Stanford University’s Password Hash
August 30th, 2006

In May 2006, nearly 12,000 malicious phishing Web sites were identified by the Anti-Phishing Working Group, a Los Altos, Calif.-based industry association focused on eliminating the scams. That’s up from 3,300 sites a year earlier. Phishing scams trick users into sending their passwords to an unintended Web site — often unlocking access to bank accounts or other financial data.
But some professors and students at Stanford University are taking a big bite out of this crime with Password Hash (PwdHash), a plug-in for popular Web browsers that prevents phishing sites from getting what they want. When a user adds “@@” to the beginning of a password while registering on a Web site, PwdHash combines the user’s password with the site’s domain name in an algorithm that customizes a password for the user.
If a password is stolen by a malicious site, it won’t work on the authentic site, even though you typed in the same password. Although the idea of adding a cryptographic hash function to a password isn’t new, the PwdHash team has advanced the technology by making it easy enough for end users to apply.
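The domain-binding idea described above, as an added sketch that is not PwdHash's own code or algorithm: HMAC-SHA256 stands in for the hash step, the full host name stands in for the site's domain, and the function names, domains and password are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"  # the marker the article says users type before a password


def site_domain(url: str) -> str:
    """Return the lowercased host of the page that will receive the password.

    Assumption: the full host name is used. A production tool would reduce
    it to the registrable domain so that www. and login. hosts agree.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def site_password(typed: str, url: str, length: int = 16) -> str:
    """Derive a per-site password from the typed password and the page's domain.

    Input without the @@ prefix is returned unchanged, so ordinary form
    fields keep working.
    """
    if not typed.startswith(PREFIX):
        return typed
    secret = typed[len(PREFIX):].encode("utf-8")
    # Swapped-in primitive: the article names no specific hash function.
    mac = hmac.new(secret, site_domain(url).encode("ascii"), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode("ascii")[:length]


if __name__ == "__main__":
    typed = "@@correct-horse"  # constructed sample password
    pages = [
        "https://bank.example/login",                    # authentic site
        "https://bank-example.secure-login.test/login",  # look-alike site
    ]
    for page in pages:
        # The same typed password yields a different value per domain, so
        # what the look-alike site captures does not match the value the
        # authentic site has on record.
        print(f"{site_domain(page):35} {site_password(typed, page)}")
```

A single HMAC is fast to compute, so a captured site password can still be used to test guesses at a weak master password offline; a slow key-derivation function such as PBKDF2 raises that cost.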