anything

Author Topic: regex match as URL used for generated password  (Read 25788 times)

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
regex match as URL used for generated password
« on: June 24, 2007, 08:56:42 PM »
There needs to be a way to create an account for which the URL used "to calculate the generated password" is defaulted to the current site. Even better, there should be an option to use a string from the matched pattern(s) for calculating the password. For example, I could create my own "default accounts" by specifying a regex as "(f/ht)tp://([^.]+)?(\w+[.]\w+)[:/]" and the set the URL to use for calculating the password to $3.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #1 on: June 24, 2007, 09:05:44 PM »
I don't follow you...

Can you elaborate a bit? What exactly is it you are trying to accomplish?

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
Re: regex match as URL used for generated password
« Reply #2 on: June 24, 2007, 09:42:06 PM »
Most simply, I'm trying to create an account that acts similar to the default account. That is, one that uses the current URL as the URL for calculating the generated password. Currently, there seems to be no account other than the default that can use the current URL for generating the password. All the accounts I create have to use a fixed string for the string used for generating the password.

To see what I mean, edit an account and click on the URLs tab. The top input box is the issue. It should allow me to specify elements from the matched patterns I specified for that account (the patterns which are also specified on the URLs tab).

For example, I have lots of accounts where the only difference is the URL. It'd be much easier to manage if I could have just one account that could generate the password for them all. This is basically what the default account is for but I need different "default settings" for different situations. For example, some passwords are longer, some exclude certain characters, use different algorithms, ...

Basically, one way to look at what I'm asking for, is the ability to collapse accounts into a single account and specify a bunch of patterns for each of the hosts and the matched host is used for generating the password. Note: I'm really asking for something far more general but that's one way to understand what I want.

e.g. One account might be where the sites allow 20 character passwords
The URL to use for generating password: $2 (note: this refers to the second RE grouping of the matched patterns below, like how perl handles RE matches)
Patterns:
^[^:]//([^.]+[.])?(yahoo[.]com)[:/].*
^[^:]//([^.]+[.])?(google[.]com)[:/].*
^[^:]//([^.]+[.])?(flickr[.]com)[:/].*
^[^:]//([^.]+[.])?(myspace[.]com)[:/].*
^[^:]//([^.]+[.])?(claimid[.]com)[:/].*

then another account for sites that limit passwords to 8 characters and only letters and numbers:
The URL to use for generating password: $2
Patterns:
^[^:]//([^.]+[.])?(aninsecuresite[.]com)[:/].*
^[^:]//([^.]+[.])?(nothingimportant[.]com)[:/].*
^[^:]//([^.]+[.])?(constantlycracked[.]com)[:/].*
^[^:]//([^.]+[.])?(brokendaily[.]com)[:/].*
^[^:]//([^.]+[.])?(microsoft[.]com)[:/].*


One additional feature might be to generalize this into how the default account works in this respect, that is, on the URLs tab, the "URL Components" check boxes. Though, these user-defined accounts must still support pattern matching unlike the default account. In fact, it would be really nice if the patterns were even generalized into the URL components. Notice how my patterns always follow the same format. The patterns should be broken into input boxes for [protocol][subdomain][domain][TLD][port][path][query] so that passwordmaker and ensure secure patterns for any element not specified.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1154
  • Programmer
Re: regex match as URL used for generated password
« Reply #3 on: June 25, 2007, 02:53:55 AM »
PasswordMaker is complex enough for new users, not sure if adding this is a good idea. But there may be a way to put something like this in (I'm not counting on it, it's up to Eric really)
"I'm not drunk, just sleep deprived."

