Storage-free password hashing

Postby wilbertnl » Mon Sep 22, 2008 12:51 pm

Recently I joined the Lastpass herd.
Multi platform plus multi browser support is for me by far the largest advantage of this solution.
Excellent job done!

For a long time I have been using a solution that creates one-way hashed passwords, based on master password plus URL.
(see http://crypto.stanford.edu/PwdHash/ and http://onepassword.com/)
Every time the same password is created when I open the same URL. As an effect this password doesn't have to be stored anywhere.
This is a feature that I would like to use for sensitive accounts, like financial websites.

What do you think?
wilbertnl
 
Posts: 3
Joined: Sat Sep 20, 2008 11:06 pm
Location: Tulsa, OK

Re: Storage-free password hashing

Postby JoeSiegrist » Mon Sep 22, 2008 6:44 pm

wilbertnl Wrote:Recently I joined the Lastpass herd.
Multi platform plus multi browser support is for me by far the largest advantage of this solution.
Excellent job done!

For a long time I have been using a solution that creates one-way hashed passwords, based on master password plus URL.
(see http://crypto.stanford.edu/PwdHash/ and http://onepassword.com/)
Every time the same password is created when I open the same URL. As an effect this password doesn't have to be stored anywhere.
This is a feature that I would like to use for sensitive accounts, like financial websites.

What do you think?

I like the idea but there's a big problem that I see with it: changing your master password becomes extremely difficult. Say you get 200 sites and decide it's time to make a new password -- with password hashing you have to visit all 200 sites and make that change, providing both old and new password -- not for the faint of heart! I guess the concept they have is that you keep all your existing passwords and just hash them, but then you don't have just 1 password which is no good either.

Given this I can't ever see this being the main mode of handling passwords, but I could see it as an optional, disabled by default option for the technically inclined... We want to make sure that you can keep good practices and storing AES-256 bit locally encrypted data with LastPass is safe.

Joe
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Storage-free password hashing

Postby wilbertnl » Tue Sep 23, 2008 3:07 pm

Thank you for your response, Joe.

I understand what you are saying.
For a while I have been using this one-way hashing solution for most of my accounts (There are only very few that don't accept the generated password).
So for these sites the fixed and stored password would work great.
Yes, changing the master password means processing all my accounts, but isn't that actually good advice? That way all accounts would get a new password, not just the password manager.

The issue with my current one-way hashing password manager is that it doesn't support all browsers. I wish it offered online one-way hashing, like https://www.pwdhash.com/. That way I would get the same passwords generated as the add-on that I installed.
http://www.amustsoft.com/1-login/ and http://www.amustsoft.com/1-login/online/ is another example of this approach, but they refuse to support Firefox.

Even with Google Chrome (tried this) and probably Opera (not tried yet) I can open my lastpass page and from there launch the saved accounts with one click.
My argument is that I would use storage-free password generation for my financial accounts, which aren't that many. And I should change these passwords on a regular basis anyway.
Concerning forums, I even debate with myself if I should use a different password for each of them.

To me it seems that your company is able to offer the best of both approaches by creating a hybrid of a stored and storage-free password manager.

Edit:
admin Wrote:I guess the concept they have is that you keep all your existing passwords and just hash them, but then you don't have just 1 password which is no good either.

Joe

I changed all my passwords to the ones that are hash generated based on master password and URL. The concept is that each URL gets a unique password.


What do you think?
wilbertnl
 
Posts: 3
Joined: Sat Sep 20, 2008 11:06 pm
Location: Tulsa, OK

Re: Storage-free password hashing

Postby olfway » Sun Nov 02, 2008 12:06 pm

Btw, am I right that you will lose your password if the site is redesigned with changes in URL/domain?
olfway
 
Posts: 4
Joined: Wed Oct 08, 2008 10:00 am

Re: Storage-free password hashing

Postby JoeSiegrist » Sun Nov 02, 2008 4:01 pm

olfway Wrote:Btw, am I right that you will lose your password if the site is redesigned with changes in URL/domain?

If you remembered or stored the old domain you'd be able to recover it, but it is a usability concern...

Joe
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am
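
The scheme discussed in this thread, as an added example that is not part of the original posts and is neither PwdHash's nor LastPass's algorithm: a site password recomputed from master password plus hostname with PBKDF2-HMAC-SHA256. The function names, iteration count, 16-character output and use of the full hostname as the site key are assumptions; the sample values are constructed. It shows why a domain change or a master-password change produces a different password for the site.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ITERATIONS = 200_000  # assumption: work factor picked for this example


def site_key(url: str) -> str:
    """Reduce a URL to its lowercased hostname, so any page on a site maps to one key."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def derive_password(master: str, url: str, length: int = 16) -> str:
    """Recompute the site password from master password + hostname; nothing is stored."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site_key(url).encode("utf-8"), ITERATIONS
    )
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def rotation_plan(old_master: str, new_master: str, urls: list[str]) -> list[tuple[str, str, str]]:
    """Changing the master password changes every site password: one
    (site, old password, new password) entry per site that must be visited."""
    sites = sorted({site_key(u) for u in urls})
    return [
        (s, derive_password(old_master, f"https://{s}/"), derive_password(new_master, f"https://{s}/"))
        for s in sites
    ]


if __name__ == "__main__":
    # Constructed sample values, not real credentials or sites.
    master = "constructed-master-1"
    before = derive_password(master, "https://bank.example/login")
    print(before == derive_password(master, "https://BANK.example/accounts?id=7"))  # same site
    print(before == derive_password(master, "https://bank-online.example/login"))   # site moved
    for site, old, new in rotation_plan(master, "constructed-master-2",
                                        ["https://bank.example/login", "https://forum.example/"]):
        print(site, old, "->", new)
```

Recovering a password after a site moves means calling `derive_password` with the old URL, which only works if the old hostname was remembered or recorded somewhere.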

