Simplified Master Password Hash Options GUI

[tanstaafl]

Ok, after thinking about this some, here's what I propose... (and here's a mock-up of how this could look):



It is just a huge simplification of what is there now, but requires some scripting to be dynamic. I think the resulting simplified interface is worth it - although admittedly I have no idea how much work it is.

Details:

1. Display the 'Calculated URL' at the top...

2. Change the 'Using URL' to 'Using text' (for consistency sake)...

3. Add the name of the current Account below the 'Copy Generated Password' line...

4. The different possible Status values are 'UnStored', 'Matches' 'Doesn't Match'...

5. Reduce the Hash Status/Buttons to a single button that dynamically changes between 'Store' and 'Replace', depending on whether a Hash has already been stored...

6. If you want it on this window, change the 'Store the MPW Hash for all accounts' to a simple checkbox option beneath the Hash Status line that, if enabled, stores the current MPW Hash for the Default account and then simply enables a pointer to this Hash for all other accounts (rather than actually storing a copy of the Hash for each account)....

By the way, why was this called 'fingerprint' instead of 'hash'? I'm guessing it was for the benefit of non-programmers? If so, I don't think it helps. Newbies will still have to have this explained to them. With that in mind, I really think it should be referred to properly - hash - and just explain what a 'hash' is in the Help/Tip...

[tanstaafl]

Ok, wasn't thinking clearly with respect to item #1 in the list. Also, I think the 'Selected Account' should go down just above the 'Master Password Hash Status' line... I'll update the pic later when I get to the office.

Of course we don't want to lose this feature - I was thinking that the ability to store the MPW HASH for an account accomplished the same thing but of course it doesn't.

--- edit
Sorry - I edited the main FR above, so the current 'Item #1' doesn't reflect what I'm talking about here...

I was talking about whether or not we should lose the 'Store Master Password On Disk/In Memory' option, incorrectly thinking that it would be replaceable by the 'Store MPW Hash' feature...

--- end edit

However, I think the behavior needs to be changed a little...

First, a question: since storing the HASH is safer, will PWM still supply the correct generated password if this is changed to 'Store Master Password Hash [in memory][on disk]? I don't think it will, so, that only leaves the behavior when the HASH of the stored Master Password doesn't match the stored HASH of a matched account.

I'd like to see this behavior modified so that, instead of populating the username and incorrect password - like it does now - PWM should display the MPW prompt window, with a little notification to this effect, and offer to let you re-enter the MPW (aka enter a different MPW. There should also be a checkbox - unchecked by default - that would allow you to replace the Master Password that is currently stored [in memory][on disk] with this new one...

Of course, the current behavior would still apply for accounts that do not have a stored HASH to compare.

[Eric H. Jung]

It turns out all Teo was trying to do was merge the Basic and Advanced Options into a single file (not a single interface). He's not redesigning the Options screens as we thought (thank god!!)

By the way, why was this called 'fingerprint' instead of 'hash'? I'm guessing it was this for the benefit of non-programmers? I really think it should be referred to properly - hash - and just explain what a 'hash' is in the Help/Tip... but what its called is not a biggie.

Yes, it was for non-programmers.

As for your other items, please split them into a new topic and make them an FRL. This is getting to be a huge effort.

[tanstaafl]

First, a question: since storing the HASH is safer, will PWM still supply the correct generated password if this is changed to 'Store Master Password Hash [in memory][on disk]?

Anyone?

I don't think it will, so, that only leaves the behavior when the HASH of the stored Master Password doesn't match the stored HASH of a matched account.

I'd like to see this behavior modified so that, instead of populating the username and incorrect password - like it does now - PWM should display the MPW prompt window, with a little notification to this effect, and offer to let you re-enter the MPW (aka enter a different MPW. There should also be a checkbox - unchecked by default - that would allow you to replace the Master Password that is currently stored [in memory][on disk] with this new one...

Of course, the current behavior would still apply for accounts that do not have a stored HASH to compare.

Agree? Disagree? Ambivalent?

[tanstaafl]

It turns out all Teo was trying to do was merge the Basic and Advanced Options into a single file (not a single interface). He's not redesigning the Options screens as we thought (thank god!!)

