JavaScript keystroke logging can mean that even if the user never submits the form (after seeing the alert), the evil site gets the password anyway. This is presumably why the addon suggests users change their password even if the form hasn't been submitted.
This issue could be avoided, in some cases at least, for users whose passwords are sufficiently long and sufficiently random, by storing a hash of the first half of the password instead of the entire thing, and warning immediately after the first half is typed. That way, the attacker could get half the password using keylogging - but half of a random password isn't the whole thing, and it means that an immediate attack couldn't be mounted, as the attacker would have to brute-force the other half. That gives the user time to change their password without worry.
This wouldn't need any extra UI; you could analyse the user's Google password for entropy and length to decide whether to enable this mode.
adhintz changed the title from "Better protection against JS keylogging" to "Alert when the user has typed part of their password" on May 4, 2015