by sliken 2708 days ago
Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.

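A local implementation of the approach described above (passwords exported to a file, SHA-1 computed on your own machine, only the first 5 hex characters leave it), added here as an example; it is not code from the thread or from the site being discussed. The service lookup is a constructed offline stand-in, and its "SUFFIX:COUNT" format and counts are assumptions, not the real API.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

PREFIX_LEN = 5  # the thread says the site takes the first 5 hex characters of the SHA


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the plaintext, computed locally and never sent in full."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest_hex: str) -> Tuple[str, str]:
    """Split a digest into the short prefix that leaves the machine and the suffix that stays."""
    return digest_hex[:PREFIX_LEN], digest_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (constructed response format, an assumption for this example)."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


# Constructed stand-in for the remote service: maps a 5-char prefix to a response body.
# Nothing is contacted over the network; the counts are made-up sample data.
CONSTRUCTED_SERVICE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "0000000000000000000000000000000000A:2\n",
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:678\n",
}


def lookup_prefix(prefix: str) -> Dict[str, int]:
    """Return the suffix table for a prefix (here from constructed data, not a real service)."""
    return parse_range_response(CONSTRUCTED_SERVICE.get(prefix, ""))


def breach_count(password: str, lookup: Callable[[str], Dict[str, int]] = lookup_prefix) -> int:
    """How often the password appears in the dataset, disclosing only the 5-char prefix."""
    prefix, suffix = split_digest(sha1_hex(password))
    return lookup(prefix).get(suffix, 0)  # suffix comparison happens locally


def check_password_file(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Check each non-empty line of an exported file; report (prefix, count), never the plaintext."""
    results = []
    for raw in lines:
        pw = raw.rstrip("\n")
        if pw:
            results.append((split_digest(sha1_hex(pw))[0], breach_count(pw)))
    return results
```

To use it against a real export, pass `open("passwords.txt")` to `check_password_file` and swap `lookup_prefix` for a function that fetches the range for the prefix from whichever service you have decided to trust.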

Not trying to be a pedant, but wouldn’t “[...]it’s far from clear[...]” be (more?) correct?

If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.

I completely agree. Maybe this was the mental model:

    far from unclear           unclear      clear   far from unclear
          ^                                               ^
          |                                               |
          -------------------------------------------------
Heh, sure, "far from clear" is what I meant to say.

It would take substantial time, expertise, and effort to audit that single web page. Even then any of the numerous pieces could change at any time.

So the risk is high, especially for something you are putting trusted passwords into.