Hash It!

The average Internet user typically needs to remember at least a dozen passwords for different web sites if he does not want to fall back to the bad habit of using the same password across multiple web sites. Unfortunately, the capacity of the human brain is quite limited when it comes to remembering secure passwords. Common workarounds such as writing down passwords are not really an option from a security point of view.

This is where Hash It! gets into the game. Based on a concept originally implemented by Steve Cooper with the Password Hasher extension for Mozilla Firefox it allows you to use a unique password per site while you have to remember only a single (or a few) secret master keys.

Concept

Hash It! uses a cryptographic (one-way) MAC function to derive a site-specific password from the web site's URL and a secret password in a deterministic and non-reversable fashion:

Hash It! Block Diagram
This way, each web site will use a distinct password, which cannot be reversed to the secret master key. So, should any web-site specific password be compromised, all other passwords generated from the same secret master key will be unaffected.

Installation

Hash It! is available on the Android Market. Install it by clicking here from within the Android Web Browser. Alternatively, just scan the QR Code below:

Screenshots

Hash It!'s main screen Launching Hash It! directly from the Web Browser

Usage

Hash It! interacts with other applications such as Android's Web Browser via the "Share page" feature. Whenever you come across a web site that needs a password either previously created via Password Hasher or Hash It!, select "Share page" from the browser menu and click the "Hash It!" entry. Hash It! will open with the Site Tag automatically set for your site. Depending on your security needs or web site constraints you may want to change the hashing parameters either for the current Site Tag (click on the "Parameters" tab) or globally (click on "Defaults" after pressing the menu button on your phone).
Enter your Master Key (which will be typially the same for all or - at least - most sites) and hit the "Hash Password" button. After that Hash It! will automatically copy the resulting Hash Word to the clipboard. Hit the back button on your phone and paste the calculated password into the browser's password entry field.

Note: Hash It! will keep track of the setting you used for a given Site Tag. Under no circumstances will it save your Master Key to persistent storage or send it across the network.

Compatibility

Hash It! is designed to be compatible with the hashing algorithm used by the Password Hasher Firefox extension and also supports the "Private Key" extension from Password Hasher Plus for Google Chrome.

Bug Reports / Feedback

Found a bug or would like to provide feedback? Feel free to drop an e-mail to android@ginkel.com.

Source Code

Hash It's source code is available under the GPLv3 on GitHub at: http://github.com/ginkel/hashit. Feel free to contribute enhancements or fixes to the code base.

Change Log

Version 1.3.2

  • BUG: Fixed Force Close (UnsupportedOperationException) on history addition
Version 1.3.1
  • BUG: Fixed tag/preferences issues introduced by "Private Key" feature
Version 1.3.0
  • FEATURE: Added support for Password Hasher Plus "Private Key" extension
  • FEATURE: Configurable Master Key caching (enable in settings)
  • FEATURE: Automatically return to browser after hashing (enable in settings)
  • BUG: Fixed duplicate hashing when using keyboard to trigger hash calculation
  • BUG: Improved HTC Sense keyboard compatibility
  • OPTIMIZATION: APK size optimizations
Version 1.2.1
  • BUG: Fixed Force Close (UnsupportedOperationException) when hashing password with site tag history enabled
  • BUG: Fixed Force Close (StackOverflowError) on Android 1.5 when switching tabs
Version 1.2.0
  • FEATURE: Enabled Apps2SD for Android 2.2 (FroYo)
  • FEATURE: Site Tag history (Android 1.6 and above) [can be disabled in Settings]
Version 1.1.0
  • FEATURE: Support for country code second-level domains (e.g., .co.uk)
Version 1.0.2
  • BUG: Fixed Force Close (StackOverflowError) on Android 1.5
  • BUG: Improved reliability of Site Tag propagation
Version 1.0.1
  • BUG: Fixed site tag restoration / input focus on tab switch
  • FEATURE: Calculate Hash Word on enter key press in the Master Key input control
Version 1.0.0
  • Initial Release