
Re: RFR: package mozilla-pwdhash description



Jonathan Wiltshire wrote:
> + Description: per-site password generator for Iceweasel and Iceape
                                                           ^^^^^^^^^^
Iceape only exists in Etch.
 
> + PwdHash is a browser extension to transparently convert a user's
> + password into a site-specific password which is not tied to the
> + machine on which it was generated.
> + .
> + Hashing is triggered by prefixing the password with '@@' or by using
> + the shortcut key 'F2'. The password field in focus is replaced by the
> + hash value. Should the site be compromised, the attacker can now only
> + see the hash of the password, not the password itself.

I can't improve on this.

> + PwdHash does not encrypt passwords, but it makes brute-force attacks
> + much less likely to succeed. It is particular useful for protection
                                                ^ly
> + against phishing sites, because the attacker 
> + sees only a hash specific to the site hosting the
>   spoof page. This hash is useless at the site that the phisher intended to
>   spoof.

Maybe shrink it to:

   PwdHash does not encrypt passwords, but it makes brute-force attacks much
   less effective. It also means phishing sites can only steal a hash that's
   specific to the spoof page and useless on the site being imitated.

-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package

