Sentence Based Password Program - 16s

http://16s.us/sha1_pass/

I posted this last week. I did not get much feedback then. I wanted to post it to HN one last time. I call it SHA1_Pass. I have compiled Mac, Linux and Windows versions (working on a few BSD builds too). It would be neat if an Android/iOS dev would implement versions for those devices as well.

I won't rehash all the details in this post (read them at the URL if you like). It's not a web 2.0 app, so it's not snazzy and new, but I think it's a good idea. I've used it myself for many years now, and wanted to share it more broadly after the Gawker incident.
======
Mithrandir
I do like the idea, but there's one problem (though maybe not a big problem).
The user still has to be smart about making passwords. For example, if Alice
puts in "password" and clicks SHA-1 (same with another algo), she would get
"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8". If Mallory is smart enough to
think she'd choose "password" as her password, and sees
"353e8061f2befecb6818ba0c034c632fb0bcae1b" (hash of the hash), he can easily
figure it out. Basically, he just hashes all words in a dictionary before
attacking via brute-force.

Of course, if Alice chooses "HeLlOWoRlD13485443&$%3" or similar, then it's
harder for Mallory and even harder if she hashes it.

~~~
16s
I would hope users would use sentences rather than just one dictionary word.
Don't use 'password' for your password. But you have a point: humans will be
human. I could do checking for whitespace and length to mitigate that
possibility a bit. Thanks for the feedback.
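
As an added example (not SHA1_Pass's own code), here is a Python sketch of the derivation Mithrandir describes and the two defender-side checks discussed in this exchange: auditing a leaked hex password against a dictionary of hashes, including the hash-of-the-hash case, and the whitespace/length heuristic 16s mentions. The wordlist is constructed, and it is assumed that SHA1_Pass feeds the passphrase (or the previous hex digest) to the hash as UTF-8 text.

```python
import hashlib

# Constructed stand-in for a real wordlist; a real one is far larger.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]


def derive(passphrase: str, algo: str = "sha1") -> str:
    """SHA1_Pass-style derivation: hex digest of the passphrase.

    Assumption: the passphrase (or the previous hex digest, when hashing
    a hash) is fed to the digest as UTF-8 text.
    """
    return hashlib.new(algo, passphrase.encode("utf-8")).hexdigest()


def dictionary_match(observed: str, words, algo: str = "sha1", depth: int = 2):
    """Defender-side audit of a leaked hex password.

    Returns (word, rounds) if `observed` equals a dictionary word hashed
    `rounds` times (1 <= rounds <= depth), meaning the value is recoverable
    from a precomputed table of hashed words; returns None otherwise.
    depth=2 covers the "hash of the hash" case from the thread.
    """
    target = observed.lower()
    for word in words:
        h = word
        for rounds in range(1, depth + 1):
            h = derive(h, algo)
            if h == target:
                return word, rounds
    return None


def looks_like_sentence(passphrase: str, min_len: int = 16) -> bool:
    """The cheap input check 16s mentions: require some length and internal
    whitespace, so a lone dictionary word is rejected before hashing."""
    stripped = passphrase.strip()
    return len(stripped) >= min_len and " " in stripped


if __name__ == "__main__":
    weak = derive(derive("password"))  # Alice's hash of the hash
    strong = derive("my dog ate the homework in 2010")
    print("weak   ->", dictionary_match(weak, COMMON_WORDS))    # ('password', 2)
    print("strong ->", dictionary_match(strong, COMMON_WORDS))  # None
    print(looks_like_sentence("password"), looks_like_sentence(strong))
```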

------
16s
Whoops... I did not realize the URL was not clickable when doing a text
submission. <http://16s.us/sha1_pass/>