Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Update SECURITY.md
  • Loading branch information
adhintz committed Apr 29, 2015
1 parent b41e679 commit 2903896
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions SECURITY.md
@@ -1,5 +1,3 @@


## Data is kept locally
Password hashes are kept locally and never sent anywhere. A 37-bit, salted SHA-1 of the password is kept in localStorage.

Expand All @@ -11,7 +9,7 @@ One attack idea is for a malicious page to generate fake keystrokes and then wat

1. We discard keyboardEvents that appear to be generated by JavaScript on the page instead of a real user typing. For example, in [chrome/content_script.js](chrome/content_script.js) passwordalert.handleKeypress_() see the checks for .view and .timeStamp.

2. The background page limits key press events to a somewhat human speed. Anything over the limit is silently discarded. For the code, see [chrome/background.js](chrome/background.js) passwordalert.background.checkRateLimit_()
2. The background page limits password checks to a somewhat human speed. Anything over the limit is silently discarded. For the code, see [chrome/background.js](chrome/background.js) passwordalert.background.checkRateLimit_()

3. Saving only 37 bits of the hash intentionally creates collisions. A straight-forward brute force of the hash would result in 10 million+ collisions for a 10 character password, depending on your character space. An attacker would need to pick out the correct password from this list. The value 37 bits was chosen to be rare enough that the collisions would essentially never happen during normal typing, but common enough to cause collisions in brute-forcing. Normal typing would cause a false positive approximately every 10k+ years of regular typing.

Expand Down

0 comments on commit 2903896

Please sign in to comment.