I have been using KeePass as my password manager for years, and while it gets the job done, browser integration with Firefox is minimal to non-existent. Spending so much time in Firefox, I started thinking it would be nice to be able to manage my passwords without leaving the browser. Having Firefox remember my passwords was not an option. I know I am late to the party, but about a week ago I came across Collin Jackson’s PwdHash Firefox extension. I was familiar with password hashing as a way to manage passwords, but until now I never had the urge to try it. Already comfortable with the concept of using a master password and not memorizing my randomly generated individual site passwords, PwdHash seemed to be exactly what I was looking for. So I installed it and went to a web site to test it out, only to realize that the only indication PwdHash is protecting your password is a very subtle, almost unnoticeable change in the obscured password length. With no obvious indication that PwdHash is active, it is easy to imagine a scenario where an unhashed master password could be sent to a website, negating the supposed security benefit of using a password manager. I later found my concern had been confirmed in ‘A Usability Study and Critique of Two Password Managers’ by Chiasson et al.
So I set out to modify the extension to provide a PwdHash activity indicator. Looking at the code, I found that the author had included some provisions for just such an indicator but did not enable them. In the comments he implied that having the indicators visible could be a security risk. IMO many things in life are risk vs. benefit, so I went ahead and added code to enable the indicators by default and provided an option to hide them if desired. I emailed Collin and asked him to review my modifications for inclusion in a new version of the PwdHash extension, but he has not yet responded. Since the add-on has not been updated since 2009, I am wondering if he has lost interest in the project. At any rate, I am really enjoying my upgraded version of PwdHash, especially compared with the complexity and cluttered user interfaces of similar extensions on the Firefox Add-ons site.
UPDATE: Since I received no response from the author of the PwdHash extension, I forked it and submitted my new version to https://addons.mozilla.org for review. I will post here if and when it is approved.