
Bug#531958: ITP: mozilla-pwdhash -- Per-site password generator for Iceweasel and Iceape



Package: wnpp
Severity: wishlist
Owner: Francois Marier <francois@debian.org>

* Package name    : mozilla-pwdhash
  Version         : 1.6
  Upstream Author : Collin Jackson <collinj@cs.stanford.edu>
* URL             : http://crypto.stanford.edu/PwdHash/
* License         : BSD
  Programming Lang: JavaScript
  Description     : Per-site password generator for Iceweasel and Iceape

PwdHash is a browser extension that transparently converts a user's password
into a domain-specific password. The user can activate this hashing by choosing
passwords that start with a special prefix (@@) or by pressing a special password
key (F2). PwdHash automatically replaces the contents of these password fields
with a one-way hash of the pair (password, domain-name). As a result, the site
only sees a domain-specific hash of the password, as opposed to the password
itself. A break-in at a low security site exposes password hashes rather than an
actual password. We emphasize that the hash function we use is public and can be
computed on any machine, which enables users to log in to their web accounts from
any machine in the world. Hashing is done using a Pseudo Random Function (PRF).

A major benefit of PwdHash is that it provides a defense against password
phishing scams. In a phishing scam, users are directed to a spoof web site where
they are asked to enter their username and password.  SpoofGuard is a browser
extension that alerts the user when a phishing page is encountered. PwdHash
complements SpoofGuard in defending users from phishing scams: using PwdHash the
phisher only sees a hash of the password specific to the domain hosting the
spoof page. This hash is useless at the site that the phisher intended to spoof.
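
The per-domain derivation described above, as an added example that is not part
of the original message and is not PwdHash's own code. It assumes HMAC-SHA-256
as the PRF and the page's hostname as the domain input; the function names and
sample URLs are constructed for illustration.

```javascript
// Added illustration of hashing the pair (password, domain-name).
const crypto = require('crypto');

const PREFIX = '@@'; // activation prefix named in the description

// Assumption: the domain input is the hostname of the page that receives the
// password. A real tool must decide how to treat subdomains (for example by
// reducing to the registrable domain with a public suffix list).
function siteDomain(pageUrl) {
  return new URL(pageUrl).hostname.toLowerCase();
}

// Assumption: HMAC-SHA-256 keyed with the user's password stands in for the
// PRF; the output is truncated to 16 base64 characters to fit password fields.
function sitePassword(typed, pageUrl) {
  if (!typed.startsWith(PREFIX)) return typed; // hashing not activated
  const master = typed.slice(PREFIX.length);
  if (master.length === 0) throw new Error('empty password after prefix');
  return crypto
    .createHmac('sha256', master)
    .update(siteDomain(pageUrl))
    .digest('base64')
    .slice(0, 16);
}

// Constructed sample: the same typed password on a site, on another page of
// that site, and on a look-alike host that embeds the site's name.
function demo() {
  const typed = '@@correct horse';
  return {
    real: sitePassword(typed, 'https://bank.example/login'),
    realOtherPath: sitePassword(typed, 'https://BANK.example/account?x=1'),
    spoof: sitePassword(typed, 'https://bank.example.phish.test/login'),
  };
}

console.log(demo());
```

The value submitted to the look-alike host differs from the one the real site
stores, so capturing it does not yield a credential for the real site.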
