Make your passwords stronger, without additional memorization effort.

With FortifyPassword, you can transform one of your passwords into a new one more robust against brute-force attacks, without the inconvenience of having to remember a longer, more complicated password.

How does it work?

Suppose you want to create an account on a website:

REMEMBER THE PASSWORD YOU PASSED INTO THE EXTENSION FORM (not the fortified password). Later, each time you want to log in to your newly created account, you'll need to retype your password in the extension form, regenerate the fortified password, then paste it into the site authentication form.

NO PASSWORD IS STORED ON YOUR MACHINE OR ELSEWHERE. MAKE SURE YOU REMEMBER THE PASSWORD YOU TYPED INTO THE EXTENSION FORM, AS IT'S NOT STORED ANYWHERE. THIS EXTENSION IS NOT A PASSWORD MANAGER.

THIS EXTENSION GIVES NO MINIMUM GUARANTEE OF SECURITY, AND IT'S UP TO YOU TO FULLY UNDERSTAND WHAT'S GOING ON BEHIND THE SCENES (READ A BRIEF EXPLANATION BELOW).

How does it work inside?

We use a "key stretching" method to create, from one password, a new password more robust against brute-force attacks. No password is stored on your machine or on a remote server. The same password will always generate the same fortified password (our algorithm is deterministic).

Let's take an example:

To guess a 10-character password (containing only lower-case letters) by brute force, an attacker would have to test around 26^10 combinations before hoping to obtain the correct password. Let's assume that the attacker can test 10^13 passwords per second (for the technically minded: this speed seems to match what €1,500 of hardware specializing in SHA-256 can provide as of June 2023). It will then take around 14 seconds to guess your 10-character password (26^10 / 10^13).

But if we can multiply by 1 million the time an attacker takes to test a single password, guessing your password will take not 14 seconds but 5 months. That's all well and good, but how do you actually increase the time taken for each test? That's where "key stretching" comes in: simply put your password through a series of time-consuming transformations. Instead of testing "12345" directly, the attacker must first transform "12345" with our (lengthy) algorithm and then test the algorithm's result. For someone who actually knows the password (you), waiting 1 second instead of a microsecond is almost imperceptible. But for someone testing billions and billions of passwords (an attacker), this time difference is much more visible.

These calculations are only examples, meant to help you understand how it works: the additional difficulty (for the attacker) created by this password fortification will depend on a huge number of circumstances, changing from one website to another, making it impossible to calculate even an order of magnitude.
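The sketch below is an added example, not the extension's own code: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the unspecified stretching algorithm, and reproduces the 14-second and 5-month figures from the text. The salt, the iteration count and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import time

# Assumptions for illustration (not taken from the extension):
SALT = b"example-fixed-salt"   # constructed value; fixed so the output is deterministic
ITERATIONS = 200_000           # work factor: more iterations = slower per guess


def fortify(password: str, iterations: int = ITERATIONS, length: int = 24) -> str:
    """Deterministically stretch `password` into a longer derived password."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), SALT, iterations, dklen=length
    )
    # 24 bytes encode to exactly 32 URL-safe base64 characters (no padding).
    return base64.urlsafe_b64encode(derived).decode("ascii")


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what one stretched guess costs on this machine (best of N runs)."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        fortify("constructed-sample", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def exhaustive_search_seconds(alphabet: int, length: int,
                              guesses_per_second: float,
                              slowdown: float = 1.0) -> float:
    """Time to try every candidate when each guess costs `slowdown` times more."""
    return (alphabet ** length) / guesses_per_second * slowdown


if __name__ == "__main__":
    # Same input always yields the same fortified password.
    print(fortify("correct horse"))
    print(f"one guess at {ITERATIONS} iterations: "
          f"{seconds_per_guess(ITERATIONS):.3f} s on this machine")
    # The page's figures: 26^10 candidates at 10^13 guesses per second.
    plain = exhaustive_search_seconds(26, 10, 1e13)
    stretched = exhaustive_search_seconds(26, 10, 1e13, slowdown=1e6)
    print(f"unstretched: {plain:.1f} s, stretched x1e6: {stretched / 86400:.0f} days")
```

The measured per-guess time applies to the machine running the script; an attacker's hardware may evaluate the same function at a very different speed, which is why the text treats the figures as illustrations only.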

Warning: