Wednesday, July 18, 2012

Cryptographic Hash Generators

So, I made a cryptographic hash generator:

Unnecessary Background:
There are plenty of hash generators on the internet, like this one that I stole all the code from.  My problem with this stuff is that I never like the UI.  First, they force you to hit a button instead of just generating as you type.  Second, despite the fact that he has the code for several hashes, the page only displays either SHA-1 or MD5, and forces you to pick one at a time.

Extra Unnecessary Background:
If you don't know, there are a bunch of extensions that take a strong general password + a simple per-site password and use a hash to generate a very strong password that is what actually gets entered into the site.  As with the above, while I like the concept I don't like the implementations.

Here is how I would like it to work: take the general password + domain name + per-site password (any of which may be blank or unused) and compute the SHA-512 hash of the combination.  Then let the user say which characters are allowed and how long the result may be, and convert the hash into a string that meets those constraints while keeping as much of the hash's entropy as possible.

This would mean you could create a nice long passphrase using all characters as the general password, and enter it once per session, or even store it locally.  Then, for extra-secure sites, you could enter an additional password that would only add to security.  Using the domain name means your passwords differ for every site even without the extra per-site password.  It also means you could enter your passwords with no length or character restrictions and convert them to conform to whatever horrible rules various sites have.

The extension I linked to above is pretty good, but only allows up to 14 characters, and you can't pick only lower or upper case (only both or neither).  While 14 characters is very strong for the kind of result you get from a hash, there are problems.  What if a site doesn't allow the full array of special characters the extension uses, and only allows lower case?  You'd be stuck with only digits, which dramatically reduces entropy: 14 digits is about 46.5 bits, against about 65.8 bits for 14 lowercase letters.  Instead, why not allow any length you want?  If someone is using something like this, why not let them use the full allowed password size?  Also, let the user pick exactly which characters are allowed; some sites have some really bizarre password restrictions.
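The derivation described two paragraphs up (general password + domain + per-site password, SHA-512, then a user-chosen alphabet and length), plus the entropy comparison from the paragraph above, as an added example in Python. This is not code from the post or from the linked generator; the sample inputs are constructed, the function names are mine, and three design choices go beyond what the post specifies: each field is length-prefixed before hashing (plain concatenation would let ("ab", "c") and ("a", "bc") collide), the 64-byte hash is expanded in counter mode so that any requested length can be served, and bytes are mapped to the alphabet by rejection sampling so that no character is favoured when 256 is not a multiple of the alphabet size.

```python
import hashlib
import math

# Constructed sample inputs, not taken from the post.
MASTER = "correct horse battery staple"
DOMAIN = "example.com"
SITE_PASS = ""  # may be blank, as the post allows

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def seed_hash(master, domain, site_pass=""):
    """SHA-512 over the three fields (hypothetical field names).

    Each field is length-prefixed so that the boundary between fields is
    unambiguous; plain concatenation would hash ("ab","c") and ("a","bc")
    to the same value.
    """
    h = hashlib.sha512()
    for field in (master, domain, site_pass):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()


def _byte_stream(seed):
    """Expand the 64-byte seed into an unbounded deterministic byte stream
    using counter-mode SHA-512, so that any output length can be served."""
    counter = 0
    while True:
        block = hashlib.sha512(seed + counter.to_bytes(4, "big")).digest()
        yield from block
        counter += 1


def derive_password(master, domain, site_pass, alphabet, length):
    """Map the hash to `length` characters drawn from `alphabet`.

    Rejection sampling: a byte is only used if it falls below the largest
    multiple of len(alphabet) that fits in 256. A bare `byte % k` would bias
    the result toward the first (256 % k) characters of the alphabet.
    """
    k = len(alphabet)
    if k == 0 or k > 256 or len(set(alphabet)) != k:
        raise ValueError("alphabet must be 1..256 distinct characters")
    limit = 256 - (256 % k)  # largest multiple of k that is <= 256
    out = []
    stream = _byte_stream(seed_hash(master, domain, site_pass))
    while len(out) < length:
        b = next(stream)
        if b < limit:
            out.append(alphabet[b % k])
    return "".join(out)


def entropy_bits(alphabet, length):
    """Upper bound on the entropy of the derived password, in bits.

    Bounded both by the alphabet/length and by the 512-bit seed; the real
    figure is also capped by how much entropy the user's inputs carry.
    """
    return min(512.0, length * math.log2(len(alphabet)))


if __name__ == "__main__":
    for name, alphabet in (("digits", DIGITS), ("lower", LOWER),
                           ("all", LOWER + UPPER + DIGITS + SYMBOLS)):
        pw = derive_password(MASTER, DOMAIN, SITE_PASS, alphabet, 14)
        print(f"{name:>6}: {pw}  ({entropy_bits(alphabet, 14):.1f} bits)")
```

Running it prints one 14-character password per alphabet together with its entropy bound, which makes the digits-versus-lowercase gap from the paragraph above concrete. One caveat worth keeping in mind with this design: SHA-512 is fast, so anyone who learns one derived password and the domain it belongs to can try master-password guesses at hash speed; running the master field through a slow KDF such as PBKDF2 or scrypt before this step would make that guessing expensive.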

Anyway, since any extension-based password generator needs a web-based version for when you are away from your home computer, I decided to make the web version, while knowing full well that I will never make the extension.  I then decided to make it more general, and thus it's now just a generic hash generator.
