2006 Horizon Awards Winner: Stanford University's Password Hash

Stacy Collett   Today’s Top Stories   or  Other Security Stories  

Lower the Cost and Complexity of a Mobile Workforce through Automation Managing Mobility: Improve Data Security, Compliance and Manageability Managing Secure File Transfer to Save Time, Money and IT Resources Share our Strength Top 10 Things to Know about Data Protection Top 10 Actions a CIO Can Take to Prepare for a Hurricane 8 Questions To Ask About Your Intrusion-Security Solution 8 Questions To Ask About Your Intrusion-Security Solution Computerworld Technology Briefings IT Service Management Sign up to receive Security Resource Alerts

August 21, 2006 (Computerworld) --

In May 2006, nearly 12,000 malicious phishing Web sites were identified by the Anti-Phishing Working Group, a Los Altos, Calif.-based industry association focused on eliminating the scams. That's up from 3,300 sites a year earlier.

Phishing scams trick users into sending their passwords to an unintended Web site -- often unlocking access to bank accounts or other financial data.

But some professors and students at Stanford University are taking a big bite out of this crime with Password Hash (PwdHash), a plug-in for popular Web browsers that prevents phishing sites from getting what they want.

"Internet users often use the same password at many Web sites," says Dan Boneh, an associate professor of computer science and electrical engineering at Stanford. "A phishing attack on one site will expose their passwords at many other sites."

By simply adding "@@" to the beginning of a password when registering on a Web site, PwdHash combines the user's password with the site's domain name in an algorithm that customizes a password for the user.

If a password is stolen from a malicious site, it won't work on the authentic site "although you typed in the same password," explains professor John Mitchell, who also led the team.

Although the idea of adding a cryptographic hash function to a password isn't new, Mitchell and his team have advanced the technology by making it easy enough for end users to apply. But the project wasn't always their top priority.

Three years ago, Secret Service agents visited Stanford's engineering and computer science department to seek help in combating financial crimes. "I asked them, 'If we were to solve one problem for you, what would it be?'" Their answer: Web spoofing, now known as phishing.

Stanford University professors Dan Boneh (left) and John Mitchell, developers of Password Hash.
Image Credit: Andy Freeberg

By the summer of 2003, they created SpoofGuard, software that detects fraudulent Web sites. In the process, developers hit on the idea of also modifying the passwords sent out from the user. And so PwdHash was born as a stand-alone piece.

The most difficult part was making PwdHash look easy. Some of the trickiest fake Web pages simply show an image or picture to indicate where to type a password instead of having "enter your password" written in text. "How would our software inside the browser know that the Web page is asking for their password? We had to know which data to apply this cryptographic hash to and which data to leave alone," Mitchell recalls.

That's when doctoral student Collin Jackson came up with the idea of adding the "@@" prefix to every password to tell the software which things are passwords and which aren't.

Today, the software is available for free, with versions for the Internet Explorer and Firefox browsers. Mitchell is trying to persuade major browser vendors to include PwdHash in upcoming releases.

"This type of technology definitely has legs," says David Jevans, chairman of the Anti-Phishing Working Group. "In the U.S., a lot of [Internet security work] is happening on the back end. But that's not going to be enough. The bad guys are always evolving."

See the complete Computerworld Horizon Awards special report.

Collett is a Computerworld contributing writer. Contact her at stcollett@aol.com.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

Google's Chrome OS hits BitTorrent New attack fells Internet Explorer iPhone owners demand to see Apple source code More top stories...

Free Web apps to help organize your holidays Global warming research exposed after hack Some Nook e-readers won't make it for the holidays

See your link here

Editors' Picks Windows 7 tricks: 20 top tips and tweaks Getting to know Windows 7? Don't stop now: From speeding up taskbar thumbnails to reining in UAC, here are 20 ways to make Windows 7 act the way you want. Review: Taking the Droid on the road Is Motorola's new Droid good enough to vanquish iPhone envy? To find out, we took it on a 3-day trip. Opinion: Linux desktop turns 10; world yawns Sure, you could always use Linux as a desktop OS, but Corel Linux 1.0 was the first distro designed for ordinary users. It's been a long, strange trip since then. Review: 3 Windows 7 touch-screen laptops New touch-screen laptops from Fujitsu, HP and Lenovo take advantage of Microsoft Windows 7's touch-friendly infrastructure. » See more hot topics hot topics Windows 7 Get the latest news, reviews and more about Microsoft's newest desktop operating system. Apple Microsoft Google iPhone Mac A to Z » See more hot topics special report topics View the top-rated IT workplaces. General Mills, Genentech, San Diego Gas & Electric, University of Pennsylvania and Monsanto top the list. More Special Reports 2008 Best Places to Work in IT 2007 Best Places to Work in IT 2008 Salary Survey 2007 Salary Survey 2006 Salary Survey 2009 Premier 100 IT Leaders 2008 Premier 100 IT Leaders 2007 Premier 100 IT Leaders 2008 IT Forecast 2007 IT Forecast 40 Years of Computerworld Top Green-IT 2009 Top Green-IT 2008 The FAQs About Going Green IT Schools to Watch iPhone: One Year Later Global Mobile Your Next Data Center Management: Reinventing IT Stop Data Leaks Web 2.0 Security Surviving Disasters Managing Storage Virtualization The Lean Storage Machine Storage on Trial Can Web 2.0 Save BI? Bypass These BI Potholes All Zones The SAS Zone Software Resource Center Mobile Security Disaster Recovery & Cost Savings Strategic Content Management Business Analytics Zone

• Google's Chrome OS hits BitTorrent
• Free Web apps to help organize your holidays
• New attack fells Internet Explorer
• More top stories