walkerasindave

  1. Yes that's correct. It uses sha1 to start with, then based on the output and the selected options* it produces the final password. *Options such as length, inclusion of special characters, etc. (I can't believe there are still websites out there that restrict characters and length?!?!) Yes, this is an issue. I have made it in JavaScript so I have embedded it into a simple HTML file, a copy of which resides on my phone so I have complete mobile use as required. (The HTML file is, I realise, a weak point as it shows the algorithm, but the master password would also be required. Anyway, I have put some security on accessing the file, e.g. to access it itself is password protected... Also the code is obfuscated, not that that would deter the most persistent hackers.) If they somehow did, which they would have to be damn persistent to (brute force the password then reverse engineer it into the master password), they would also need the algorithm, as it is not a plain sha1. I was also thinking of differing the master password based on a character/characters of the domain as well, just as an additional layer.
  2. Hence the reason for on-the-fly generating. The hashing will generate a different password for each site and you don't even have to type them in. With some clever browser integration the code used to generate the hash can fill in the password field for you. Best of all worlds.
  3. True, maybe even add a couple of random letters into the master key as in Canoas method, so even the master key is obscured. I'm quite wary of using password storage solutions as the encryption by definition is reversible and the very fact that the password is stored somewhere. With on demand hashing the generated passwords are never stored. True, but could you remember 30+ different random character passwords and which site they are for? Exactly why I have gone with hashing, so every password is different and still secure.
  4. Hey everyone, I've been watching the Linus videos for a year or so now and love them, keep up the great work guys. Have also been lurking in the forums for months and have finally got around to creating an account after the Password discussion on the WAN Show. I thought I'd write a quick post as they were suggesting on the WAN that passphrases are the best thing to use as passwords.

     The problem I've had with passwords for a long time, no matter what format (standard passwords, strong random passwords, passphrases), is remembering what password I have used for what website/service. I am most definitely an advocate of using a completely different password for every single different website. On the low chance that one gets hacked everything else is still secure. The problem with this, even with the more secure passphrases, is remembering what passphrase you used on what site. Using the same passphrase on multiple sites is just as bad as using a simple password.

     I have just started using a clever technique to generate unique, strong, completely random 20+ character passwords that are unique for every site but memorable. But how can WL0Y'QREj7fJzQ8AgJID be memorable? This is where hashing comes in. Hashing can take one or more bits of information and repeatedly hash it into the same string of characters. So the basis of the system I use uses the domain name of the particular website and a secret master key to hash a repeatable password. (The above is a hash of "test.com" as the domain and "test" as the master key). The hash will always be the same for the same domain and master key. This means you don't even have to use any "Remember My Password" services built into browsers these days, instead just use the same master key while the domain changes for each website you need a password. Supposedly these hashes are irreversible so even if one of the generated passwords is found by someone they won't be able to reverse engineer them to your master key.

     I wrote a quick hashing app that does it for me but there are lots of browser addons that can do this built into your browser, for example the Firefox Password Hasher. For me this is the most secure solution I've found. What do people think of using hashed passwords? How secure are they? Are they actually irreversible?
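
The scheme described in the post above (a repeatable password derived from the domain and a master key, with length and special-character options), as an added example for Node.js that is not the poster's app or the Firefox Password Hasher code. It swaps the SHA-1 step for scrypt, a deliberately slow key derivation function; the function name, option names and the `sitepw:v1:` salt label are assumptions.

```javascript
// Added example (not the poster's app): per-site password = KDF(master key, domain).
// sitePassword(), its options and the "sitepw:v1:" salt label are hypothetical names.
const crypto = require('crypto');

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  special: '!#$%&*+-=?@^_',
};

function sitePassword(masterKey, domain, { length = 20, special = true } = {}) {
  const sets = [CLASSES.lower, CLASSES.upper, CLASSES.digit];
  if (special) sets.push(CLASSES.special);
  if (length < sets.length) throw new RangeError('length too short for the selected classes');
  const alphabet = sets.join('');

  // The domain acts as the salt: normalise it so " Test.COM " and "test.com" agree.
  const salt = 'sitepw:v1:' + domain.trim().toLowerCase();
  // scrypt is slow and memory-hard, so every guess at the master key made from
  // one leaked site password costs far more than a single bare SHA-1 would.
  // 8 bytes per character: 4 to choose it, 4 to drive the shuffle below.
  const stream = crypto.scryptSync(masterKey.normalize('NFKC'), salt, length * 8,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
  const word = (i) => stream.readUInt32BE(i * 4); // 32-bit words keep modulo bias negligible

  // One character from each required class first, the rest from the full alphabet.
  const chars = [];
  for (let i = 0; i < length; i++) {
    const set = i < sets.length ? sets[i] : alphabet;
    chars.push(set[word(i) % set.length]);
  }
  // Deterministic Fisher-Yates shuffle so the required classes are not at fixed positions.
  for (let i = length - 1; i > 0; i--) {
    const j = word(length + i) % (i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}
```

The output is only as hard to guess as the master key: anyone who holds one generated password and knows the algorithm can test candidate master keys offline, which is why the derivation is made slow rather than kept secret.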