I don't really see this as a bad thing... especially now, with the addition of the ability to save the Hash...

As for your other items, please split them into a new topic and make them an FRL. This is getting to be a huge effort.

Sorry... and I really do wish I could help with the programming as opposed to just making suggestions that just mean more work for you.

Is John still around? Maybe he could take this on?

What do you think of my idea for simplifying the 'Save MPW Hash' part of the GUI? Do you at least see where I'm going with it?

[tanstaafl]

What do you think of my idea for simplifying the 'Save MPW Hash' part of the GUI? Do you at least see where I'm going with it?

And maybe you didn't notice - I update the Image in the first post of this thread - please make sure you have seen the most recent version...

[tanstaafl]

Hmmm...

No responses to any of my posts on this, or the new basic/advanced security model as described here in many days...

Did I offend? 

[tanstaafl]

Hmmm...

No responses to any of my posts on this (Simplified Options GUI), or the new basic/advanced security model as described here in many days...

Did I offend? 

I guess so... 

[Eric H. Jung]

Sorry for the lack of a response. Long posts and emails are harder to follow-up on than shorter ones because they're a lot bigger time investment for me.

1. Display the 'Calculated URL' at the top...

Looks like you changed your mind on this in the 2nd post to this thread. Good

2. Change the 'Using URL' to 'Using text' (for consistency sake)...

Done.

3. Add the name of the current Account below the 'Copy Generated Password' line...

I don't think this is necessary since the selected account appears very clearly in the accounts tree. I did, however, make the "Store the MPW Fingerprint/Hash" button disabled when the user selects an account folder/group.

4. The different possible Status values are 'UnStored', 'Matches' 'Doesn't Match'...

Ok. Are you sure this is better than the current wordy implementation?

5. Reduce the Hash Status/Buttons to a single button that dynamically changes between 'Store' and 'Replace', depending on whether a Hash has already been stored...

Good idea.

6. If you want it on this window, change the 'Store the MPW Hash for all accounts' to a simple checkbox option beneath the Hash Status line that, if enabled, stores the current MPW Hash for the Default account and then simply enables a pointer to this Hash for all other accounts (rather than actually storing a copy of the Hash for each account)....

I'd rather just get rid of the "Store MPW Hash for Default Account" button altogether.

First, a question: since storing the HASH is safer, will PWM still supply the correct generated password if this is changed to 'Store Master Password Hash [in memory][on disk]? I don't think it will, so, that only leaves the behavior when the HASH of the stored Master Password doesn't match the stored HASH of a matched account.

The hash and MPW are stored in two completely different variables in memory. On disk, there are actually separate places for each to be stored, too. They are completely independent of each other, so I'm not sure how this question applies. To see what I mean, open passwordmaker.rdf and watch how it changes as you make changes to the MPW and MPW Hash in the GUI (contrary to other posts I've read, you CAN keep the rdf file open while PasswordMaker writes to the file--just reload the file after PasswordMaker settings are changed).

I'd like to see this behavior modified so that, instead of populating the username and incorrect password - like it does now - PWM should display the MPW prompt window, with a little notification to this effect, and offer to let you re-enter the MPW (aka enter a different MPW. There should also be a checkbox - unchecked by default - that would allow you to replace the Master Password that is currently stored [in memory][on disk] with this new one...

Of course, the current behavior would still apply for accounts that do not have a stored HASH to compare.

Let's tackle this in another release otherwise I'll never get 1.7 out the door. Please add this to the Feature Request List.

Hope I've addressed everything,
Eric

[tanstaafl]

Sorry for the lack of a response. Long posts and emails are harder to follow-up on than shorter ones because they're a lot bigger time investment for me.

Understood, and no worries - I knew you'd get to it eventually...

1. Display the 'Calculated URL' at the top...

Looks like you changed your mind on this in the 2nd post to this thread. Good

Actually, no... I edited the first post of this FR to the way it is now before I moved it to the FR forum, but forgot to edit that follow up post, which was talking about a different 'Item #1'...  - fixed now (read the first part of the second post again, and this should make more sense)... and I won't edit a post like that again without indicating so using the strikethrough like I just did on the second post... sorry for the confusion.