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
Re: regex match as URL used for generated password
« Reply #4 on: June 25, 2007, 03:26:38 AM »
I agree that passwordmaker is fairly complex for new users. I don't think REs are a new-user feature. Regardless, I actually think part of this request is a simplification of the regular expression and pattern matching components, actually making it easier for new users to understand and become familiar with. For example, if all I care about is the the domain name for a pattern, I just type it into the domain field and all the rest of the RE can be supplied by passwordmaker. As for allowing the matched patterns to be used in the URL for password generation, again, an advanced feature that is easily hidden from new users. In fact, there's no end-user complexity being added, and in fact, simplicity combined with feature enhancements for anyone already familiar with REs.
« Last Edit: June 25, 2007, 03:31:10 AM by nicerobot »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #5 on: June 25, 2007, 01:42:45 PM »
Hi nicerobot,

Ok, I think I understand what you are asking for now.

First, have you seen this discussion about a new Security Mode for PWM (which finally resulted in this FR)? My final suggestion - which is still awaiting feedback from both Adam and Eric - doesn't provide exactly what you are asking for, but it easily could (assuming I understand what you are asking for), by adding an additional optional field in the part described in #2.

But... the bottom line is, I just don't see any advantage to having a single account serve the purpose of multiple accounts - in fact it kind of defeats the purpose of multiple accounts.

Looked at another way, your suggestion only provides a more complicated way of serving the same purpose as multiple accounts. In other words, what is the difference between multiple complex regex statements for different domains under a single account, and simply having a separate account for each domain?

Unless I'm simply misunderstanding the request...
« Last Edit: October 22, 2007, 12:19:03 PM by tanstaafl »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #6 on: June 25, 2007, 01:59:13 PM »
Looking at this further... tell me if I'm right - what you are asking for could be accomplished by making a slight modification to item #3 in the above referenced new Security Mode...

...
3. Relabel the 'Use the following URL...' field to 'Use the following value/string...', and make it one of two radio selection choices:

x) 'Use the following value/string...'
-) 'Use the Calculated URL...

with x) being the default, and a notice above the 'Calculated URL/optional-path-string' list when this is changed, notifying the user that changing this selection will result in a different password being generated for each 'Calculated URL/optional-path-string'.

I'm still unsure of any real added value...

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
Re: regex match as URL used for generated password
« Reply #7 on: June 25, 2007, 02:24:42 PM »
Yes, I think you're correct. That post almost fully covers part of the concept I'm requesting.

As for combining accounts, I think of it as just another, logical way to organize passwords. Not better or worse. Equal but different.

I use PWM in two different modes:

  • As an account manager. I use specific accounts when I want to store username and other information about the site. This mode of usage isn't impacted by this feature request. I will still manage accounts using the current model.
  • As a pure password generator. In this mode, the attributes for password generation are the only attributes of the account being used. In other words, the _only_ settings that matter are the characters, length, algorithm, ... In this mode, combing URLs more clearly, logically groups sites as requiring the same password model instead of having to manage each as an individual account.

    For example, my accounts list contains dozens of accounts in which I use the description field to indicate the password model I use for the site. I currently have 5 models: simple/8, simple/12, strong/8, strong/12, strong/20. I have no desire to manage a full account when I really just want to only add a site to a specific model.

I know you have to have run into the same problem as me. The default account does not work on many, many sites. These stupid site limitations for only using letters and numbers and some randomly chosen length limitation drive me a little crazy. Hence, my 5 models, which, so far, cover every site I've encountered.

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
Re: regex match as URL used for generated password
« Reply #8 on: June 25, 2007, 02:46:04 PM »
Looking at this further... tell me if I'm right - what you are asking for could be accomplished by making a slight modification to item #3 in the above referenced new Security Mode...

...
3. Relabel the 'Use the following URL...' field to 'Use the following value/string...', and make it one of two radio selection choices:

x) 'Use the following value/string...'
-) 'Use the Calculated URL...

with x) being the default, and a notice above the 'Calculated URL/optional-path-string' list when this is changed, notifying the user that changing this selection will result in a different password being generated for each 'Calculated URL/optional-path-string'.

