Re: RFR: package mozilla-pwdhash description
Thank you Jonathan and Justin. Your comments are much appreciated!
On 2009-06-05 at 13:04:00, Jonathan Wiltshire wrote:
> PwdHash doesn't covert the password autonomously, it's a tool for a user
> to leverage. (yes?)
That's right, it only kicks in if you prefix F2 or prefix your password with
@@.
> I would avoid putting the prefix or shortcut key values in if you can,
> in case they ever change or can be customised. It's one less thing to
> check after a new upstream release.
It's a very good point, however in this case, the shortcuts are not
configurable and I'd be _very_ surprised if a new upstream version changed
them.
On 2009-06-05 at 14:33:32, Justin B Rye wrote:
> Iceape only exists in Etch.
Oh I hadn't noticed it was gone, good catch!
On 2009-06-05 at 14:39:33, Jonathan Wiltshire wrote:
> In fact now I think about it, either the package name should be
> iceweasel-pwdhash (or similar) or this should say 'for Mozilla browsers'.
Yes, I've changed to Mozilla-browsers. I'm hesitant to call it
iceweasel-pwdhash because that might lead to extra work for the Ubuntu
maintainers.
Here is the final version:
Description: per-site password generator for Mozilla browsers
PwdHash is an browser extension to transparently convert a user's
password into a site-specific password which is not tied to the machine on
which it was generated.
.
Hashing is triggered by prefixing the password with '@@' or by using
the shortcut key 'F2'. The password field in focus is replaced by the
hash value. Should the site be compromised, the attacker can now only
see the hash of the password, not the password itself.
.
PwdHash does not encrypt passwords, but it makes brute-force attacks much
less effective. It also means phishing sites can only steal a hash that's
specific to the spoof page and useless on the site being imitated.
.
This extension is compatible with Iceweasel, Firefox and Seamonkey.
If you have any final comments, please CC me on your replies.
Cheers,
Francois
Reply to: