Author Topic: FR: New 'Default' and 'Advanced' Security Modes  (Read 46716 times)

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
FR: New 'Default' and 'Advanced' Security Modes
« on: May 27, 2007, 04:27:12 AM »
Firstly, thanks for not giving up on the discussion yet ;)  It's proving a very difficult topic to discuss in this communication medium, but I think we're gradually making progress...
No worries - and I actually prefer this medium, as it provides an easily reviewable record of these conversations - maybe not as effective as a face to face meeting, but better in the long run for everyone.

Quote
it sounds like you're still suggesting taking a domain like 'yahoo.com', converting it into a regexp like 'https?://[^/]+\.yahoo\.com/.*', and then matching the URL of the current page against that regexp.
I had to step back a bit and re-read some of this stuff - my brain was starting to cramp... ;) - and you were right about my use of 'TLD' - so below I changed my reference to 'Calculated URL' for clarity.

Let me preface this message by saying that I agree with you in principle, and even mostly in methods, but I think I've come up with an even simpler solution... see if this makes sense...

Given:

1. The 'Calculated URL' is the string that PWM uses to match against when trying to match a 'current URL' to an account URL. This may be just the TLD (which is the current default), or, if the user adds more URL components to the calculated URL in the URL Components Tab, it could contain more (protocol, sub-domain, etc)...

2. The 'Pattern' list is what is *currently* matched against.

3. The 'Use the following URL...' field is what is used to calculate the password when an Account match is found.

4. Currently, the URL comparison is a 'contains' search - hence the need for regex/wildcard patterns. This was also the source of some of the confusion...

5. Your suggestions still include the use of wildcard operators, and thus, room for error and confusion (think 'Grandma')...

What I am proposing is very simple...

1. Create a new 'Default Security Mode', where search behavior for new Accounts is an *exact match* simple string comparison, based purely on the 'Calculated URL'

OPTIONAL: 2.  Add an *optional* field for a 'path-string' (the search on the optional-path-string would still be a simple 'contains' search, and if it is empty, it is ignored).

OPTIONAL: 3. Provide the ability to add multiple 'Calculated URL/optional-path-string' pairs to a custom Account in this new 'Default Security Mode', just like you can currently add multiple wildcard/regex patterns.

4. Relabel the 'Use the following URL...' field to 'Use the following value/string...'
Implemented with version 1.7

5. Make the 'URL Components' a per Account Setting. New Accounts inherit the settings that are set in the Defaults, but maintain their values if the Defaults are changed - and can be changed after the account is created, if desired. This will be necessary, so that if someone decides to change the URL Components being used, it won't mess up passwords for existing accounts.

6. Make the current, highly customizable wildcard/regex pattern functionality an optional 'Advanced Security Mode', complete with warnings about how this should only be used if you know *exactly* what you are doing - and even then *be careful!*...

***** EDIT: added 10-25-07 *****

For clarification: numbers 1, 5 and 6 are the important parts of this Feature Request.

RESULT: When an Account is in 'Default' Security Mode, the 'Use the following text...' value IS IGNORED, and the 'Calculated URL' is what is used to calculate the password instead - this mimics the behavior - and provides the same security - as accounts that use the Defaults settings...

***** END EDIT *****

Now, lets use your microsoft.com and msn.com scenario as an example of how this would work...

Per above, when creating the initial account for microsoft.com, I just add 'microsoft.com' to the 'Calculated URLs' lists for this account (eventually this will be automatic when the account is first created).

Now, if I want to add MSN to the mix, all I add is 'msn.com' to the 'Calculated URLs' list (again, eventually, there will be an easy way to just 'Add Current URL' instead of manually typing it). Also, if I wanted the msn.com entry to match only when it was on a specific page, I could put 'login.htm' (or whatever text was needed to identify the proper page) as the 'optional-path-string' for that entry.

No wildcards, no nothing. Simple, clean, easy even for novices to understand.

The UI for entering these could even be made to check for syntax errors - and even validity (do a DNS lookup or something)...

So, what do you think?

[Edited on 6/9/09 for clarity - made some of these changes OPTIONAL]
« Last Edit: June 09, 2009, 10:59:29 AM by tanstaafl »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
FR: New 'Default' and 'Advanced' Security Modes
« Reply #1 on: June 01, 2007, 10:34:48 PM »
Jesus, I'm supposed to read all this?  :)  I'll have to print it out and read it during my commute on the train Monday morning.

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
FR: New 'Default' and 'Advanced' Security Modes
« Reply #2 on: June 02, 2007, 05:16:45 PM »
Heh - sorry, Eric...

Adam - never heard back from you - did my last make sense to you?

Offline adamspiers

  • Jr. Member
  • **
  • Posts: 25
FR: New 'Default' and 'Advanced' Security Modes
« Reply #3 on: June 06, 2007, 04:13:11 PM »
Heh - sorry, Eric...

Adam - never heard back from you - did my last make sense to you?

Sorry for the slow reply, been very busy.  In short, YES!  I think we are now very close to being 100% aligned.  I still want to reply point by point in detail because IIRC there was still an outstanding detail or two, but I can't recall exactly what and don't have time to look at it again right now.  Soon though!

Thanks again,
Adam

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
FR: New 'Default' and 'Advanced' Security Modes
« Reply #4 on: June 09, 2007, 09:18:18 PM »
bump...

Just being the squeaky wheel - because I'd love to see this implemented!

:)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3348
    • http://passwordmaker.org/
FR: New 'Default' and 'Advanced' Security Modes
« Reply #5 on: June 10, 2007, 05:34:07 AM »
I haven't read the whole thread yet.

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
FR: New 'Default' and 'Advanced' Security Modes
« Reply #6 on: June 10, 2007, 05:04:16 PM »
No worries - and I'm still getting used to the fact that email notifications are actually working reliably now...

:)

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
FR: New 'Default' and 'Advanced' Security Modes
« Reply #7 on: June 16, 2007, 11:47:26 AM »
Adam? Eric? I'd like to get this FR added (before I forget about it), if Adam and I are in agreement, and Eric agrees that adding this is both feasible *and* desirable...

By the way - making this automatically create the initial 'Calculated URL+optional-path-string' pair based on the current TLD would eliminate a source of newbie confusion (see the last post by iNick), *and* fulfill part of another FR (auto creation of new account using the current URL - 9 votes, but also wanted this to work from a right-click on a password field)
« Last Edit: June 16, 2007, 11:54:18 AM by tanstaafl »

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
FR: New 'Default' and 'Advanced' Security Modes
« Reply #8 on: July 13, 2007, 12:23:00 PM »
Bump...

If I don't hear from anyone by the end of the weekend, I'll go ahead and add this FR per my last description...

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #9 on: August 28, 2007, 03:54:14 PM »
Eric, did you get a chance to read through this yet? I'm curious what you think...

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #10 on: October 24, 2007, 05:38:47 PM »
Bump again...

Eric, did you ever get a chance to read this simplified/summarized version of this FR?

The first post in this topic sums it up quite nicely, but for reference, here is the original thread...

This one, plus the Simplified 'Defaults'/'Advanced' GUI would be an incredible combination in making PWM far less susceptible to user errors when working with patterns, and far easier to learn how to use out of the box.

Or at least thats mho...

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #11 on: October 25, 2007, 11:48:57 AM »
I just edited the main post above to clarify something that I just realized may not have been clear...

The purpose of this change is to provide the SAME level of security (very high) for Custom Accounts as exists currently for sites that use the 'Defaults'... ie, instead of using the 'Use the following text...' value, it uses the 'Calculated URL' for actually calculating the password.

I also see my reference to changing the label of the 'Use the following URL...' to 'Use the following text.string...' - I shouldn't have put that in there, since that had nothing to do with this FR, really - Eric - maybe this was something that was making it difficult for you to see the benefit?

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1362
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #12 on: October 25, 2007, 12:37:53 PM »
Also, something else to consider...

If this FR is implemented, I think the 'Use the following text...' field should be hidden in/moved to the 'Advanced' mode section, so that the user doesn't see it - and it is NOT USED - when in 'Default' security mode. The goal is, after all, to both simplify things and make them more secure when in 'Default' mode.

Also, you could add a new Account-Specific option to 'Don't use 'Username' for Password Calculation.

What this would do is allow a user to cause the same password to be generated for this account regardless of the pattern matched - all the user would have to do is switch to 'Advanced' mode for this account, enter something into the 'Use the following text...' field, and check this box to not use the username in the password calculation.

I guess an argument could be made to provide this same option in the 'Default' mode, but since this is LESS secure, my argument is to leave it in the 'Advanced' mode section.

Offline adamspiers

  • Jr. Member
  • **
  • Posts: 25
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #13 on: April 13, 2009, 10:40:15 PM »

Given:

1. The 'Calculated URL' is the string that PWM uses to match against when trying to match a 'current URL' to an account URL. This may be just the TLD (which is the current default), or, if the user adds more URL components to the calculated URL in the URL Components Tab, it could contain more (protocol, sub-domain, etc)...

2. The 'Pattern' list is what is *currently* matched against.

3. The 'Use the following URL...' field is what is used to calculate the password when an Account match is found.

Presumably you mean the 'Use the following text...' field - as you point out, in the newer versions this was changed to emphasise that it didn't have to be a URL.

Quote
4. Currently, the URL comparison is a 'contains' search - hence the need for regex/wildcard patterns. This was also the source of some of the confusion...

OK, some of this is news to me.  I thought the current (visited) URL was matched directly against each URL pattern, not against a truncated form.  Let me check my understanding based on the above...

If I visit a website at https://foo.bar.com/some/path and for the sake of example, in the settings for the default account I have ticked Protocol and Domain but not subdomain(s) or the other stuff, then PWM will look through each of the URL patterns (whether they are wildcards or regexps) for a pattern which matches "https://bar.com".  If it finds one, then it applies the settings from the account which had the matching pattern.  Is that right?

