PwdHash, from the Security Lab at Stanford University, is a browser extension (available for Internet Explorer, Firefox and Opera) that converts a user’s password into a domain-specific password. PwdHash reads any password fields in a web form and dynamically replaces their contents with unique strong passwords.
The unique password is generated automatically by combining the user-specified password with the domain name of the web site and computing a one-way hash of the result. As a result, the web site only sees a domain-specific hash of the password, as opposed to the password itself. This also relieves the user of having to remember a separate password for each online account. You can always use the same password, and let PwdHash hash it before it is actually sent.
In addition, a major benefit of using PwdHash is that it can help mitigate the impact of phishing attacks. If you accidentally click on a link to a site purporting to be a legitimate web site (for example, your bank) and enter your password, PwdHash will automatically replace your password with a hash of your password and the phisher’s domain. Unless the phisher managed to take control of the real domain (then nothing will help you…), the phisher will get an incorrect password.
Installing PwdHash is very simple: just download the extension for your browser, install it and restart the browser. PwdHash is selectively triggered for password fields by either prefixing the password with @@ or pressing the hot-key F2.
For users who spend most of their time working on remote computers, PwdHash offers a web-based implementation of the hashing algorithm. The hashing process is executed within the context of your browser, and no information is stored or transmitted.
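The scheme described above, sketched as an added example (not PwdHash's own code): a password typed with the @@ prefix is replaced by a hash bound to the page's domain, so a look-alike host receives a different value than the real site. The use of HMAC-SHA256, the base64 truncation, the two-label domain rule and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

TRIGGER = "@@"  # prefix the article says switches hashing on for a field


def site_domain(url):
    """Reduce a URL to the domain that is mixed into the hash.

    Assumption: the last two host labels stand in for the registrable domain.
    Real code needs the Public Suffix List (e.g. for names under co.uk).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return ".".join(host.split(".")[-2:])


def domain_password(master, url, length=16):
    """Per-site password: HMAC keyed by the master password over the domain.

    HMAC-SHA256 and base64 truncation are choices made for this example.
    """
    mac = hmac.new(master.encode(), site_domain(url).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]


def submitted_value(typed, url):
    """What the site receives for a password field on the page at `url`."""
    if typed.startswith(TRIGGER):
        return domain_password(typed[len(TRIGGER):], url)
    return typed  # no trigger: the field is sent as typed


if __name__ == "__main__":
    # Constructed sample input: a real login URL and a look-alike host.
    real = "https://login.bank.example/signin"
    fake = "https://login.bank.example.evil.test/signin"
    for url in (real, fake):
        print(site_domain(url), submitted_value("@@correct horse", url))
```

The look-alike URL starts with the real host name but reduces to a different domain, which is why the value it captures is useless on the real site. Because the derivation is a single fast hash, the typed password itself still needs to be hard to guess.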