Password levels

Password levels

Georg
I propose to add a note to the FAQ/Docs that it might be a wise idea to use
different master passwords for sites of different security levels
i.e. a different one for
{i-dont-care-websites},
{mailinglists, normal websites that just make you register, toy social websites},
{important social websites(}, {)email websites(}).

I'm still afraid of JavaScript master-password-spying attacks though
(they *are* possible, right? Could NoScript help, e.g. by delaying the
activation of domain JS until the SuperGenPass JS is finished?).

And of course, for *really* important websites (banking,...) I still use non-automated
passwords that are only entered after typing in the https:// URL directly (to avoid MITM),
cert checking, etc. On the plus side they are very few ;-)

Have a nice day!
Re: Password levels

ChrisSGP
Administrator
Good proposal, I will try to work it in.

It has been proposed that a JavaScript-based attack could traverse the DOM or redefine important methods and recover your master password. This is possible, though no such malicious attacks have ever been reported. However, you are correct that use of NoScript would obviate these attacks.

NoScript would block JavaScript execution on any untrusted website while allowing the implicitly trusted SGP code to run. However, the block must be total, not just a delay. Running untrusted code after you run SGP could result in such an attack.