Web Password Hashing

Researchers at Stanford University have developed a browser extension that:

transparently converts a user’s password into a domain-specific password. The user can activate this hashing by choosing passwords that start with a special prefix (@@) or by pressing a special password key (F2). PwdHash automatically replaces the contents of these password fields with a one-way hash of the pair (password, domain-name). As a result, the site only sees a domain-specific hash of the password, as opposed to the password itself.
This is aimed at those of us — most of us, perhaps — who use one password for all sorts of sites. A break-in into one site gives the hacker passwords that are extremely valuable. It’s ready for downloading by Firefox users, but IE folks won’t yet have a stable version. I can’t say I understand yet exactly how it’s done, but the clearest explanation is in the PowerPoint presentation. Nor can I say how useful this would be for law firms or other institutions that have highly developed security practices (or should have them). But it might well be helpful for those firms or individuals that can’t afford expensive security features, and for those times when you have to log into a sensitive site from somewhere other than your office or BlackBerry. Worth a look, certainly.

If anyone tries it out, let us know how it performs.

