Cracking PwdHash: A Bruteforce Attack on Client-side Password Hashing
Accepted version
Peer-reviewed
Authors
Llewellyn-Jones, D
Rymer, G
Abstract
PwdHash is a widely-used tool for client-side password hashing. Originally released as a browser extension, it replaces the user’s password with a hash that combines both the password and the website’s domain. As a result, while the user only remembers a single secret, the passwords received are all unique for each site. We demonstrate how the hashcat password recovery tool can be extended to allow passwords generated using PwdHash to be identified and recovered, revealing the user’s master password. A leak from a single website can therefore compromise a user’s account on other sites where PwdHash was used. We describe the changes made to hashcat to support our approach, and explore the impact this has on speed of recovery.
Keywords
passwords, password cracking, brute-force attacks, user authentication
Journal Title
Lecture Notes in Computer Science
Publisher
Springer
Sponsorship
David Llewellyn-Jones thanks the European Research Council for funding this research through grant StG 307224 (Pico). Graham Rymer thanks the Cabinet Office/OCSIA for their financial support.