Skip to content

dannysu/hash0

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

138 Commits
app
app
 
 
build
build
 
 
icons
icons
 
 
test
test
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
README.md
README.md
 
 
index.html
index.html
 
 
manifest.json
manifest.json
 
 
package.json
package.json
 
 

Repository files navigation

NOTE: No longer maintained

Motivation

I'm interested in using password generators such as hashapass, pwdhash, and passwordmaker.org. However there are just enough annoyances I have with those options so I investigated creating a better one.

Security

The other hash password generators tend to use insecure hashing methods and none of them use slow hash functions (e.g. PBKDF2) to protect against brute force attacks.

  • hashapass uses 1 round of HMAC-SHA1.
  • pwdhash uses 1 round of HMAC-MD5.
  • passwordmaker.org allows you to pick various algorithms. But runs only 1 iteration.

The current version of hash0 is v2, which has fixes for issues found in a security audit by Defuse Security of v1 of hash0.

Ease of Use

All of these other hash password generation sites use the domain + master password to generate your password. The typical solution to when you want to change a password is to append a number to the domain (e.g. "linkedin.com2").

Unfortunately there is just no way I could possibly remember what number to append for which website. Combined with the increasing breaches of major websites like LinkedIn or when Heartbleed was discovered, there is just no way someone using these other solutions can remember large amounts of numbers to append.

Details

Hash0 uses SJCL's PBKDF2 implementation with 100,000 iterations to derive password from a master password. On top of using PBKDF2, Hash0 uses an unique salt per site. Hash0 attempts to use the closest possible thing in a browser to a CSPRNG by utilizing SJCL's code. In modern browsers, this basically means obtaining data from window.crypto.getRandomValues().

Hash0 also borrows some functions from PasswordMaker.org when converting generated result to the desired charset.

Finally, the salt and different site configurations are encrypted using SJCL's encrypt() function, which uses AES-CCM with 256-bit key size and 128-bit authentication tag size. The encrypted data is then stored at a place of user's choosing. Storing these settings remotely in encrypted form allows Hash0 to be used across different devices.

Pros:

  • Salted password different per site
  • Uses PBKDF2-HMAC-SHA256
  • Salt stored separately from website's password storage
  • Synchronization of settings so I don't have to remember them (salt, password length, character set, etc)
  • Still 1 password for multiple sites

Cons:

  • Need storage elsewhere for encrypted setting (E.g. Google App Engine). You can deploy gae_storage to your own App Engine account and use it.

Usage

NOTE: These are no longer maintained

Google Chrome:

Firefox:

About

Synchronizable PBKDF2 based password generator

Resources

Readme
Activity

Stars

14 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages