Closed waldyrious closed 10 years ago
Well, actually the only reason to hash it is to prevent someone who gets access to the bookmarklet code from getting the master password, but since it's the hash that would be used to generate the site-specific passwords anyway, it would amount to the same security as before. The only advantage would be that the attacker couldn't get any potential info about the user from their choice of password. Thus, given that this would be a breaking change without any actual security advantage, I'll abandon the idea and close the issue for now.
So it's safe to store, and more convenient (one-click) to use. This means the final hash will have to be based on the hashed master password plus the domain; that will invalidate current passwords, so this is a breaking change. The good thing is HMP hasn't been released so hopefully nobody is using it yet :D
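To make the argument in the two comments above concrete, here is an added example (not HMP's own code): the hash construction, the `master:domain` layout and the sample values are assumptions. It shows that the proposed scheme breaks existing passwords, and that whoever holds the stored hash can derive every site password, so pre-hashing gains nothing beyond hiding the master password's wording.

```python
import hashlib

# Constructed sample values for the demonstration (not from the issue).
MASTER = "correct horse battery staple"
DOMAINS = ["example.com", "example.org", "example.net"]


def site_password_direct(master: str, domain: str) -> str:
    """Current scheme (assumed): derive from master password plus domain."""
    return hashlib.sha256(f"{master}:{domain}".encode()).hexdigest()[:16]


def stored_secret(master: str) -> str:
    """What the proposed change would embed in the bookmarklet instead of
    the master password: a plain hash of it."""
    return hashlib.sha256(master.encode()).hexdigest()


def site_password_prehashed(stored: str, domain: str) -> str:
    """Proposed scheme: derive from the stored hash plus domain."""
    return hashlib.sha256(f"{stored}:{domain}".encode()).hexdigest()[:16]


def is_breaking_change(master: str, domain: str) -> bool:
    """True when the proposed scheme yields a different site password than
    the current one, i.e. existing passwords would be invalidated."""
    return site_password_direct(master, domain) != site_password_prehashed(
        stored_secret(master), domain
    )


def derive_all(stored: str, domains: list[str]) -> list[str]:
    """Anyone holding only the stored hash (no master password needed)
    reproduces every site password; the hash is an equivalent secret."""
    return [site_password_prehashed(stored, d) for d in domains]


def user_passwords(master: str, domains: list[str]) -> list[str]:
    """The legitimate user's passwords under the proposed scheme."""
    return derive_all(stored_secret(master), domains)
```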