Secure Passwords Through Enhanced Hashing

Passwords play a critical role in online authentication. Unfortunately, passwords suffer from two seemingly intractable problems: password cracking and password theft. In this paper, we propose PasswordAgent, a new password hashing mechanism that utilizes both a salt repository and a browser plug-in to secure web logins with strong passwords. Password hashing is a technique that allows users to remember simple low-entropy passwords and have them hashed to create high-entropy secure passwords. PasswordAgent generates strong passwords by enhancing the hash function with a large random salt. With the support of a salt repository, it gains a much stronger security guarantee than existing mechanisms. PasswordAgent is not vulnerable to offline attacks, and it provides stronger protection against password theft. Moreover, PasswordAgent offers usability advantages over existing hash-based mechanisms, while maintaining users’ familiar password entry paradigm. We build a prototype of PasswordAgent and conduct usability experiments.