Stanford's Password Hash Phish Fighter

21.08.2006

The most difficult part was making PwdHash look easy. Some of the trickiest fake Web pages simply show an image or picture to indicate where to type a password instead of having "enter your password" written in text. "How would our software inside the browser know that the Web page is asking for their password? We had to know which data to apply this cryptographic hash to and which data to leave alone," Mitchell recalls.

That's when doctoral student Collin Jackson came up with the idea of adding the "@@" prefix to every password to tell the software which things are passwords and which aren't.
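The prefix rule described above, as an added sketch that is not PwdHash's own code: only a field value starting with "@@" is hashed, and everything else passes through untouched. The function names, the HMAC-SHA256 construction keyed by the password over the page's hostname, and the 16-character output are assumptions made for illustration; the sample URLs are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PASSWORD_PREFIX = "@@"  # the marker described in the article


def site_password(master: str, page_url: str, length: int = 16) -> str:
    """Derive a per-site password (assumed construction, not PwdHash's)."""
    host = urlsplit(page_url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("page URL has no host to bind the password to")
    digest = hmac.new(master.encode(), host.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


def transform_field(value: str, page_url: str) -> str:
    """Hash only values the user marked as a password; leave other data alone."""
    if not value.startswith(PASSWORD_PREFIX):
        return value  # ordinary form data (search terms, usernames, ...)
    master = value[len(PASSWORD_PREFIX):]
    if not master:
        return value  # a bare "@@" carries no password to hash
    return site_password(master, page_url)


if __name__ == "__main__":
    # Constructed sample input: the same typed password on two hosts.
    real = "https://bank.example/login"
    lookalike = "https://bank.example.login.test/login"
    typed = "@@correct horse"
    print("real site     :", transform_field(typed, real))
    print("look-alike    :", transform_field(typed, lookalike))
    print("non-password  :", transform_field("jsmith", real))
```

Because the hostname feeds the hash, the look-alike page receives a value that is useless at the real site, and the page never sees the typed password itself.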

Today, the software is available for free, with versions for the Internet Explorer and Firefox browsers. Mitchell is trying to persuade major browser vendors to include PwdHash in upcoming releases.

"This type of technology definitely has legs," says David Jevans, chairman of the Anti-Phishing Working Group.

"In the U.S., a lot of [Internet security work] is happening on the back end. But that's not going to be enough. The bad guys are always evolving."