password BYOSalt

[whitebread]

I'm tired of websites not taking security seriously. You never know if a site is using proper techniques for securing your data (e.g. hashing passwords, using a salt, ...)

I made an app (for iPhone & iPod Touch) called "BYOSalt" (as in, "Bring Your Own Salt :p). If there is interest, I can port it to OS X, Windows, BlackBerry, etc. without much difficulty.

Basically, you enter the site's URL, your username, email address, and password. Then, you click "Generate Code." It calculates the hash (using bCrypt), and implements a salt. You end up with a long alphanumeric string, from which you can choose the length of your password.

In theory, say I (or someone) ported it to Windows/OS X/etc, you'd have no need to shorten the password at all. So while it omits symbols from the password, it does provide a password long enough that brute-forcing is unlikely.

The main advantage to this app is that, even if your password is stored in plaintext by the site, the underlying password is protected (so if you DO use the same master password across multiple sites, if one site is breached, you don't have to worry about the other sites as the URL is part of the plaintext before it is hashed -- it acts as part of the per-site salt... meaning your actual password is never exposed).

I just put it together today. If I'm on to something, or if there is interest, I'll improve it and add features. If it's a stupid idea, I'll just trash the project as I don't have much investment in it at this point.

Let me know what you all think :)

P.S. I'm not much of a UI designer... So, forgive the ugliness :blush:

[Rudy]

The point of the salt is to take a fairly simple password and make it fairly hard to crack. Might as well just input garbage in the password field and use a password software to remember that garbage (same end result)

[Matthew_Thepc]

great idea, and if I had an iOS device I'd use it.

But why would you even need to use a password in the first place? just put in some random numbers and it should work fine :)

If you could somehow integrate this with the mobile browser and then use it for all <input type="password"> fields that would make it amazing.