hashapass

...when ‘fluffy’ is not enough


Frequently Asked Questions about Hashapass

Answers

Is this thing secure?

The short answer: it depends. Like almost anything else, when used securely, it is secure :-)

Without making any guarantee that Hashapass is actually suitable for anything, it is recommended to avoid using Hashapass, as it stands now, for online banking, online trading, e-commerce, or for any application that would allow an attacker to steal your money.

Also, please do not use Hashapass to set the detonator password on nuclear warheads, thank you very much. Hashapass remains very suitable (in our opinion) for many other uses, such as creating a password for your 3rd Hotmail account, or for that nifty Web 2.0 app that allows you to share a bookmarklet-oriented Wiki with your online social circle.

The longer answer: there are a number of ways that your master password or your dependent password could be compromised. Security is then a matter of risk/reward trade-off: given the effort necessary to mount an attack, and given the reward that awaits the successful attacker, would a rational-thinking attacker be interested? If the answer is "yes" or even just "maybe", then maybe Hashapass is not what you're looking for.

1- "The folks at hashapass.com could steal my password"— Of course, we'll never do such a thing. That's why we make sure that we never even see your password: all the computation is done in the (relative) safety of your browser, and your password is never transmitted to us, either encrypted or in clear. By the way, this site is no LAMP-powered thingie: just plain-old HTML and JavaScript. You can take a look at the code; it's pretty self-explanatory.

Yes, we could silently change the form to some evil JavaScript that uploads your password to an unsuspecting message board, where we could then fetch it anonymously through untraceable zombie computers in China. So, yes, we could get your password.

One solution to this problem is to make a local copy of the page on your computer, review the source, and only use your local copy. Longer-term, this threat is the main reason why we're working on browser extensions.

2- "What happens if the site is down?"— If the site is down, it's down. Hopefully this doesn't happen too often with our host. Another reason to get the extension when it is released.

3- "Somebody can hijack this site and pretend they're Hashapass"— Yes. If your Internet access is not secured, technically, people could pretend that they're us, and they could set up the page to look the same but behave differently, so that you would give them your password.

There are a couple of ways that evil people could do that (DNS cache poisoning, rogue access points... those are certainly not the only vectors of attack, though).

One way of countering this would be to get ourselves a certificate and implement SSL. The incremental cost of doing that, in time and expense, is not completely trivial, so it's not on the roadmap yet. Browser extensions will help.

4- "Is this password generation algorithm strong enough?"— SHA-1 is a very widely-used cryptographic hash function. Given its exposure, it is quite reasonable to assume that SHA-1 is a difficult function to invert. Therefore, knowledge of a generated password doesn't really help an attacker to know your master password.

Well-informed people know that an attack has been published on SHA-1. Even better informed people know what this attack does: it finds collisions in SHA-1, which is quite different from inverting SHA-1. In fact, this attack does not apply at all to the use of SHA-1 that is done in Hashapass.

However, dictionary attacks are easy to perform on a Hashapass-generated password, because the computation of SHA-1 is very fast. An attacker who knows a generated password could try successive dictionary words as master password and as parameter, and see if the result matches the known generated password.

When it does, wham, the attacker has just escalated from the generated password back to your master password. That is very practically feasible, and since your parameters are likely to be dictionary words or predictable (that's the whole point, in fact), you better make your master password hard enough to guess.

5- "The generated password appears in clear text"— Yeah, it's not very secure. But if you hit Ctrl-X fast enough (or Apple-X, as the case may be), your password won't show for long. Also consider that somebody who could see the generated password on screen could also likely see your fingers typing the master password on the keyboard.


Site X wants my password to have special characters in it!

This is an annoying situation.

We could deal with it by adding options to our generator. It's fairly easy to program a generator that ensures compliance with such constraints.

However, this would also require you to remember which set of options you used for which website. It may make the whole thing much more confusing. For now, the recommended solution (if you want to use Hashapass at all for these types of sites) is to take the generated password and add ".0" or something like that at the end (whatever makes 'em happy). You'll have to remember to add that suffix, but is it much harder than remembering which options you checked for generating your password in the first place?
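As an added illustration (not code from the Hashapass site, and since this page does not spell out the exact construction, the HMAC-SHA1, base64, first-8-characters recipe below is an assumption), this derives site passwords from a master password and a site parameter as discussed under question 4, appends the suffix trick for sites that demand special characters, checks that different parameters give unrelated passwords, and measures how fast one derivation is, which is why a guessable master password is the weak point:

```python
import base64
import hashlib
import hmac
import time
from typing import Iterable

# Assumed construction (illustration only, not taken from this page): the site
# parameter is HMAC-SHA1'd under the master password, the digest is
# base64-encoded, and the first 8 characters become the site password.
PASSWORD_LENGTH = 8


def derive(master: str, parameter: str) -> str:
    """Derive a site password from a master password and a site parameter."""
    digest = hmac.new(master.encode("utf-8"), parameter.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")[:PASSWORD_LENGTH]


def derive_for_site(master: str, parameter: str, suffix: str = "") -> str:
    """Same derivation, plus the fixed suffix the FAQ suggests for sites that
    demand special characters (you have to remember the suffix yourself)."""
    return derive(master, parameter) + suffix


def is_site_independent(master: str, parameters: Iterable[str]) -> bool:
    """True when every parameter yields a distinct site password, i.e. a
    password leaked from one site says nothing about the others."""
    params = list(parameters)
    return len({derive(master, p) for p in params}) == len(params)


def derivations_per_second(n: int = 20000) -> float:
    """Rough single-core throughput of the derivation. SHA-1 is fast, so a
    dictionary-word master password falls quickly; a strong one does not."""
    start = time.perf_counter()
    for i in range(n):
        derive("guess%d" % i, "hotmail")  # constructed candidate masters
    return n / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    master = "Tb0Nt8tqTiWtstwo"  # constructed strong master, not a dictionary word
    sites = ["hotmail", "bookmarkwiki", "forum"]
    for site in sites:
        print(site, derive_for_site(master, site, suffix=".0"))
    print("independent across sites:", is_site_independent(master, sites))
    print("derivations/second: %.0f" % derivations_per_second())
```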


Site X wants me to change my password every Y weeks!

Hashapass is not very good at handling this. A suggestion (but not a true solution) is to add a suffix to the hashapass-generated password and to cycle through an easy-to-remember list of suffixes (e.g. 1, 2, 3, 5, 8, 11...).


Why would I use this instead of a software password safe?

Because the day your hard drive crashes, or the day you want to access your passwords remotely, you'll wish you had not.


Why would I use this instead of a random password generator?

Because you find passwords like 3eeRIuq6 hard to remember.


But my dog's name with "!77" at the end is a perfectly valid password!

People have plenty of tricks to make up passwords that look complicated but are easy to remember: start with your favorite Shakespearean verse, take the initial of each word, CaMeLcAsE it, replace o's by 0's and voilà. And by the way, that's a great thing to do in Hashapass to choose your master password.

But you can only remember so many of these strong passwords. Every now and then, you're bound to reuse the same one. That's when problems begin: you might use your password to secure an online account, but the password database in which it is stored may not be very secure. If I obtain a copy of your password through a vulnerability on one site, chances are that the same username / password pair will match on other sites. Not so with Hashapass, and that's the idea.


When will browser extensions / bookmarklets / widgets be available?

We're working on it! Get updated when they arrive.


I have made another version of this script as a browser extension / bookmarklet / widget. Can I make it available through Hashapass?

Thanks! Of course! However, there are conditions: notably, the source must be available for all to examine and look for vulnerabilities. If that's OK with you, shoot us an email and we'll add your version to this site.
