Reply to post: Re: We need a browser extension...

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Bill Gray

Re: We need a browser extension...

@Charles9 : If hackers can attack the browser, they can log keystrokes. The solution I propose is not a panacea; the only things it really addresses are removing site-specific limits on passwords and ensuring that sites never see an unhashed password. As a result, they cannot lose an unhashed password, something they currently do routinely. If the hash is salted -- you'd hope this would be a no-brainer -- then anything you lose can only be used on that one site, so it provides some security against password re-use.

Another solution to this, less browser-specific, is for sites to provide pages with a bit of Javascript to hash the password before it's sent. (This has actually been implemented; examples are available on Stack Overflow.) It provides almost exactly the same protection, and it doesn't lash you to a single browser, but does require the site in question to implement it.

This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019