Web Password Hashing

Introduction

Most commercial web sites rely on a relatively weak form of password authentication: the browser simply sends a user's plaintext password to a remote web server. This form of password authentication is vulnerable to phishing scams.

In phishing scams, users are typically directed to spoof web sites where they are asked to enter their usernames and passwords. By masquerading as a legitimate site, a phishing site obtains the user's plaintext password for the legitimate site.

Password Hashing provides a simple yet very effective way of defending against phishing scams. Rather than send the user's plaintext password to a web site, a browser that supports password hashing, such as Deepnet Explorer 1.4, sends a hash of the user's password combined with the domain name of the web site. The hash is not only a one-way cryptographic digest, it is also bound to the domain of the site it was computed for. In other words, the password hash received at a phishing site is not useful at any other site.

Deepnet Explorer takes the initiative by introducing a new attribute to the INPUT element in HTML forms. The new attribute is named "PROTECT", and it can be applied to the password input as well as to any other input that requires protection, such as a credit card number, social security number, etc. The result is that any type of input data, not only the password, can be protected. Another important feature of this new attribute is that it is compatible with all browsers, regardless of whether or not they currently support password hashing. For browsers that do not support password hashing, the PROTECT attribute is simply ignored and the field is submitted as it would be otherwise.

Implementation

Deepnet Explorer 1.4 supports two hashing algorithms, MD5 and SHA1. To add hashing protection, simply add "Protect=[hash algorithm]" to the input element:

<input name="password" protect="md5">

or,

<input name="password" protect="sha1">

Deepnet Explorer uses the following functions to calculate the hash:

Hash=MD5(input_data@domain_name)

or,

Hash=SHA1(input_data@domain_name)

The hash data sent to the web site is encoded in hexadecimal and prefixed with "protect:md5:" or "protect:sha1:", e.g.

protect:md5:f96b697d7cb7938d525a2f31aaf161d0

protect:sha1:90d925d853c3d35cd54070bb75280fefad9de9e7

The hash data is not case sensitive: the hexadecimal digits may be sent in upper or lower case.

How It Works!

How to retrieve the domain name

The domain name of the web site is sent by the browser in the Host field of the HTTP request header; the web server exposes it to server-side code as the HTTP_HOST server variable.

In ASP, to retrieve the domain name, you simply call:

Request.ServerVariables("HTTP_HOST")

How to calculate the hash

Copy MD5.js and SHA1.js to the directory where the HTML file resides.

In ASP, insert the following code:

<script runat="server" language="javascript" src="md5.js"></script>
<%
' Recompute the browser's value on the server: MD5 of "password@domain",
' using hex_md5() from md5.js, which returns the digest as a hex string.
data=Request("password") & "@" & Request.ServerVariables("http_host")
hash=hex_md5(data)
%>