I'm still unsure of any real added value...
I think your original explanation of 'Use the following value/string...' will suffice. It's just that I don't want the 'value/string' limited to a single URL component. I don't really care how it's specified (certainly more friendly than my "$2", "$3" example). But, I'd like the 'value/string' to be as complex as I choose. For example, maybe I want "[host][port]" (this happens often because of admin pages for webhosting products like cpanel) but for the same host, I may also want one for just "[host]/blog" and another "[protocol][host]" (think ftp accounts) and yet another "[host]/db" or even "[host][&param3]" where "&param3" is the query parameter value for the param3. In other words, I'd want the generated passwords to be different for several different uses even though they're all accessing the same host. So they'd require different 'value/strings' for calculation.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #9 on: June 25, 2007, 03:25:18 PM »
Dang it - lost the reply I was working on...

Ok, as far as I can tell, you can already easily accomplish what you want...

1. Create a Group for each desired model
2. Copy each Account into the appropriate Group (moving accounts around is problematic right now)
3. Whenever you want to add a new Account to one of your Model Groups, just Copy an existing Account and edit the URL pattern appropriately.

Its a question of six to one, half dozen to another. I see no difference between managing these as actual Accounts, or as URL patterns.

What do you think?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #10 on: June 25, 2007, 03:54:18 PM »
Quote
I think your original explanation of 'Use the following value/string...' will suffice. It's just that I don't want the 'value/string' limited to a single URL component.
Currently, the URL components are not account specific - making these account specific is a part of the new Security Mode FR (that I haven't actually added to the FR list yet, since I'm still waiting on feedback from Adm and Eric).

There is currently no individual FR to make the URL components Account specific, although I think it is a part of at least one FR, if not others.

Quote
I don't really care how it's specified (certainly more friendly than my "$2", "$3" example). But, I'd like the 'value/string' to be as complex as I choose. For example, maybe I want "[host][port]" (this happens often because of admin pages for webhosting products like cpanel) but for the same host, I may also want one for just "[host]/blog" and another "[protocol][host]" (think ftp accounts) and yet another "[host]/db" or even "[host][&param3]" where "&param3" is the query parameter value for the param3. In other words, I'd want the generated passwords to be different for several different uses even though they're all accessing the same host. So they'd require different 'value/strings' for calculation.
So, in essence, all you are really asking for is to make the URL Components Account Specific, which, when combined with using Groups per my previous post, would appear to give you the exact control you are looking for, though not precisely in the manner which  you originally requested (it still uses accounts, instead of URL patterns on an account).

If I got that right, I'll be happy to add this to the FR with a vote from you...

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
Re: regex match as URL used for generated password
« Reply #11 on: June 25, 2007, 04:07:18 PM »
Dang it - lost the reply I was working on...

Ok, as far as I can tell, you can already easily accomplish what you want...

1. Create a Group for each desired model
2. Copy each Account into the appropriate Group (moving accounts around is problematic right now)
3. Whenever you want to add a new Account to one of your Model Groups, just Copy an existing Account and edit the URL pattern appropriately.

Its a question of six to one, half dozen to another. I see no difference between managing these as actual Accounts, or as URL patterns.

What do you think?
You approach is similar to what I already do but it would break my current grouping strategy, which is part of what I want to avoid. Maybe using tags for grouping would alleviate that issue by giving me more flexibility but that'd be another feature request.

Your strategy doesn't change the fact that every account I create in this manner requires that I update:
  • The name
  • The URL to use for generating the password
  • The RE pattern
I'd much prefer to just add a new pattern (actually, generally just a new host) to an existing account (password model) since, in these cases, I don't care about the name of the account and I always have specific elements of the URL that I use for generating the password. It's just a tremendous amount more duplication than I prefer (being a developer, I prefer as much automation as possible, cuz I'm very lazy). Especially considering it requires three dialogs to get through all the information and editing an RE each time.
« Last Edit: June 25, 2007, 04:08:58 PM by nicerobot »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #12 on: June 25, 2007, 04:30:13 PM »
Quote
You approach is similar to what I already do but it would break my current grouping strategy, which is part of what I want to avoid. Maybe using tags for grouping would alleviate that issue by giving me more flexibility but that'd be another feature request.
And actually, there are already two different FRs dealing with this, Custom Group Functionality and View by Group/Account... wanna cast a vote?

