I think this has already been done. If memory serves me correctly
Steve Gibson talked about it on Security Now.
On Jul 29, 2009, at 4:40 PM, Adrian Crenshaw wrote:
I'm sure by now the many of you here have heard of the asshatery
that is zero for 0wned (zf05.txt) and it's started me thinking about
password management across websites.
Remembering a unique password for each and every site is hard to
manage. Now, what I currently do is have one password for finance
stuff, another for website related stuff and yet another for forums
I've visited, sort of by level of how much I care if they get
compromised. Still, it's a pain to go around changing passwords when
you hear Binrev or Hak5 got hacked and your not sure if they got
your credintials.
I was wondering if this schem is workable from a security
standpoint, and if someone has already implemented it into a Firefox
plugin. Lets say you do this, take a password you use everywhere,
conatinate it with the domain name of the site you are making a
password for, then take the md5 hash and use it as your password.For
example, if my password was "mypassword" and I were using it on
Pauldotcom.com:
md5("mypasswordpauldotcom.com") = "4b7958e4302cae2836f1c05532f835f4"
This way, it's still easy to remeber, but even if an attacker gets
the plain text from what is store on the site
(4b7958e4302cae2836f1c05532f835f4 in this case), they can't use it
to compromise account on other sites since your password would be
different, for example:
md5("mypasswordirongeek.com") = "1c96d14e6e048924cabf3009b064958f"
Do you see any major weaknesses in this scheme? Anyone know how to
implement a Firefox plugin to simplify it?
Thanks,
Adrian
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
