Hey everyone,
I've been watching the Linus videos for a year or so now and love them, keep up the great work guys. Have also been lucking in the forums for months and have finally got around to creating an account after the Password discussion on the WAN Show.
I thought I'd write a quick post as they were suggesting on the WAN that passphrases are the best thing to use as passwords.
The problem I've had with passwords for a long time, no matter what format (standard passwords, strong random passwords, passphrases), is remembering what password I have used for what website/service. I am most definitely an advocate of using a completely different password for every single different website. On the low chance that one gets hacked everything else is still secure. The problem with this, even with the more secure passphrases, is remember what passphrase you used on what site. Using the same passphrase on multiple sites is just as bad as using a simple password.
I have just started using a clever technique to generate unique, strong, completely random 20+ character passwords that are unique for every site but memorable.
But how can WL0Y'QREj7fJzQ8AgJID be memorable?
This is where hashing comes in. Hashing can take one or more bits of information and repeatedly hash it into the same string of characters. So the basis of the system I use uses the domain name of the particular website and a secret master key to hash a repeatble password. (The above is a hash of "test.com" as the domain and "test" as the master key). The hash will always be the same for the same domain and master key. This means you don't even have to use any "Remember My Password" services built into browsers these days, instead just use the same master key while the domain changes for each website you need a password.
Suposedly these hashes are irreversible so even if one of the generated passwords is found by someone they won't be able to reverse engineer them to your master key.
I wrote a quick hashing app that does it for me but there are lots of browser addons that can do this built into your browser, for example the Firefox Password Hasher.
For me this is the most secure solution I've found. What do people think of using hashed passwords? How secure are they? Are they actually irreversible?