by Lagged2Death
5642 days ago
There's a thread on StackOverflow about the safety of SuperGenPass: http://stackoverflow.com/questions/554224/is-the-bookmarklet...

I thought the criticisms by "Mike" were pretty convincing, although I'm not an expert in software security or cryptography.

Starting with the source of a simpler JavaScript password generator: http://www.angel.net/~nic/passwdlet.domain.html

I did a little noodling around and found it's perfectly practical to use even several thousand iterations of a newer hash algorithm (SHA2-256) to produce passwords, rather than a few dozen iterations of an obsolete one. That should address some of the cryptographic concerns.

It's also perfectly possible for the script to accept the master password through a JavaScript popup rather than from a text box inserted into the current page. That should address concerns about a "malicious webmaster" type attack.

So some of the most important criticisms of SuperGenPass (which is undeniably very slick and pleasant to use) are at least addressable.