I have been using KeePass as my password manager for years and while it gets the job done, browser integration with Firefox is minimal to non-existent. Spending so much time in Firefox, I started thinking it would be nice to be able to manage my passwords without leaving the browser. Having Firefox remember my passwords was not an option.

I know I am late to the party, but about a week ago I came across Collin Jackson’s PwdHash Firefox extension. I was familiar with password hashing as a way to manage passwords, but until now I never had the urge to try it. Already comfortable with the concept of using a master password and not memorizing my randomly generated individual site passwords, PwdHash seemed to be exactly what I was looking for.

So I installed it and went to a web site to test it out, only to realize that the only indication PwdHash is protecting your password is a very subtle, almost unnoticeable change in the obscured password length. With no obvious indication that PwdHash is active, it is easy to imagine a scenario where an unhashed master password could be sent to a website, negating the supposed security benefit of using a password manager. I later found my concern had been confirmed in ‘A Usability Study and Critique of Two Password Managers’ by Chiasson, et al.

So I set out to modify the extension to provide a PwdHash activity indicator. Looking at the code, I found that the author had included some provisions for just such an indicator but did not enable them. In the comments he implied that having the indicators visible could be a security risk. IMO many things in life are risk vs. benefit, so I went ahead and added code to enable the indicators by default and provided an option to hide them if desired. I emailed Collin and asked him to review my modifications for inclusion in a new version of the PwdHash extension, but he has not yet responded. Since the add-on has not been updated since 2009, I am wondering if he has lost interest in the project. At any rate, I am really enjoying my upgraded version of PwdHash, especially compared with the complexity and cluttered user interfaces of similar extensions on the Firefox Add-ons site.

UPDATE: Since I received no response from the author of the PwdHash extension, I forked it and submitted my new version to for review. I will post here if and when it is approved.