PasswordMaker 0.6.1 beta2 available

[Eric H. Jung]

Download here.

Would love to hear feedback on the user-interface.

-Eric

[quixin]

If I upgrade from 0.6, will I get the same generated passwords with SHA-256?

[edit]

Nevermind, I read the beta page.  :)

[Guest]

Eric,

I've just installed bet 0.62. Here is my take after expermenting briefy:


1. User Interface

The UI works and had I not seen the previous version I'd probably say it's good. However... I very much prefer the way it was in 0.60. The need to click an extra button (Account Settings) and the lack of "live" password, make the current UI a bit less sleek IMO.

My guess is that you knew all that, but you had to change the UI in order to work around  the bug I described in a previous post (settings copied between accounts). If that is indeed the case, then of course I'll just have to live with it - and once again the current UI isn't bad, just somwhat less convenient.


2. Character range option

First of all - Great! I know I may be nit picking, but it still doesn't solve the problem with on-line banking sites. Some of them require the password to start with a letter and/or require (at periodic password change) that a password won't contain the same character in the same position as in a previous password. I would like to suggest two ideas that may help against such sites as well:

* Prepend counter to generated password - This way I can use an alphanumeric counter (A, B, C, D, ...), and have a unique password which always begins with a character.

* Provide alternate character range - Add another character range, and use the counter to switch between them. For example use the last bit of the last char in the counter, as a toggle: 0 = first character range, 1 = second character range. This way I can ensure that on each increment of the counter the range will toggle.

* Alternative suggestions - Instead of implementing the two above, you may add an option to prepend the counter but NOT use it in the hash (ie. the password remains the same). This way I can use a series of "counters" that always change the positions of the other characters in the password. For example: A[+password], BA[+password], CBA[+password], DCBA[+password], etc.


3. SHA-256 & RIPEMD-160
I read the beta notes that they are currently broken, but maybe this bit will help: Passwords generated with one of those hashes tend to contain many times the fourth character in the range. For example in the default range (0..F) the fourth character is 3 - and the passwords contain many threes. I tested with other character ranges and always the fourth character seems to take over.


HTH,

EZ.

[Eric H. Jung]

Hi E.Z.,
This is the third time I've typed a reply, so forgive me if it's short. The other two times I accidentally closed the browser and lost everything.

The need to click an extra button (Account Settings)

What if double-clicking on an account automatically opened the Account Settings dialog? Would that help? The only thing is you'd no longer be able to open/close folders by double-clicking on them. You'd have to open/close folders only with the +/- symbols.

the lack of "live" password make the current UI a bit less sleek IMO.

I'm sure you saw the live password on the Advanced Settings dialog, but you're right, it's not on the Account Settings dialog. I can add it there so it exists in both places.

I know I may be nit picking, but it still doesn't solve the problem with on-line banking sites

I know. Baby steps. My first goal was to support any/all characters. I will definitely add your Alternative Suggestion to PasswordMaker. Tyrantmizer just requested the same thing.

Passwords generated with one of those hashes tend to contain many times the fourth character in the range

Thanks, yes, I'm aware of this. It's being worked on.

Regards,
-Eric

[E.Z]

Eric,

I'm sure you saw the live password on the Advanced Settings dialog, but you're right, it's not on the Account Settings dialog. I can add it there so it exists in both places.

When I'm in the Account Settings dialog, the password (in the main window) doesn't change until I click OK to close the dialog. Previously when I changed any of the settings, such as l33t level or password length, the password reflected the change immediately.

Maybe it isn't that important for straightforward usage, but when testing and checking it's more cumbersome to go back and forth between the main window and the settings dialog (ie. click Account Settings, make some changes, click OK, check new password, click Account Settings, etc.)

I know. Baby steps. My first goal was to support any/all characters. I will definitely add your Alternative Suggestion to PasswordMaker. Tyrantmizer just requested the same thing.

I think that his suggestion is better. Leave the counter alone and add a string that will be prepended to the generated password. I'm not sure I see a need for append string as well, but if it doesn't cost anything...

And there's still the "additional field" feature - some site require another identification besideds name/password, such as email address or account number. I mentioned it in a previous post. But I don't expect everything to be on the next beta, I just post my ideas for reference, otherwise I may forget them myself...

Regards,

EZ.

[Eric H. Jung]

but when testing and checking it's more cumbersome to go back and forth between the main window and the settings dialog

Yes, I know, so I asked would it be helpful if I added the password preview to the Account Settings dialog? Please let me know.

some site require another identification besideds name/password, such as email address or account number

Two questions: (1) Should PM generate this value or must user define it? (2) How to populate the field? With right-mouse click or something else?

thanks,
eric

[E.Z]

Eric,

Yes, I know, so I asked would it be helpful if I added the password preview to the Account Settings dialog? Please let me know.

