|Full text||Click to download.|
|Citation||In Proceedings of the 2005 USENIX Security Symposium
John C. Mitchell
We describe a browser plug-in, called PwdHash, that improves web password security and helps defend against phishing attacks and some consequences of break-ins to low security web sites. Since the plug-in applies a cryptographic hash function to a combination of the user password, data associated with the web site, and (optionally) a private salt stored on the client machine, theft of the password received at one site will not yield a password that is useful at another site. While the scheme requires no changes on the server side, implementing PwdHash securely in a web browser turns out to be quite difficult. We describe the challenges we faced in implementing PwdHash and some techniques that may be useful to anyone facing similar security issues in a browser environment.
Back to publications
Back to previous page