I think that showing the current calculated URL at the very top - in display only form - is a good idea, for one simple reason...

What if I have set something other than the URL for the 'Use the following text...'? I in fact do this for certain accounts...

Displaying the current 'Calculated URL' (maybe the label should read 'Current Calculated URL') would just be an added safety factor when using PWM manually, to make sure that I'm on the correct site (not being phished) - not absolutely necessary, but I think it would be 'A Good Thing'(tm)...

3. Add the name of the current Account below the 'Copy Generated Password' line...

I don't think this is necessary since the selected account appears very clearly in the accounts tree. I did, however, make the "Store the MPW Fingerprint/Hash" button disabled when the user selects an account folder/group.

Fair enough - and good idea to make the button disabled when an account isn't selected...

4. The different possible Status values are 'UnStored', 'Matches' 'Doesn't Match'...

Ok. Are you sure this is better than the current wordy implementation?

Its just a simplification, in that it reduces two lines to one... placing both the Status of the Hash and the button to Store/Replace the Hash all on the same line... not a big deal, but in my mind it is cleaner...

I'd rather just get rid of the "Store MPW Hash for Default Account" button altogether.

Fine with me... but this begs the question, should there be a new option for Accounts to 'Use Default Account Hash'? Or just require Accounts to have to store their hash individually, and if the user wants them to share the same Hash as the Default Account, they have to store it for each one? Personally, I think it should be an option to share it, but disabled by default.

Hey, I just had an idea - why not also provide an option for all Accounts in any given Group to share the same Hash?

Of course, I'm just talking future possibilities out loud here...

The hash and MPW are stored in two completely different variables in memory. On disk, there are actually separate places for each to be stored, too. They are completely independent of each other, so I'm not sure how this question applies.

Right - which is what I meant when I said 'I don't think so', answering my own question...

I'd like to see this behavior modified so that, instead of populating the username and incorrect password - like it does now - PWM should display the MPW prompt window, with a little notification to this effect, and offer to let you re-enter the MPW (aka enter a different MPW. There should also be a checkbox - unchecked by default - that would allow you to replace the Master Password that is currently stored [in memory][on disk] with this new one...

Of course, the current behavior would still apply for accounts that do not have a stored HASH to compare.

Let's tackle this in another release otherwise I'll never get 1.7 out the door. Please add this to the Feature Request List.

Done: New 'MPW Hash Mis-Match' dialog

Hope I've addressed everything

Yes, except for the question of adding the 'Calculated URL' at the top, and the new FR for the 'MPW Hash Mis-Match' dialog...

Thanks!

[Eric H. Jung]

Displaying the current 'Calculated URL' (maybe the label should read 'Current Calculated URL') would just be an added safety factor when using PWM manually, to make sure that I'm on the correct site (not being phished) - not absolutely necessary, but I think it would be 'A Good Thing'(tm)...

Fine. Do you want this for 1.7?

Its just a simplification, in that it reduces two lines to one... placing both the Status of the Hash and the button to Store/Replace the Hash all on the same line... not a big deal, but in my mind it is cleaner...

Ok.

but this begs the question, should there be a new option for Accounts to 'Use Default Account Hash'? Or just require Accounts to have to store their hash individually, and if the user wants them to share the same Hash as the Default Account, they have to store it for each one? Personally, I think it should be an option to share it, but disabled by default.

Each one individually if more than sufficient imho.

Hey, I just had an idea - why not also provide an option for all Accounts in any given Group to share the same Hash?

I think this is overkill.

Looks like 1.7 won't be getting out the door anytime soon based on this. That's too bad.

[tanstaafl]

No, no, no... 

Did you miss this comment?:

Of course, I'm just talking future possibilities out loud here...

I was just thinking out loud about how all of this new killer functionality might be refined/enhanced sometime in the future... leaving it completely up to you as to how much - if any - you wanted to use before publishing 1.7. Remember, I don't really know just how simple or complicated some of my suggestions might be, so of course, any suggestions that you like that are simple, then by all means, implement them before. But if they are complicated and/or you don't like them, then by all means, just say so...