Sorry I didn't answer this question and the one in the previous post. Here:

1. I think a double-click to open accoutn settings will mitigate some of the inconvenience. I don't mind losing the ability to expand/collapse on double-click, but I'm sure it's a matter of taste and habit, so other people might object. I think it will be better also to leave the button in place, as some people might not know to double-click, so the button will ofer them a visual cue.

2. Dynamic password in the settings dialog will be great.

Two questions: (1) Should PM generate this value or must user define it? (2) How to populate the field? With right-mouse click or something else?

1. The value is user defined. However not only the value, but also the name of the form field that should be populated with the value. So you need to add a pair of user strings, one for the field name and the other for the field value. Examples of usage:

For a site that requires email identification -
Field name:  email    
Field value:  [email protected]

For bank site that requires account number -
Field name:  acctid
Field value:  712367/45

I think that a single pair of name/value should be enough. I have never seen any site that requires more than 3 fields (user/password/extra-id), and I can't think of any reason to require additional fields.

2. The field should be populated with the user/password fields, either if auto-populate is turned on, or on right-click.

Regards,

Eyal.

[Eric H. Jung]

Got it.

Thanks for clarifying. I can add those; just give me time.

[Guest]

SHA-256 and RIPEMD-160 are still not generating the same passwords as previous versions.

Eric, would it be possible to add a 'legacy' button to beta 2, such that when this is checked, the two hash algrithms referred to in my quote will generate the same passwords as previous releases of PM ?

I realize that you are having difficulties getting them to work in the latest two beta versions, but adding this 'legacy' button, will make PM downward compatible.  Then, when you get them to match, this buton can just disappear.

Being a programmer myself, I recognize how difficult it can be at times to track down even the smallest error.

Thanks again for a great extension.

[Eric H. Jung]

Hi E.Z. (looks like you didn't login before posting :)),

would it be possible to add a 'legacy' button to beta 2, such that when this is checked, the two hash algrithms referred to in my quote will generate the same passwords as previous releases of PM ?

How about I just make it so that, if you select one of these two algorithms, the Characters aren't changable and the old algorithms are automatically used. No button necessary then.

I really would rather not release the extension until the other two algorithms are fixed. Paul Johnston just wrote to me yesterday saying he'll work on them the end of this week.

Is there a reason you want the release to be issued even with these bugs, or will solution above suffice?

[Romeo]

How about I just make it so that, if you select one of these two algorithms, the Characters aren't changable and the old algorithms are automatically used. No button necessary then.

That would work, but when you say

I really would rather not release the extension until the other two algorithms are fixed

that makes a lot of sense.

Is there a reason you want the release to be issued even with these bugs, or will solution above suffice?

There is no special reason, it's just that I would like to see the new version in action, without having to convert some of the sites I use to a different hash algorithm and there is one site in particular for which I am using the workaround of just adding an upper case character manually.  So yes, the above mentioned solution would suffice.

But, of course, you are the one doing all this great work and it is totally up to you what you decide.  I can wait.

[E.Z]

Hi E.Z. (looks like you didn't login before posting)

That wasn't me!

EZ

[Eric H. Jung]

Sorry EZ!!

Hi Romeo,

There is no special reason, it's just that I would like to see the new version in action, without having to convert some of the sites I use to a different hash algorithm and there is one site in particular for which I am using the workaround of just adding an upper case character manually. So yes, the above mentioned solution would suffice.

I completely understand. In the meantime, I think you'll find the new beta 3 can help you. It has password prefix/suffix capabilities. This means you no longer need to manually add the upper-case character.

I haven't forgotten the other request re: the button. It's just that I'd rather spend time on features that add value instead of ones which eventually will be removed. Let's see how much longer for those hash algorithms to be fixed... if it goes past July 8, I will release PasswordMaker 0.6.1 final with the "fix" above (SHA-256 and RIPEMD-160 use fixed character set 0123456789abcdef)

Regards,
Eric

[Romeo]

I completely understand. In the meantime, I think you'll find the new beta 3 can help you. It has password prefix/suffix capabilities. This means you no longer need to manually add the upper-case character.

You are correct.  Beta 3 works great.  Regarding SHA-256, you do have a way to limit the character set in this release.  Not that it makes a difference to me anymore, as I did convert all my accounts to a different hashing scheme.

[Eric H. Jung]

Hi Romeo,

Being a programmer myself, I recognize how difficult it can be at times to track down even the smallest error

What kind of programmer are you?

-Eric