waldyrious / hash-my-pass

A bookmarklet to generate unique passwords per website, based on a single master password.
http://waldyrious.github.io/hash-my-pass/bookmarklet.min.html

hash the master password into the bookmarklet #7

Closed waldyrious closed 10 years ago

waldyrious commented 10 years ago

So it's safe to store, and more convenient (one-click) to use. This means the final hash will have to be based on the hashed master password plus the domain; that will invalidate current passwords, so this is a breaking change. The good thing is HMP hasn't been released so hopefully nobody is using it yet :D

waldyrious commented 10 years ago

Well, actually the only reason to hash it is to prevent someone who gets access to the bookmarklet code from getting the master password, but since it's the hash that would be used to generate the site-specific passwords anyway, it would amount to the same security as before. The only advantage would be that the attacker couldn't get any potential info about the user from their choice of password. Thus, given that this would be a breaking change without any actual security advantage, I'll abandon the idea and close the issue for now.
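
The equivalence argued in the closing comment, as an added example (not part of the thread and not hash-my-pass's own code). It assumes SHA-256 and a hypothetical derivation `H(embedded + ":" + domain)`; all function names and sample values are invented for illustration.

```javascript
// Added illustration; NOT hash-my-pass's real algorithm.
// Assumptions: SHA-256, hex output, site password = first 16 hex chars.
const nodeCrypto = require('node:crypto');

function sha256Hex(text) {
  return nodeCrypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// Derivation shared by both designs: only the value embedded in the
// bookmarklet and the domain are needed to produce a site password.
function sitePassword(embedded, domain) {
  return sha256Hex(embedded + ':' + domain).slice(0, 16);
}

// Design A: the bookmarklet embeds the master password itself.
function embedPlain(master) { return master; }
// Design B (the proposal in this issue): it embeds H(master).
function embedHashed(master) { return sha256Hex(master); }

// Constructed sample values.
const MASTER = 'correct horse battery staple';
const DOMAINS = ['example.com', 'example.org'];

// In either design, whoever reads the bookmarklet source holds `embedded`
// and gets the same site passwords as the owner, so the embedded value is
// password-equivalent whether or not it was hashed first.
function readerMatchesOwner(embed) {
  const embedded = embed(MASTER);             // what the source reveals
  return DOMAINS.every(d =>
    sitePassword(embedded, d) === sitePassword(embed(MASTER), d));
}

// The one difference: design B's source does not contain the master text.
function sourceContainsMaster(embed) {
  return embed(MASTER).includes(MASTER);
}

console.log('A:', readerMatchesOwner(embedPlain), sourceContainsMaster(embedPlain));
console.log('B:', readerMatchesOwner(embedHashed), sourceContainsMaster(embedHashed));
```

Design B changes every generated password relative to design A, which is the breaking change mentioned in the first comment.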