In no way were these suggestions meant to be necessary for the 1.7 release... or even ever. I'm just trying to participate in the development in the only way I can - by discussing possible features/GUI enhancements. It doesn't offend me if you decide you don't like an idea of mine, and unless you ask me to stop, I'll keep right on making suggestions, some of which will hopefully give you some good ideas for improving PWM.

I barely have time to add these comments in the forums, and have to steal time to create the mock-ups late at night while my wife waits for me to come to bed, but PWM is important enough to me that I will always make the time for at least this kind of feedback - unless you don't want it...

So, please don't take my comments/suggestions as demands. Now, with this in mind, I'll post a follow-up in a minute...

[tanstaafl]

Displaying the current 'Calculated URL' (maybe the label should read 'Current Calculated URL') would just be an added safety factor when using PWM manually, to make sure that I'm on the correct site (not being phished) - not absolutely necessary, but I think it would be 'A Good Thing'(tm)...

Fine. Do you want this for 1.7?

Eric - you seem to be taking my suggestions the wrong way.

If you disagree with me about this change, then by all means don't add it... if it is easy, and you agree with my reasoning, then yes, please...

but this begs the question, should there be a new option for Accounts to 'Use Default Account Hash'? Or just require Accounts to have to store their hash individually, and if the user wants them to share the same Hash as the Default Account, they have to store it for each one? Personally, I think it should be an option to share it, but disabled by default.

Each one individually if more than sufficient imho.

Sufficient, yes... but I was thinking it was overkill - say I have 150 accounts, and I want them all to use the same MPW hash, why store it 150 times, when once would do? But hey - if changing this doesn't give much bang (minimizing size of RDF file and/or simplifying code) for the buck (work involved), then that is different...

Hey, I just had an idea - why not also provide an option for all Accounts in any given Group to share the same Hash?

I think this is overkill.

Ok...

Looks like 1.7 won't be getting out the door anytime soon based on this. That's too bad.

Ok, I guess I'll just have to stop spending so much time trying to think of ways to improve PWM... its fun for me, actually, so a bit disappointing, but the last thing I want is to make you feel like this...

[Eric H. Jung]

Did you miss this comment?:

Of course, I'm just talking future possibilities out loud here...

I did not miss that comment. However, it follows this statement:

Hey, I just had an idea - why not also provide an option for all Accounts in any given Group to share the same Hash?

so I naturally assumed "future possibilities" only applied to that suggestion. You appear to be saying it should be applied to all of your suggestions.

[tanstaafl]

Did you miss this comment?:

Of course, I'm just talking future possibilities out loud here...

I did not miss that comment. However, it follows this statement:

Hey, I just had an idea - why not also provide an option for all Accounts in any given Group to share the same Hash?

so I naturally assumed "future possibilities" only applied to that suggestion. You appear to be saying it should be applied to all of your suggestions.

Well... not necessarily... the way I thought this was working was, you, as the developer, would decide what ideas of mine (or anyone else's) you liked, and which ones you didn't - and of the ones that you liked, you would have at least a rough idea of how much work might be involved in implementation, so would be able to say 'yeah, I like that, think I'll add it for 1.7', or, 'yeah, I like that, but it will be a bit of work, it'll have to wait, so go create an FR for it'...

Of course, when the issue being discussed is how to implement something specific that you are working on at the moment, then of course I'm not talking about 'future possibilities', I'm just trying to help you work out how best to implement it the only way I can. If I could code, I'd do it that way, but I can't, so making suggestions here - sometimes doing GUI mockups to make an idea clearer - is the only other way I know of.

In this case, I did bring up some 'future possibilities' ideas in the same thread where we were discussing a specific issue you were working on (the new 'Save Hash' functionality in the GUI), so I guess thats where the confusion came in...

This isn't the first time that you have mistaken my enthusiasm (ie, making lots of suggestions) for demands, so it must be a failing on my part...

Again, this was not intended, and again, my apologies for the misunderstanding...