ericwoodruff / passwordhasherplus

Password Hasher Plus
http://goo.gl/LyLk3

master key is visible to the site you are on #27

Closed notEthan closed 10 years ago

notEthan commented 10 years ago

as you type your master key into the password field, before it is hashed, your master key is entirely accessible to the site you are typing it into (using javascript, getting the value of the field).

the firefox extension uses a dialog of the browser chrome rather than the page elements to input the master key and keep it separate from / inaccessible to the site. while this chrome extension's method of inputting the master key inline is a bit more natural and nicer, it seems to have this massive security vulnerability. the master key needs to be input in some way that is inaccessible to javascript on the site.

ericwoodruff commented 10 years ago

This is not a security vulnerability; given that an attacker doesn't have the private seed, the master key is virtually useless. Furthermore, the hashed value actually is the password to the site you are logging into, so if there is an interception of that value (which needs to be filled into the form no matter what), then the site password is compromised.

This extension has never claimed that it can protect against malicious javascript injected into the browser stealing passwords post-hash, or key loggers installed in your OS; all of that is beyond the scope of what this intends to do and I have no intention of replacing the input with a dialog for security theater. Use SSL and only visit trusted sites and use trusted equipment.

notEthan commented 10 years ago

having migrated from the firefox extension (and also desiring greater portability to not require private data that is not in my head) I am using the compatibility mode.

obviously the post-hash password is available to the site - this is not about that. this is only about the master key which you type in, which should be private and not available to any site.

ericwoodruff commented 10 years ago

The master key should never actually be a password to anything. Also the likelihood of a targeted attack that knows about the hashing is too remote for me to be concerned about it. You're welcome to fork the extension or propose a pull request with a dialog option.

On Sep 3, 2014 2:33 PM, "notEthan" notifications@github.com wrote:

> having migrated from the firefox extension (and also desiring greater portability to not require private data that is not in my head) I am using the compatibility mode.
>
> obviously the post-hash password is available to the site - this is not about that. this is only about the master key which you type in, which should be private and not available to any site.


notEthan commented 10 years ago

the master key is effectively the password to everything generated by this hashing method. the latter argument is security-by-obscurity which is not sufficient. I am not so familiar with chrome extension development, but I may have a crack at it.
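
Added example, not part of the thread and not the extension's code: a small model of the two positions above, comparing what a page can read under inline entry versus dialog entry, with and without a private seed. The derivation (HMAC-SHA256 over a site tag), the function names, and treating compatibility mode as an empty seed are assumptions made for illustration; all values are constructed.

```javascript
const crypto = require('crypto');

// Hypothetical derivation (assumption, not Password Hasher Plus's algorithm):
// HMAC-SHA256 keyed with privateSeed + masterKey over the site tag.
function derive(masterKey, privateSeed, siteTag, length = 16) {
  return crypto.createHmac('sha256', privateSeed + masterKey)
    .update(siteTag)
    .digest('base64')
    .slice(0, length);
}

// Inline entry: the page's own field first holds the typed master key,
// then is overwritten with the hash. Returns every value the page could read.
function inlineEntry(masterKey, privateSeed, siteTag) {
  return [masterKey, derive(masterKey, privateSeed, siteTag)];
}

// Dialog entry (browser chrome): only the finished hash reaches the page.
function dialogEntry(masterKey, privateSeed, siteTag) {
  return [derive(masterKey, privateSeed, siteTag)];
}

// Does anything the page observed reproduce the password of another site?
// The observer never holds the private seed, so it can only use an empty one.
function exposesOtherSite(observed, otherPassword, otherTag) {
  return observed.some((value) => derive(value, '', otherTag) === otherPassword);
}

// Runs one combination: which entry method, and which seed ('' = no seed).
function scenario(entry, privateSeed) {
  const master = 'constructed-master-key'; // constructed sample value
  const observed = entry(master, privateSeed, 'site-a.example');
  const otherPassword = derive(master, privateSeed, 'site-b.example');
  return exposesOtherSite(observed, otherPassword, 'site-b.example');
}

const seed = 'constructed-private-seed'; // constructed sample value
console.log('inline, no seed   :', scenario(inlineEntry, ''));
console.log('inline, with seed :', scenario(inlineEntry, seed));
console.log('dialog, no seed   :', scenario(dialogEntry, ''));
console.log('dialog, with seed :', scenario(dialogEntry, seed));
```

In this model only the combination of inline entry and no private seed lets the visited page reproduce another site's password, which is the configuration notEthan describes; either a private seed or entry outside the page closes that path.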