about securing. Coming up with and tracking a unique password for each site which I may never visit again was too much of a hassle.

PwdHash offers a much more elegant solution. I can always use the same password, but PwdHash hashes it with the site's domain before actually sending it. My real password never leaves my computer. Each site gets its own password, and there's no way they can figure out the password for a different site. To trigger PwdHash, all I have to do is press F2 before typing in my password.

I don't have to maintain a password repository across computers (that would be another security risk). If I'm on a computer where I can't install PwdHash, I can always go to their site and cut and paste the hashed password.

It's such a simple but effective idea. I hope other clients such as instant messengers pick up on it. In the meantime, I can always cut and paste.
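The scheme described above, sketched as an added example (not code from this post or from PwdHash): the master password keys a hash over the site's main domain, so every site receives a different value and subdomains of one site share the same one. The HMAC-SHA256 construction, the two-label domain rule and the function names `main_domain` and `site_password` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def main_domain(url: str) -> str:
    """Reduce a URL to its main domain, e.g. mail.google.com -> google.com.

    Simplification (assumption): keeps only the last two labels. A real tool
    needs the Public Suffix List to handle suffixes such as co.uk.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password a site receives from the master password and domain.

    HMAC-SHA256 keyed with the master password over the main domain; this
    construction is chosen for the example and is not PwdHash's exact algorithm.
    """
    if not master:
        raise ValueError("master password must not be empty")
    digest = hmac.new(master.encode("utf-8"),
                      main_domain(url).encode("utf-8"),
                      hashlib.sha256).digest()
    # URL-safe base64 keeps the result typeable in ordinary password fields.
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for url in ("https://mail.google.com/", "https://reader.google.com/",
                "https://forum.example.org/login"):
        print(f"{main_domain(url):15} {site_password(master, url)}")
```

A site that stores or e-mails this value in plain text exposes only its own derived password. Because a single HMAC is fast to compute, a weak master password can still be guessed offline from one leaked value, so the master password itself needs to be strong.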

10 Comments:

Blogger Jesse Kuhnert said...

thanks

10:36 PM  
Blogger Bob said...

Any time. ;)

12:27 AM  
Anonymous Anonymous said...

Nice one Bob! Installed straight away.

4:09 AM  
Blogger Kevin Bourrillion said...

genius.

9:20 PM  
Blogger Eric J. Schwarzenbach said...

What happens when a site domain changes?

5:10 PM  
Blogger Bob said...

Well, first of all, PwdHash goes off the main domain. In other words, it uses the same hash for mail.google.com and reader.google.com. If the main domain changes, you'll have to enter the old domain manually into the PwdHash web site.

5:15 PM  
Blogger Unknown said...

Installed PWDHash. When I go to a site, install my user name, I then go to password, hit F2 followed by my password. I see no reaction to the F2 key, and then the usual asterisks for my password.
How do I know PWDHash is working?
Frank.

4:48 AM  
Blogger Bob said...

I usually see the length of the password change when I navigate away from the password field.

6:39 AM  
Blogger Unknown said...

Don't see any change in number of asterisks in password box.

If I type in @@ prior to password, I get "unsuccessful login"
Help.
Frank

2:06 AM  
Blogger Bob said...

I'm not sure. :(

Make sure the plugin is installed and enabled.

To debug, try cutting and pasting the password using pwdhash.com instead of the plugin.

7:59 AM  
