As you might have noticed, many web sites have recently been attacked and many passwords leaked. As soon as that happened, many bad guys tried to use those passwords on other sites to gain access to user accounts. Although we all know that we should have a separate password for each account, this is hard to impossible to achieve in practice. Human brains have not evolved to remember randomly generated, meaningless strings.
Of course, there are existing technical solutions, like file-based or cloud-based password stores. Those encrypt the passwords you use with a master key. However, you always have to have the file with you or, in the case of cloud-based systems, have to trust another party.
It is not recommended to use AnyHash for critical sites (e.g. banking, e-mail, webshops with saved bank accounts), as you could lose your master password to malware running in your browser or on your operating system. An attacker who has it can then calculate all your other passwords. However, this can be mitigated by not using the real name of the site, but an easy-to-remember word or, better, a sentence as the site name / token.
AnyHash combines your master password with the site you need the password for. Based on the combination result, a new password is calculated.
All this is done locally in your browser. So there is no risk that your master password is sniffed from the network. The crypto is done by a quality third-party module (SJCL).
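The derivation described above, as an added example that is not AnyHash's own code: it uses Node's built-in crypto module in place of SJCL, and the PBKDF2 construction, iteration count, output alphabet and function names are assumptions.

```javascript
// Added illustration, not AnyHash's own code. Node's built-in crypto stands in
// for SJCL; the KDF, iteration count and alphabet are assumptions.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor, slows master-password guessing
// Exactly 64 symbols, so (byte & 63) selects each one with equal probability.
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + 'abcdefghijklmnopqrstuvwxyz' + '0123456789' + '-_';

// Canonicalise the site name / token so a stray space or a different Unicode
// form of the same text does not silently produce a different password.
function normalizeToken(siteToken) {
  return siteToken.normalize('NFKC').trim();
}

// Derive the password for one site from the master password and site token.
function derivePassword(master, siteToken, length = 16) {
  const token = normalizeToken(String(siteToken));
  if (!master || !token) throw new Error('master password and site token are required');
  if (length < 1 || length > 64) throw new RangeError('length must be 1..64');
  // The token is used as the PBKDF2 salt: the same inputs always give the same
  // password, and any change to the token gives an unrelated one.
  const key = crypto.pbkdf2Sync(master, 'site:' + token, ITERATIONS, length, 'sha256');
  return Array.from(key, (b) => ALPHABET[b & 63]).join('');
}

// Constructed sample inputs.
const master = 'correct horse battery staple';
const byName = derivePassword(master, 'example.com');
const byToken = derivePassword(master, 'where I buy my coffee beans');
console.log(byName, byToken);
```

Nothing is stored: the password is recomputed from the two inputs each time it is needed. The same property means that anyone who holds the master password and knows the token can recompute it, which is why a private sentence is a better token than the site's real name.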
AnyHash, a password derivation tool.
© Christian Goehl 2012 <christian.goehl@gmx.net>
Licenses:
All registered trademarks are property of their respective owners.