Delving into Hashes: Functions, Algorithms and Applications
What is a derivative password manager?
In today's digital world, password security is more important than ever. Because cybercriminals are constantly looking for new ways to access our accounts and steal our data, one of the best ways to protect yourself is to use strong, unique passwords for each account.
However, remembering strong and unique passwords for all of our accounts can be difficult. That is why the use of password managers is an increasingly popular solution. In general, the authentication data in a traditional password manager incorporates both the user and password into a single data set that is encrypted with a master password. Knowledge of the master password reveals the entirety of the authentication data protected by the traditional manager and therefore, an attack aimed at determining a single critical piece of data can result in a catastrophic security breach.
LISTHASH implements a new form of password management that incorporates multiple checkpoints and allows for absolute privacy of user authentication data. By employing hash functions it provides the necessary mechanisms to create strong and secure passwords derived from user-supplied data in the password generation process. We thus call LISTHASH a derivative password manager, since from a base data it derives in a chaotic but deterministic way new data that are complex enough to be used as passwords.
What is password derivation from a master seed?
Password derivation from a master seed is a method for generating secure and unique passwords from a secret piece of data, known as a master seed. The master seed can be a phrase, a piece of text, or a series of data whose only condition is to be long and complex enough to be difficult for an attacker to guess, but which can be remembered by a user with extensive knowledge of digital security.
Once you have a master seed, you can use a hash function to generate unique passwords for each account. As we have already discussed, a hash function is a mathematical function that takes an input (in this case, the master seed) and converts it to an output (in this case, the password). The output of the hash function is always the same for the same input, but it is impossible to invert the function to get the input from the output.
How do hashes work to create passwords?
Using hashes to create passwords is a simple, yet effective way to protect authentication data. By combining a memorable but statistically complex phrase, key or dataset with a secure hash function, you can create unique, hard-to-guess passwords that will keep your data safe from cybercriminals. The basic process to follow is as follows:
1. Choose a phrase, key or piece of data that represents a complex and secure, but easily remembered piece of information that is not easy to bind to the user, this will be the seed. For example, a fragment of a book, a specific image, a piece of data visible to the naked eye but indeterminate for an attacker.
2. Use a hash function such as SHA-256 to convert the seed into a unique hash value and a fundamental and intermediate piece for authentication data retrieval.
3. Adding salt, or “salting”, to increase security. The salting in this case is a secret value, for example a master password, which is combined with the seed before the hash function is applied a second time, making it even more difficult for an attacker to crack the finally retrieved password.
4. Map the result of applying the final hash function to a string of alphanumeric characters from the seed that can be used as a password.
Are there any risks in using password derivation from a master seed?
The main risk of using password derivation from a master seed is that if you lose your master seed or do not remember it, or forget the data used to salt the seed, it will be impossible to access your accounts. Therefore, it is important to choose a master seed that can be remembered only by the user but impossible for an attacker to determine.
LISTHASH Checkpoints
To achieve absolute privacy and the generation of strong and secure passwords, LISTHASH establishes three control points in its derivation process:
1. Seed: Initially, a seed is used which not only provides a unique and secure data, but also the set of characters that will be used by the manager for password generation. LISTHASH requires that the seed contains at least 62 different characters to be admitted in the application.
2. List of accounts: Each account registered in LISTHASH has a unique identifier and is represented with the service data, user and the length of the password to be generated, these data are encrypted by default to be able to export them out of the device that stores them.
3. Secret codes: 3. Secret codes: Finally, for the generation, the user provides secret codes that only he can remember. These codes have the role of adding “salt” to the final password generation, increasing the uncertainty of the result of the hash functions.
Important: Not having the specific information at any of the above checkpoints implies the impossibility of accessing the correct authentication data. Therefore, only comprehensive knowledge of the specific data at each checkpoint will allow a password to be recovered. This process ensures that a breach of up to two checkpoints is useless for an attacker in his attempt to obtain the user's authentication data.
In addition, conventional password managers provide a clear signal to an attacker when they succeed in compromising the master password, since only decryption generates a readable result that allows access to the authentication data. In contrast, LISTHASH checkpoint data always produces readable but invalid authentication values, since only accurate and correct data at each checkpoint will match a valid authentication data. A brute force attack under these conditions is even more inefficient, as it requires testing every possible combination directly on the service bound to an account, and this type of attack can be quickly mitigated by exceeding the errors admissible by a service.
With LISTHASH, the user of the manager is not forced to give up his privacy or to entrust the security of his data to a hackable cloud service.