> I posted the password "asdf" to their form. I then watched the AJAX
> request (which because it happens client side is unencrypted before
> transmission) ... and you know what they are sending to their servers?
> THE HASHED PASSWORD. It's not like it's hard to SHA1 a string in
> JavaScript.
> So they send the hash to the server, check the list of "known bad hashes"
> (which is what the hackers have published) and tell you if your password
> hash matches a known compromised hash.
Yup. And the typical user isn't equipped to do any of that research, so
they can't know that.
> It's really about as safe as you can possibly imagine and a great tool.
> Yes, we should be careful about inputting passwords onto strange sites,
> but you should also do your due diligence and check if the site might
> actually be legit.
My point is exactly "we should be careful about inputting passwords onto
strange sites". Given the ability of the typical user to actually
analyze the site, or for that matter evaluate the trustworthiness of the
site operator's staff, there's exactly one way to "be careful".
But of course I'm just pissing into the wind.
De