undefined | Better HN

0 pointsdsp12349y ago0 comments

Shower Thought:

Why doesn't the browser hash the inputs for all password fields, then compare them when attempting to submit a form, and alert the user that they are doing something insecure?

0 comments

jayd169y ago

Besides issues like requiring javascript or something, its usually not a useful step. The hash of the password can be stolen just as easily as the password itself. You've just made a new password.

If you salt the password with the url, all you've done is made a unique password per website which is what you were supposed to be doing anyway.

dsp1234OP9y ago

The point was for the browser to warn the end user about password re-use.

The browser doesn't need javascript to see the contents of a password field, or to show an indicator in the browser's chrome. It's the browser.

If you salt the password with the url, all you've done is made a unique password per website which is what you were supposed to be doing anyway.

Note that browsers can already store password lists (ex: Chrome settings, search manage passwords). There would just be an extra step to compare those passwords together.

geofft9y ago

Because my passwords for google.com, gmail.com, youtube.com, and google.co.uk are exactly the same, and the browser has no way of knowing that that's okay.

(Google specifically has probably rerouted everything through google.com these days, but the general problem exists.)

nickik9y ago

Its a real problem, in the new anti-phishing protocols (U2F/UAF) have some ideas.

The Web Origin Concept - https://tools.ietf.org/html/rfc6454

The also require the server to provide a list of Origins that are valid for the protocol, if the domain your logging into is not in the list, the challenge of the server will not be signed. Its called AppID in the protocol.

See: https://fidoalliance.org/download/

austinsharp9y ago

I have this exact problem with LastPass. One of my few pain points with it.

tempestn9y ago

You can define equivalent domains in LastPass to solve that.

1 more reply

peeters9y ago

Wouldn't that essentially give an attacker a nice list of websites where the user uses the same credentials?

ufmace9y ago

Sounds kind of rube-goldberg-y compared to automatically generating and managing a unique password for every site.

flukus9y ago

Probably not a bad idea. But at that point you're fighting human nature.

j / k navigate · click thread line to collapse