Skip to content

Prefix input to make hash lookup harder #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tomlankhorst wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Prefix input to make hash lookup harder #7

tomlankhorst wants to merge 1 commit into from

Conversation

@tomlankhorst
Copy link

@tomlankhorst tomlankhorst commented Dec 9, 2021
edited
Loading

Right now, sha1(input) is exposed in the URL.
For short and well-known passwords, hashes can be looked up easily.
E.g. https://www.google.com/search?q=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
This URL exposes the password, and it's saved in browsing history.
By prefixing the password with a string, such lookups are harder.

This breaks existing passwords.

Far better would be a real salt, but that would require the salt state to be embedded in the page (https://en.wikipedia.org/wiki/Salt_(cryptography)).

@tomlankhorst
Prefix input to make hash lookup harder
ae45d14 
Right now, `sha1(input)` is exposed in the URL. 
For short and well-known passwords, hashes can be looked up easily. 
E.g. https://www.google.com/search?q=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
This URL exposes the password, and it's saved in browsing history. 
By prefixing the password with a string, such lookups are harder.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tomlankhorst