Stanford's Password Hash Phish Fighter

21.08.2006

When a user adds "@@" to the beginning of a password while registering on a Web site, PwdHash combines the user's password with the site's domain name in an algorithm that customizes the password for the user.

If a password is stolen from a malicious site, it won't work on the authentic site "although you typed in the same password," explains professor John Mitchell, who also led the team.
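The domain binding described above, sketched as an added example (not PwdHash's own code): HMAC-SHA256, the base64 encoding, the 16-character length, the two-label domain rule and all function names are assumptions made for illustration, and the URLs are constructed samples.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"  # marker the article says the user types before the password


def site_domain(url: str) -> str:
    """Return the last two labels of the URL's host.

    Simplification (assumption): a real tool needs a public-suffix list
    to handle names such as example.co.uk correctly.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return ".".join(host.split(".")[-2:])


def site_password(typed: str, url: str, length: int = 16) -> str:
    """Derive the value that is actually submitted to the site at `url`."""
    if not typed.startswith(PREFIX):
        return typed  # no marker: the field is left untouched
    secret = typed[len(PREFIX):].encode("utf-8")
    domain = site_domain(url).encode("utf-8")
    # Assumption: HMAC-SHA256 keyed with the user's password over the domain.
    digest = hmac.new(secret, domain, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


# Constructed sample: the same typed password on a genuine site and a look-alike.
typed = "@@correct horse"
genuine = site_password(typed, "https://login.bank.example/signin")
lookalike = site_password(typed, "https://login.bank-example.test/signin")

if __name__ == "__main__":
    print("genuine site receives:   ", genuine)
    print("look-alike site receives:", lookalike)
```

The look-alike site only ever sees a value derived from its own domain, so what it captures does not match the credential registered at the genuine site.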

Although the idea of adding a cryptographic hash function to a password isn't new, Mitchell and his team have advanced the technology by making it easy enough for end users to apply. But the project wasn't always their top priority.

Three years ago, Secret Service agents visited Stanford's engineering and computer science department to seek help in combating financial crimes. "I asked them, 'If we were to solve one problem for you, what would it be?'" Their answer: Web spoofing, now known as phishing.

Mitchell's team chose to attack the problem from the end user's point of view rather than try to persuade financial institutions to redesign their Web servers. By the summer of 2003, they created SpoofGuard, software that detects fraudulent Web sites. In the process, developers hit on the idea of also modifying the passwords sent out from the user. And so PwdHash was born as a stand-alone piece.