
PwdHash

Posted Oct 12, 2011 9:41 UTC (Wed) by bjartur (guest, #67801)
In reply to: PwdHash by tialaramex
Parent article: WineHQ database compromised

But note that this can't be done by default, as it would break the killer-feature of HTTP and cookie authentication: allowing you to walk to any public terminal and start reading lwn. Terribly insecure, considering how easy it is to log keypresses on public terminals, but convenient. There was a discussion on the WHATWG ML about allowing sites to request client-side hashing of passwords with a standardized-on hashing algorithm, or in other words, to allow sites to tell your friend's user agent how to hash your password. Maybe you'd like to participate in the discussion?

Disclaimer: I unsubscribed from the list minutes ago.



PwdHash

Posted Oct 12, 2011 12:13 UTC (Wed) by epa (subscriber, #39769)

> But note that this can't be done by default, as it would break the killer-feature of HTTP and cookie authentication: allowing you to walk to any public terminal and start reading lwn.

Why not? The hash is based on the password entered and the domain name of the site - no information specific to the local machine is used. So it would give the same hash no matter what computer you sat down at.

PwdHash

Posted Oct 12, 2011 12:46 UTC (Wed) by tialaramex (subscriber, #21167)

Indeed. I have actually done this, using pwdhash.com to generate the necessary input since I lacked the browser extension that does it for me at home. You can also get software to run on your smart phone that spits out the hashed password, and it doesn't need to be very smart, mobile Java that can do mOTP or currency conversion is enough CPU power and UI capability for this problem.

There are lots of ways this stuff could be smarter or better, but PwdHash does seem like a pretty good stop gap for the foreseeable future.
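
The property discussed in this thread, a per-site password computed only from the master password and the site's domain name, as an added example that is not part of any comment above and is not PwdHash's own code. HMAC-SHA256, the base64 output format, the 16-character length and the names `site_key` and `site_password` are assumptions of this sketch, not PwdHash's actual algorithm.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a login URL to the host name used as hash input.

    Scheme, port, path, letter case and a trailing dot are dropped so the
    same site always yields the same key, however the URL was typed.
    Assumption: the full host name is used; a real tool must also decide
    how subdomains of one site are treated.
    """
    host = urlsplit(url if "//" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.rstrip(".").lower()


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password sent to one site.

    Inputs are the master password and the site's host name only: nothing
    from the local machine, so any computer or phone gives the same result.
    """
    if not master:
        raise ValueError("empty master password")
    mac = hmac.new(master.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    # URL-safe base64 keeps the output typeable in a password field.
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for url in ("https://lwn.net/login", "LWN.net", "https://winehq.org/"):
        print(f"{url:24} -> {site_password(master, url)}")
```

A site that stores or leaks the derived value holds a different string from the one any other site received, although a weak master password can still be guessed offline from it.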

