The issue I see is that the scheme relies on a trusted input mechanism that is triggered by user action on a webpage.
Say I use this scheme to register at a website (ie create the initial password at the site by having the browser generate an initial password per the PwdHash scheme). Now when I use another computer or browser which supports the same PwdHash technique I will have to enter the same master-password to log-in. How does I know that the dialog/pop-up is part of the local software and not the remote site? _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security