Cracking PwdHash: A Bruteforce Attack on Client-Side Password Hashing
Author(s): David Llewellyn-Jones, Graham Rymer

Date: December 7 2016
Publication: 11th International Conference on Passwords (Passwords16 Bochum)
Source 1: http://www.flypig.co.uk/papers/dlj-gr-passwords16.pdf

Abstract or Summary:
PwdHash is a widely-used tool for client-side password hashing. Originally released as a browser extension, it replaces the user's password with a hash that combines both the password and the website's domain. As a result, while the user only remembers a single secret, the passwords received are all unique for each site. We demonstrate how the hashcat password recovery tool can be extended to allow passwords generated using PwdHash to be identified and reversed, revealing the user's master password. A leak from a single website can therefore compromise a user's account on other sites where PwdHash was used. We describe the changes made to hashcat to support our approach, and explore the impact this has on speed of recovery.

PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=KKdHj4ur3Qo Project page: https://github.com/llewelld/pwdhash-poc


Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index





[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com