Re: RFR: package mozilla-pwdhash description
Jonathan Wiltshire wrote:
> + Description: per-site password generator for Iceweasel and Iceape
Iceape only exists in Etch.
> + PwdHash is a browser extension to transparently convert a user's
> + password into a site-specific password which is not tied to the
> + machine on which it was generated.
> + .
> + Hashing is triggered by prefixing the password with '@@' or by using
> + the shortcut key 'F2'. The password field in focus is replaced by the
> + hash value. Should the site be compromised, the attacker can now only
> + see the hash of the password, not the password itself.
I can't improve on this.
> + PwdHash does not encrypt passwords, but it makes brute-force attacks
> + much less likely to succeed. It is particular useful for protection
> + against phishing sites, because the attacker
> + sees only a hash specific to the site hosting the
> spoof page. This hash is useless at the site that the phisher intended to
Maybe shrink it to:
PwdHash does not encrypt passwords, but it makes brute-force attacks much
less effective. It also means phishing sites can only steal a hash that's
specific to the spoof page and useless on the site being imitated.
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package