Secure Hashed Passwords Using Dwb and Pwdhash

April 25, 2012 at 8:44PM

Password hashing services like PwdHash and SuperGenPass allow you enter your password in the password field of any site and then by way of some Javascript your master password is replaced with its hashed counterpart. My problem with these services is that they are fundamentally insecure due to their implementation. Both PwdHash and SuperGenPass rely on replacement of your master password via Javascript after it has already been entered on the site.

Anyone who's spent any time with Javascript knows it would not hard be hard to retrieve that master password that you entered. Thus, PwdHash and SuperGenPass's hashing implementations only work if you trust the Javascript of every site you visit. How could this ever be classified as a solution to the common household hashing problem?

A Better Hashing Implementation: My solution involves using a browser that can offload the hashing task to another program. Using the browser, Dwb, you can very easily set it up so that an external script passes in the hashed password to the browser and thus the master password is never exposed.

hash (~/.config/userscripts/hash)

#!/usr/bin/ruby
require 'uri'
site = (URI).parse(ENV['DWB_URI']).host
password = `zenity --password`
hashedPassword = `node ~/bin/pwdhash.js #{site} #{password}`.chomp!
IO.binwrite(ENV['DWB_FIFO'], "open javascript:document.activeElement.value = '#{hashedPassword}")

This hash userscript, to be run from Dwb, essentially just uses zenity (Xdialog works here too) to prompt the user for their master password. Then their master password along with the user's current site is run through the commandline tool pwdhash.js. pwdhash.js is just a simple Node.js port I made of the PwdHash Browser Javascript Implementation. Once the hashed password is returned from pwdhash.js, Dwb is then told to run some Javascript to insert only the that hashed password back into the currently selected password field of the current site.

Use Case: In Dwb, once on a password field, in command mode you type the command ":hash" and a password entry dialog is spawned.

Pwdhash Password Entry Via Zenity

You type your password in the dialog (generated by zenity) and then once you hit enter your hashed password is inserted into the password field.

Pwdhash Hashed Password on Google.Com

And there you have it - a more secure hashing implementation using Dwb in combination with PwdHash's algorithm! No long are you exposing your master password to arbitrary Javascript.