Thierry

About me

Developer Information
Name Thierry
User since Jan. 26, 2010
Number of add-ons developed 0 add-ons
Average rating of developer's add-ons Not yet rated

My Reviews

Hash Password Generator

Rated 3 out of 5 stars

Works as advertised.

I was a long-time user of SuperGenPass in its applet version (with the security problem that some JavaScript can steal the secret master password).

#1 Hash Password Generator can solve this security issue of the original SuperGenPass, I think.

I hope the function "verify the password" works with a hash and the password is never stored in clear.

Some suggestions to improve #1 Hash Password Generator:

1: The verify password should verify against a list of valid passwords and not only one, in case we have more than one master password (i.e. more than one user, or for extra-safety reasons).

2: The verify password should verify on the "on change" event of the edit box and change the color to green when the password is OK, so we can know the password is OK before trying to submit it, for more convenience.

3: Username, email, and settings should be relative to the master password. I mean, if we create more than one master password, for each master password a hash of this password is stored for the validity check. When the validity check with the hash is successful, the software can retrieve the corresponding username, email, and settings (length of generated password, algorithm) for THIS master password.

4: For the function "remember password for session", in the case of many master passwords, we can imagine checking the username / email to select the right one, and if more than one master password meets the conditions, letting the user choose from a list of master passwords. The password can be shown in clear (this "remember" function memorizes the password in clear) or by a name given to the master password.

5: If the option "verify password" is not checked, all these functions cannot be done (the hash cannot be stored if the user doesn't want the verify password check, as this stored hash reduces the safety in case of a local brute force attack. By the way, when the option "verify password" is checked, the minimal required length of the master password should be increased to at least 15 and a warning should inform the user that the master password should be very strong).

6: If the option "verify password" is not checked, maybe it's possible to imagine storing a hash of only a few chars of the master password (for example the first and last char): enough chars to differentiate one master password from the other, to retrieve the right username, email and settings, but not too many, so as not to compromise the security (a very simple brute force attack will retrieve these 2 chars).

Thanks for your addon.

This review is for a previous version of the add-on (0.3.2).