Web Password Hashing

Reusing passwords is common, and many paranoid-yet-lazy engineers have adopted the habit of appending or prepending their 'universal' passwords with domain names. In reality, this practice is not very secure, because the password can easily be deduced if any of the machines is broken into.

Dan Boneh's Stanford Applied Crypto Group, which created SpoofGuard and Identity-Based Encryption (the technology behind Voltage), is using an automated variation of the scheme to let users reuse passwords at multiple sites with an arguably acceptable level of risk. The idea is to detect password fields using a browser plugin and replace the passwords entered with site-specific passwords calculated like this:

    site-pwd = hash(domain-name + reused-pwd + universal-pwd)

universal-pwd is needed to protect against dictionary attacks.

I like the general idea, but there are many implementation and usability issues yet to be solved, some listed in their PowerPoint presentation and some not, such as password length limitation and password field spoofing. Still, I think the idea is useful when combined with other ideas and am looking forward to their demo.

BTW, SpoofGuard also uses password hashing with a server-provided salt to protect password reuse, but I don't think server-provided salt alone provides much value. Also, I think they gave up on per-user salt too easily. Anyhow, I am impressed with the work Stanford ACG is doing because they are not afraid to roam outside the crypto realm to find creative solutions.

Update:

One important side effect of the above password hashing scheme, which I neglected to mention, is that passwords cannot be 'phished' without DNS poisoning because the domain name will be different. Neat, eh?
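
The site-pwd formula and the phishing side effect from the update, worked through as an added example that is not code from the Stanford plugin. SHA-256, the length-prefixed fields, the base64 output truncated to a site's length limit, and every name and sample value below are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac


def field(value: str) -> bytes:
    # Length-prefix each input so ("ab", "c") and ("a", "bc") never hash alike,
    # which plain string concatenation would allow.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def site_password(domain: str, reused_pwd: str, universal_pwd: str,
                  max_len: int = 16) -> str:
    """site-pwd = hash(domain-name + reused-pwd + universal-pwd)."""
    # DNS names are case-insensitive; normalise so the same site always
    # produces the same password.
    domain = domain.strip().rstrip(".").lower()
    material = field(domain) + field(reused_pwd) + field(universal_pwd)
    digest = hashlib.sha256(material).digest()  # hash choice is an assumption
    # URL-safe base64 keeps the result typeable; truncating models a site
    # that caps password length (16 characters still carry 96 bits).
    encoded = base64.b64encode(digest, altchars=b"-_").decode("ascii")
    return encoded.rstrip("=")[:max_len]


def dictionary_hit(leaked: str, domain: str, wordlist, universal_guess: str = ""):
    """Return the wordlist entry that reproduces a leaked site password, if any."""
    for word in wordlist:
        candidate = site_password(domain, word, universal_guess, len(leaked))
        if hmac.compare_digest(candidate, leaked):
            return word
    return None


# Constructed sample values, not taken from the page.
WORDLIST = ["letmein", "hunter2", "password1"]
REAL = site_password("bank.example", "hunter2", "correct horse")
PHISH = site_password("bank-login.example", "hunter2", "correct horse")
NO_UNIVERSAL = site_password("bank.example", "hunter2", "")

if __name__ == "__main__":
    print("real site       :", REAL)
    print("look-alike site :", PHISH)  # differs, so it is useless at the real site
    print("wordlist vs. value with universal-pwd:",
          dictionary_hit(REAL, "bank.example", WORDLIST))
    print("wordlist vs. value without universal-pwd:",
          dictionary_hit(NO_UNIVERSAL, "bank.example", WORDLIST))
```

A value leaked from one site reveals nothing usable at another, and the wordlist only recovers the reused password when universal-pwd is empty.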