I recently attended a 1.5 day conference put on by the ASSERT Center at the University of Alaska Fairbanks. Yes, this is the school that exposed my personal information to hackers, and the conference host is the department that received the award from Homeland Security. Aargh.

But I digress. One of the few interesting sessions at the conference was by Mario Garcia of Texas A&M University in Corpus Christi. He talked about PwdHash, an interesting tool developed by a few folks at Stanford University.

The idea is that when you go to a site that requires a password, you type a special trigger sequence (by default, “@@”) in the password field, followed by your password. PwdHash then computes a hash over that password and the domain of the Web page, and the hash, not what you typed, is what gets sent to the site. Since the site only ever sees the hash, you’d need to create a new password through PwdHash, or update an existing password to its hashed form.

The protection from phishing comes from the domain being folded into the hash. If you enter your PayPal password on a phishing site, the phisher’s domain goes into the hash, so what the phisher captures is not your PayPal password and is unusable on PayPal. It also helps with weak passwords, in a limited sense: the site receives the hash, which looks like a strong random password, so online guessing against the site gets an attacker nowhere. It is not a full fix, though. The domain is public and the scheme is known, so anyone who captures the hashed password (a phisher, or an attacker holding a site’s leaked password database) can still run an offline dictionary attack against the underlying password.

There may be ways to attack this. For example, I need to check into the security of the key used for hashing. But it sounds like a big step up in security and worth looking at. They have extensions for IE and Firefox.