Identity/Watchdog/Password Reuse Visualizer

From MozillaWiki
< Identity‎ | Watchdog
Revision as of 05:28, 29 February 2012 by Psawaya (talk | contribs) ([whoops])
Jump to navigation Jump to search

Password Reuse Visualizer

Features

This add-on adds a small green padlock icon to the add-on bar. Upon clicking, it opens a new page with a graph visualization on it.

The graph visualization is generated with data from nsiLoginManager. It's a force directed graph visualization, as seen below. The green nodes represent each individual password in the Firefox profile. The blue nodes represent individual websites that those passwords (green nodes) are used on. Orange nodes serve as "notifications" that two green nodes (again, passwords) connected are very similar.

Hovering over a blue node with the mouse displays the name of the website in question. Hovering over a green node displays a password's visual hash. Clicking on a green node prompts the user with a confirm dialog. If the user clicks "OK", their password is displayed on screen.

Screenshot

Screen shot 2012-01-18 at 1.21.08 AM.png

Implementation

The visualization is rendered using a SVG canvas and the d3.js library. It's a force directed graph visualization, which automatically organizes itself. Individual nodes can be dragged, and the entire graph will respond. Password similarity is calculated via edit distance.

Unfortunately, the force directed graph doesn't scale up well to a large number of nodes. The fact that password similarity among n passwords often leads to n^2 edges in the graph further complicates things. Future updates could address this problem by only displaying a certain number of passwords on screen at once, changing the way password similarity is expressed, or (a more extreme approach) use an entirely different graph engine.

This add-on requires data from nsiLoginManager to function. Although the code is fairly modular, Google Chrome does not offer user password data to browser extensions, so this add-on is not portable. [1]

The source code is available on Github. [2]

Security Concerns

This add-on saves nothing to disk, so there is no risk of unencrypted login information leaking out to the user. The password manager will prompt the user for a master password before passing password data onto the add-on, so that security is not compromised.

However, some users seemed unaware of the way the password manager and master passwords work, and expressed concern that this add-on could give someone using their Firefox profile access to their passwords. Of course, that information is already accessible via Preferences, but it is possible that this add-on makes this information more discoverable, as many users were unaware of the Saved passwords pane in Preferences.

Password reuse data, even if unaccompanied by actual passwords or password hashes, can be of use to attackers. This add-on does not yet transmit that data in any form. Future versions may make it possible to publish screenshots of password reuse, however these screenshots contain no sensitive information.

This add-on also makes use of visual hashing, so those same security concerns apply.

Retrieved from "https://wiki.allizom.org/index.php?title=Identity/Watchdog/Password_Reuse_Visualizer&oldid=402231"