I think if you're trying to address reused passwords harvested via website compromise this is indeed effective.
I was thinking it could also be leveraged to work against domain
spoofing attacks as well and without a resilient UI it is not very
effective at this as an attacker (phisher) could build a website with a
look-alike site and address bar and have the user enter their password
into the form (or script) while bypassing the PwdHash technology.
But that's true of a site spoofing any browser UI, including the master password dialog. So, we have to design our UI to make it clear what is content and what is chrome.
Gerv

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
