Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension > Feature Requests / Enhancements

FR: New 'Default' and 'Advanced' Security Modes


adamspiers:

--- Quote from: adamspiers on April 13, 2009, 10:40:15 PM ---OK, some of this is news to me.  I thought the current (visited) URL was matched directly against each URL pattern, not against a truncated form.  Let me check my understanding based on the above...

If I visit a website at https://foo.bar.com/some/path and for the sake of example, in the settings for the default account I have ticked Protocol and Domain but not subdomain(s) or the other stuff, then PWM will look through each of the URL patterns (whether they are wildcards or regexps) for a pattern which matches "https://bar.com".  If it finds one, then it applies the settings from the account which had the matching pattern.  Is that right?

In that case I would expect all my regexp patterns to break if I tick the Protocol checkbox, since all my patterns are of the form: https?://[^/]+\.bar\.com/.* which would not match "https://bar.com" (it would match "https://foo.bar.com" though).

--- End quote ---

Actually I just realised this can't be right, since I currently have only the Domain checkbox ticked, and "bar.com" does NOT match against the regexp: https?://[^/]+\.bar\.com/.*

So either my interpretation of your explanation of the matching mechanism (point 1. in particular of your list of 5 "givens") is wrong, or your understanding of the mechanism is wrong...

Eric, without asking you to read this whole thread, you could probably clear up a lot of confusion by answering the following simple question:

For custom (i.e. non-default) accounts, do the "URL Components" checkboxes have any relevance at all, and if so, what?

Actually I think that in http://forums.passwordmaker.org/index.php/topic,1231.msg1279916.html#msg1279916 tanstaafl already pointed out the answer, but I'd love to know if it's right:

--- Quote ---it also provides the default *value* for the 'Use the following URL...' field when a new specific Account is created

--- End quote ---

but this only affects password generation, not pattern matching.

tanstaafl:

--- Quote from: adamspiers on April 13, 2009, 10:40:15 PM ---
--- Quote from: tanstaafl on May 27, 2007, 04:27:12 AM ---3. The 'Use the following URL...' field is what is used to calculate the password when an Account match is found.

--- End quote ---
Presumably you mean the 'Use the following text...' field - as you point out, in the newer versions this was changed to emphasise that it didn't have to be a URL.
--- End quote ---

But of course... :)


--- Quote ---
--- Quote ---4. Currently, the URL comparison is a 'contains' search - hence the need for regex/wildcard patterns. This was also the source of some of the confusion...

--- End quote ---

OK, some of this is news to me.  I thought the current (visited) URL was matched directly against each URL pattern, not against a truncated form.
--- End quote ---

Truncated form != 'contains'.


--- Quote ---Let me check my understanding based on the above...

If I visit a website at https://foo.bar.com/some/path and for the sake of example, in the settings for the default account I have ticked Protocol and Domain but not subdomain(s) or the other stuff, then PWM will look through each of the URL patterns (whether they are wildcards or regexps) for a pattern which matches "https://bar.com".  If it finds one, then it applies the settings from the account which had the matching pattern.  Is that right?
--- End quote ---

Yes, but only for custom accounts (you only mentioned 'Defaults' above, which has no 'URL patterns').


--- Quote ---In that case I would expect all my regexp patterns to break if I tick the Protocol checkbox, since all my patterns are of the form: https?://[^/]+\.bar\.com/.* which would not match "https://bar.com" (it would match "https://foo.bar.com" though).
--- End quote ---

No, the URL components only affect the CALCULATED URL, which is only used by the 'Defaults' account. It is not used during pattern matching - at least for wildcard patterns (I just tested this and it still detected the tested site fine after I unticked the 'protocol' component).

Currently, modifying the URL components does NOT affect custom account passwords, but if this idea were implemented, because the URL components would become account specific AND because the calculated URL would be used (unless something was entered into the 'Use the following text...' box), yes, it would affect the password, but it still would not affect pattern matching...


--- Quote ---To check my understanding again, you are proposing that the choice of security mode (default vs. advanced) would be per-account?
--- End quote ---

Yes...

qwavel:

--- Quote from: tanstaafl on October 25, 2007, 11:48:57 AM ---The purpose of this change is to provide the SAME level of security (very high) for Custom Accounts as exists currently for sites that use the 'Defaults'... ie, instead of using the 'Use the following text...' value, it uses the 'Calculated URL' for actually calculating the password.

--- End quote ---

I totally agree with this, not just to improve security but to make it more useful too: it allows me to use this feature to create a second security configuration to be used with many sites, rather than just one.

A bunch of sites require a simpler password (e.g. no special chars and only 8 characters) so it is useful to have a way to create a second profile for all of these sites.

rdebay:
Yes, anything to make this simpler.  Right now, it is too complex to use in a business environment, where the users have little computer experience and simply want to get their work done.

bmadtiger:
Did anything come of this FR?

Using the calculated URL in custom accounts (like the default account does) is actually the default behaviour in the PasswordMaker Pro extension for the Chrome Browser. I can be on any website and select any profile / account and the password generated will be based on the selected components (protocol, subdomain, domain) of the current URL.

From what I can see in v1.7.8, each account either shares the one value for the "Use this text to calculate the generated password" or none at all - either way all websites that match the URL patterns end up with the same password - rather than dynamically generating different passwords based on the URL like the default account does.

I'd still like to see this feature implemented if not already done. If it's already in there somewhere, can someone please show me how to do it?

Thanks
bmadtiger
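
The behaviour discussed in this thread, modelled as an added example that is not part of any post and is not PasswordMaker's own code: account selection tests the pattern against the full visited URL, while the password text is either the account's fixed text (current custom accounts) or the calculated URL (the requested change). All function names, the HMAC-SHA256 stand-in, the two-label domain split, the second pattern and the sample data are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Build the "calculated URL" from the ticked URL components.
// Simplification: the domain is the last two host labels (no public-suffix list).
function calculatedUrl(visited, parts) {
  const u = new URL(visited);
  const labels = u.hostname.split('.');
  const domain = labels.slice(-2).join('.');
  const sub = labels.slice(0, -2).join('.');
  let out = parts.protocol ? u.protocol + '//' : '';
  if (parts.subdomain && sub) out += sub + '.';
  if (parts.domain) out += domain;
  return out;
}

// Account selection: each pattern is tested against the full visited URL,
// never against the calculated URL.
function findAccount(visited, accounts) {
  return accounts.find(a => a.patterns.some(p => p.test(visited))) || null;
}

// Stand-in derivation (HMAC-SHA256, truncated); not the extension's algorithm.
function derive(master, text) {
  return crypto.createHmac('sha256', master).update(text)
    .digest('base64').slice(0, 12);
}

// mode 'fixed': custom account uses its 'Use the following text...' value.
// mode 'calculated': custom account uses the calculated URL instead.
function passwordFor(visited, account, master, mode) {
  const text = mode === 'calculated'
    ? calculatedUrl(visited, account.parts)
    : account.text;
  return derive(master, text);
}

// Constructed sample: one "simple password" account covering two sites.
const accounts = [{
  patterns: [
    /https?:\/\/[^/]+\.bar\.com\/.*/,      // regexp quoted in the thread
    /https?:\/\/[^/]+\.example\.org\/.*/,  // constructed second site
  ],
  text: 'simple-sites',
  parts: { protocol: false, subdomain: false, domain: true },
}];
const siteA = 'https://foo.bar.com/some/path';
const siteB = 'https://www.example.org/login';
```

With the fixed text, both sites receive the same password, so a leak at one site exposes the other; with the calculated URL, the inputs are `bar.com` and `example.org` and the passwords differ.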