Quote
Your strategy doesn't change the fact that every account I create in this manner requires that I update:
  • The name
  • The URL to use for generating the password
  • The RE pattern
I'd much prefer to just add a new pattern (actually, generally just a new host) to an existing account (password model) since, in these cases, I don't care about the name of the account and I always have specific elements of the URL that I use for generating the password. It's just a tremendous amount more duplication than I prefer (being a developer, I prefer as much automation as possible, cuz I'm very lazy). Especially considering it requires three dialogs to get through all the information and editing an RE each time.
True enough... and now I see more clearly the value. Also, fyi, it's not that I'm trying to force you into doing it any certain way, I just want to clarify precisely what your need is, to see if it can be filled without adding any new features.

On that note - would you agree that the new Security Mode I am suggesting - since it requires making 'URL Components' account specific - combined with the new option suggested above (to make the 'Use the following value/string' a radio choice with the alternative being 'Use the Calculated URL') would provide exactly what you are asking for, albeit in a slightly different way from your original request? If so, then I'll add that option as a separate FR, and bug Adam and Eric for their feedback on the New Security Mode FR so I can get it finalized/posted too...
« Last Edit: June 25, 2007, 04:50:33 PM by tanstaafl »

Offline nicerobot

  • Jr. Member
  • **
  • Posts: 16
Re: regex match as URL used for generated password
« Reply #13 on: June 25, 2007, 04:52:14 PM »
there is already a FR in place for this (although it doesn't specifically call them Tags, which is actually a better word for it) - wanna cast a vote for it?
Yea, that's sounds good. I'll vote for that.

Quote
True enough... and now I see more clearly the value. Also, fyi, it's not that I'm trying to force you into doing it any certain way, I just want to clarify precisely what your need is, to see if it can be filled without adding any new features.
I understand. These can become complicated discussions. It's important to clarify.

Quote
On that note - would you agree that the new Security Mode I am suggesting - since it requires making 'URL Components' account specific - combined with the new option suggested above (to make the 'Use the following value/string' a radio choice with the alternative being 'Use the Calculated URL') would provide exactly what you are asking for, albeit in a slightly different way from your original request? If so, then I'll add that option as a separate FR, and bug Adam and Eric for their feedback on the New Security Mode FR so I can get it finalized/posted too...
Yea, I think that would come close to fulfilling a large part of my request.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: regex match as URL used for generated password
« Reply #14 on: June 25, 2007, 05:08:22 PM »
there is already a FR in place for this (although it doesn't specifically call them Tags, which is actually a better word for it) - wanna cast a vote for it?
Yea, that's sounds good. I'll vote for that.
I edited my post after you replied, - there are actually two FR's - may want to check them both...

Quote
Quote
On that note - would you agree that the new Security Mode I am suggesting - since it requires making 'URL Components' account specific - combined with the new option suggested above (to make the 'Use the following value/string' a radio choice with the alternative being 'Use the Calculated URL') would provide exactly what you are asking for, albeit in a slightly different way from your original request? If so, then I'll add that option as a separate FR, and bug Adam and Eric for their feedback on the New Security Mode FR so I can get it finalized/posted too...
Yea, I think that would come close to fulfilling a large part of my request.
Ok - but mind if I was why you say it would only come *close* - it seems to me it fulfills all of it, just, as I said, a bit differently than you had originally asked for...

PasswordMaker Forums

Re: regex match as URL used for generated password
« Reply #14 on: June 25, 2007, 05:08:22 PM »