A Browser Plug-in Solution to the Unique Password Problem

Citation: In Proceedings of the 2005 USENIX Security Symposium
Authors: Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh, John C. Mitchell


We describe a browser plug-in, called PwdHash, that improves web password security and helps defend against phishing attacks and some consequences of break-ins to low-security web sites. Since the plug-in applies a cryptographic hash function to a combination of the user password, data associated with the web site, and (optionally) a private salt stored on the client machine, theft of the password received at one site will not yield a password that is useful at another site. While the scheme requires no changes on the server side, implementing PwdHash securely in a web browser turns out to be quite difficult. We describe the challenges we faced in implementing PwdHash and some techniques that may be useful to anyone facing similar security issues in a browser environment.
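
The per-site derivation the abstract describes can be sketched as follows. This is an added example, not the PwdHash implementation or code from the paper. Assumptions: HMAC-SHA256 as the hash, the last two host labels as the "data associated with the web site", and hypothetical names `site_key` and `site_password`; all URLs and passwords are constructed samples.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the site data that is mixed into the hash.

    Assumption: the last two host labels stand in for the site's domain.
    A production version needs a public-suffix list (e.g. for .co.uk).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return ".".join(host.split(".")[-2:])


def site_password(master: str, url: str, salt: bytes = b"", length: int = 16) -> str:
    """Derive a per-site password from user password, site data and optional salt."""
    # Length-prefix the salt so (salt, domain) pairs cannot collide by concatenation.
    msg = len(salt).to_bytes(2, "big") + salt + site_key(url).encode("utf-8")
    digest = hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
    # Encode to printable characters and truncate to the requested length.
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse"  # constructed sample password
    urls = [
        "https://login.example.com/signin",             # genuine site
        "https://www.example.com/",                     # same site, other host
        "https://example.com.login-check.test/signin",  # lookalike host
    ]
    for u in urls:
        print(f"{site_key(u):20} {site_password(master, u)}")
    # With a private client-side salt, the same site yields a different value.
    print(f"{'example.com (salted)':20} {site_password(master, urls[0], b'client-salt')}")
```

The lookalike host resolves to a different site key, so the value it receives differs from the one sent to the genuine site.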
