The Problem with PwdHash

I care about Passwords. I’ve been using PwdHash as my secure password solution since February of 2007. It’s been a good solution for me, but it has a flaw that has recently become more frequently exposed.

The way PwdHash works it creates a hash from two inputs:

  1. the domain of the website
  2. the password you type in

It then submits the hash to the website. Think of it as a black box that generates a relatively complicated password from the two plain text ingredients you give it.

If you needed to log in to and used dancing reindeer as your password, the hash that would be sent to the website would be: vFROhCfFQR+vYcs5IZ.

This provides a number of nice features:

  1. You only have to remember one password.
  2. Your passwords are different for every site you log in to.
  3. None of the secure passwords (hashes) are stored anywhere so there is no :scare: honeypot :/scare: of passwords that can be accessed.

Having a different password for each site is important because you don’t want to have your password exposed when a single site is compromised, sold, etc.

The flaw?

The hash used as your password is based on just those two inputs (domain and your typed-in password). When a single site is compromised and you need to change your password for that site, you find yourself in an unfortunate situation. You must change the password you type in for that site in order to change the hash, but now you are no longer remembering just one password to type in.

One option is to bite the bullet and wholesale change your password for all of your accounts every time this happens. Ugh. Another option is to start using a second password you type in for these sites that have been compromised. That starts to suck too – the whole point is to not have only one thing to remember so you never have to write it down.

In the moderately recent past I’ve had to change my password for a number of sites including, Evernote and Twitter. Sites seem to be coming under these types of attacks more and more frequently, and I expect I’ll be needing to change more within the next six months.

A solution like 1Password handles this situation better. I can change the password for just one site while maintaining a single “master” password to unlock all of my passwords. I still don’t like the honeypot aspects and reliance on proprietary software1 for something as important as identity, but I’m thinking hard about making the switch.

PwdHash actually has another flaw as well, it doesn’t have a mechanism to handle sites that have specific password requirements (must have a capital letter, a number, can’t have special characters, must be at least X characters long, etc.). For some reason, this hasn’t been much of an issue for me – you’d think it would have come up more.

  1. They are doing what they can to mitigate this concern

This post is part of the thread: Passwords – an ongoing story on this site. View the thread timeline for more context on this post.