pwdhash / pwdhash-webextension

PwdHash webextension for firefox
https://addons.mozilla.org/de/firefox/addon/pwdhash

respect spanish domains .com.es #1

Open ghost opened 7 years ago

ghost commented 7 years ago

Check if Spanish domains like a.com.es, b.com.es should be treated like .co.uk ...

reported by: https://addons.mozilla.org/de/firefox/addon/pwdhash/reviews/791903/

quassy commented 7 years ago

There are quite a lot more domains which should be added, according to the public suffix list initiated by Mozilla. Not sure all of them should be added, but the existing list in the domain extractor only covers a fraction of what's out there.

I have created a Gist based on the suffix list for easier parsing, separated into ICANN and private suffixes, maybe this can be used.

Sjord commented 7 years ago

I think it is a good idea to use the public suffix list, but this would break backward compatibility. Currently, a.github.io and b.github.io will use the same password. Using the public suffix list will solve that, but this would mean that users can no longer log in on both websites. Any ideas on how to handle this?

ghost commented 7 years ago

Yeah, backwards compatibility is tricky here; also, such a long domain list could slow down pwdhash.

So I would focus on domains relating to countries and cities, and commonly used ones, to reduce the domain list. Then users should be notified after the new list is implemented, so they know where to change their passwords (with a link to pwdhash.com for old-domain-list password generation).

Sjord commented 7 years ago

> such a long domain list could slow down pwdhash

One improvement to performance may be to lazy-load most scripts. Only load a small script on every page, and then only load the rest (MD5 algorithm, suffix list) when the user has pressed F2 or entered "@@".

One advantage of using the public suffix list is that the administration and updating of domain suffixes is out of your hands. You can simply copy their list to pwdhash once in a while.

> then users should be notified

I guess you could show a popup or a notice when the domain is different between the two suffix lists. But it would be hard to get the user interaction right without being annoying.
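The thread above raises three points that fit together: the current two-label extractor mishandles suffixes such as .com.es, a Public Suffix List (PSL) based extractor fixes that but changes the result for hosts like a.github.io, and users would need to be told when their hashed-password domain changes. The following is an added example, not code from the pwdhash-webextension project: it implements the PSL matching algorithm (longest matching rule, `*.` wildcards, `!` exceptions, implicit `*` fallback) over a small constructed subset of rules, a simplified stand-in for the extension's existing extractor (the real one is not reproduced here; `LEGACY_SUFFIXES` is an assumption), and a comparison function that reports whether the two disagree for a given host, which is exactly the condition under which a migration notice would be shown.

```javascript
// Constructed subset of Public Suffix List rules, in the list's own syntax
// (not the real file; it exists only so this example runs offline).
const SAMPLE_PSL = [
  "// ICANN section (constructed excerpt)",
  "com", "es", "com.es", "uk", "co.uk",
  "ck", "*.ck", "!www.ck",
  "// private section (constructed excerpt)",
  "io", "github.io",
];

// Parse PSL lines into rules: { exception: bool, labels: [..] }.
function parseRules(lines) {
  return lines
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("//"))
    .map((l) => {
      const exception = l.startsWith("!");
      return { exception, labels: (exception ? l.slice(1) : l).split(".") };
    });
}

// A rule matches when its labels equal the host's trailing labels ("*" matches any one label).
function ruleMatches(rule, hostLabels) {
  const n = rule.labels.length;
  if (hostLabels.length < n) return false;
  for (let i = 1; i <= n; i++) {
    const r = rule.labels[n - i];
    if (r !== "*" && r !== hostLabels[hostLabels.length - i]) return false;
  }
  return true;
}

// Public suffix per the PSL algorithm: an exception rule wins (suffix is the rule
// minus its leftmost label); otherwise the longest matching rule; otherwise "*".
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  const matches = rules.filter((r) => ruleMatches(r, labels));
  const exception = matches.find((r) => r.exception);
  let suffixLen;
  if (exception) suffixLen = exception.labels.length - 1;
  else if (matches.length === 0) suffixLen = 1;
  else suffixLen = Math.max(...matches.map((r) => r.labels.length));
  return labels.slice(labels.length - suffixLen).join(".");
}

// Registrable domain = public suffix plus one more label; null if the host is itself a suffix.
function registrableDomain(host, rules) {
  const labels = host.toLowerCase().split(".");
  const suffixLen = publicSuffix(host, rules).split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Assumption: a simplified stand-in for the extension's current extractor, i.e. a short
// hard-coded set of two-label suffixes with "last two labels" for everything else.
const LEGACY_SUFFIXES = new Set(["co.uk", "org.uk", "com.au"]);
function legacyDomain(host) {
  const labels = host.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  if (labels.length >= 3 && LEGACY_SUFFIXES.has(lastTwo)) return labels.slice(-3).join(".");
  return lastTwo;
}

const RULES = parseRules(SAMPLE_PSL);

// Report whether switching extractors would change the domain fed into the hash for this
// host, i.e. whether the user must regenerate (and change) the password on that site.
function passwordDomainChanged(host) {
  const legacy = legacyDomain(host);
  const psl = registrableDomain(host, RULES);
  return { host, legacy, psl, changed: legacy !== psl };
}

for (const h of ["a.com.es", "www.example.co.uk", "a.github.io", "www.example.com"]) {
  console.log(passwordDomainChanged(h));
}
```

Note the two directions of change: a.com.es and b.com.es collapse to "com.es" under the legacy rule (the bug in this issue) and become distinct under the PSL, while a.github.io and b.github.io, which currently share the password for "github.io", also become distinct, which is the compatibility break Sjord describes. The `changed` flag is the natural trigger for the one-time notice discussed in the last comment; exception and wildcard rules (`*.ck`, `!www.ck`) are included so the matcher is the general algorithm rather than a special case for the three hosts in the thread.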