Request for review of a new package's description
(Please CC me on your replies, thanks!)
I'd like your comments on the following package description for
Description: Per-site password generator for Iceweasel and Iceape
PwdHash is a browser extension which transparently converts a user's
password into a domain-specific password. The user can activate this hashing
by choosing passwords that start with a special prefix (@@) or by pressing a
special password key (F2). PwdHash automatically replaces the contents of
these password fields with a one-way hash of the pair (password, domain-name).
As a result, the site only sees a domain-specific hash of the password, as
opposed to the password itself. A break-in at a low-security site exposes
password hashes rather than an actual password. The hash function that is used
is public and can be computed on any machine, which enables users to log in to
their web accounts from any machine in the world. Hashing is done using a
Pseudo Random Function (PRF).

A major benefit of PwdHash is that it provides a defense against password
phishing scams. In a phishing scam, users are directed to a spoof web site
where they are asked to enter their username and password. Using PwdHash, the
phisher only sees a hash of the password specific to the domain hosting the
spoof page. This hash is useless at the site that the phisher intended to

This description is mostly taken from the upstream site and to be honest,
I'm not very satisfied with it as a package description, but I'm not too
sure what to cut or how to improve it.
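
The scheme the description outlines, sketched as an added example that is not part of the original message and is not PwdHash's own code. It assumes HMAC-SHA256 keyed with the password as the PRF, a simplified "last two labels" rule for the domain, and hypothetical function names; the hosts and password are constructed samples.

```python
import base64
import hashlib
import hmac

PREFIX = "@@"  # activation prefix named in the description


def site_domain(host: str) -> str:
    """Reduce a host name to its domain.

    Assumption: keep the last two labels. Real code needs the Public
    Suffix List to handle suffixes such as co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(password: str, host: str, length: int = 16) -> str:
    """One-way hash of the pair (password, domain-name).

    Assumption: HMAC-SHA256 stands in for the PRF the description mentions.
    """
    mac = hmac.new(password.encode(), site_domain(host).encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode()[:length]


def fill_password_field(typed: str, page_host: str) -> str:
    """Return what the site receives for a password field.

    Values starting with the prefix are replaced by the per-domain hash;
    anything else is passed through unchanged.
    """
    if not typed.startswith(PREFIX):
        return typed
    return derive_site_password(typed[len(PREFIX):], page_host)


if __name__ == "__main__":
    typed = "@@correct horse"  # constructed sample input
    real = fill_password_field(typed, "www.bank.example")
    spoof = fill_password_field(typed, "bank.example.login.phish.test")
    # The spoof page is hosted under phish.test, so it gets a different hash.
    print(real, spoof, real != spoof)
```

Because the function is public and fast, a hash leaked from one site still allows offline guessing of a weak password, so the typed password needs enough entropy of its own.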