In that case I would expect all my regexp patterns to break if I tick the Protocol checkbox, since all my patterns are of the form: https?://[^/]+\.bar\.com/.* which would not match "https://bar.com" (it would match "https://foo.bar.com" though).

Quote
5. Your suggestions still include the use of wildcard operators, and thus, room for error and confusion (think 'Grandma')...

What I am proposing is very simple...

1. Create a new 'Default Security Mode', where search behavior for new Accounts is an *exact match* simple string comparison, based purely on the 'Calculated URL' *and* an *optional*-path-string (the search on the optional-path-string would still be a simple 'contains' search, and if it is empty, it is ignored).

2. Provide the ability to add multiple 'Calculated URL/optional-path-string' pairs to a custom Account in this new 'Default Security Mode', just like you can currently add multiple wildcard/regex patterns.

3. Relabel the 'Use the following URL...' field to 'Use the following value/string...'
Implemented with version 1.7

4. Make the 'URL Components' a per Account Setting. New Accounts inherit the settings that are set in the Defaults, but maintain their values if the Defaults are changed - and can be changed after the account is created, if desired. This will be necessary, so that if someone decides to change the URL Components being used, it won't mess up passwords for existing accounts.

5. Make the current, highly customizable wildcard/regex pattern functionality an optional 'Advanced Security Mode', complete with warnings about how this should only be used if you know *exactly* what you are doing - and even then *be careful!*...

***** EDIT: added 10-25-07 *****

6. When an Account is in 'Default' Security Mode, the 'Use the following text...' value IS IGNORED, and the 'Calculated URL' is what is used to calculate the password instead - this mimics the behavior - and provides the same security - as accounts that use the Defaults settings...

***** END EDIT *****

Now, lets use your microsoft.com and msn.com scenario as an example of how this would work...

Per above, when creating the initial account for microsoft.com, I just add 'microsoft.com' to the 'Calculated URLs' lists for this account (eventually this will be automatic when the account is first created).

Now, if I want to add MSN to the mix, all I add is 'msn.com' to the 'Calculated URLs' list (again, eventually, there will be an easy way to just 'Add Current URL' instead of manually typing it). Also, if I wanted the msn.com entry to match only when it was on a specific page, I could put 'login.htm' (or whatever text was needed to identify the proper page) as the 'optional-path-string' for that entry.

No wildcards, no nothing. Simple, clean, easy even for novices to understand.

The UI for entering these could even be made to check for syntax errors - and even validity (do a DNS lookup or something)...

So, what do you think?

Sounds perfect!  This definitely gets my vote.

To check my understanding again, you are proposing that the choice of security mode (default vs. advanced) would be per-account?

Offline adamspiers

  • Jr. Member
  • **
  • Posts: 25
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #14 on: April 13, 2009, 11:01:25 PM »
Also, something else to consider...

If this FR is implemented, I think the 'Use the following text...' field should be hidden in/moved to the 'Advanced' mode section, so that the user doesn't see it - and it is NOT USED - when in 'Default' security mode. The goal is, after all, to both simplify things and make them more secure when in 'Default' mode.

I think I either disagree or am misunderstanding something here.  The "Use the following text..." field's value is (only) relevant for determining the generated password, right?  So surely even in 'Default' security it IS used?  I thought the main point of 'Default' mode was to simplify the account matching mechanism, not the password generation mechanism.  Also, in your proposed 'Default' mode example scenario, shouldn't the user be given the choice of whether to use 'msn.com' or 'microsoft.com' as the seed for their password generation?  Otherwise the resulting password would be dependent on whether the account was first created based off 'msn.com' or off 'microsoft.com'.

Quote
Also, you could add a new Account-Specific option to 'Don't use 'Username' for Password Calculation.

What this would do is allow a user to cause the same password to be generated for this account regardless of the pattern matched - all the user would have to do is switch to 'Advanced' mode for this account, enter something into the 'Use the following text...' field, and check this box to not use the username in the password calculation.

I guess an argument could be made to provide this same option in the 'Default' mode, but since this is LESS secure, my argument is to leave it in the 'Advanced' mode section.

Yes, this would also be a good feature, since it would allow change of username on a site without changing the password.

One final thought: whatever the matching mechanism is currently or ends up being, having a clickable button which exposes the inner workings of the pattern matching engine on a given page would be extremely useful in debugging one's URL patterns.  For example, the debug output could look something like:

Checking account 'foo' ...
Current page http://baz.qux.com/a/path does not match regexp 'https://[a-z]+\.foo\.com/.*'
Current page http://baz.qux.com/a/path does not match wildcard '*.foo.sistersite.com/*'
No URL patterns in account 'foo' matched

Checking account 'qux' ...
Current page http://baz.qux.com/a/path does not match regexp 'https?://qux\.com/.*'
Current page http://baz.qux.com/a/path matches wildcard '*baz.qux.com/a/path' !
Using account 'qux'

PasswordMaker Forums

Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #14 on: April 13, 2009, 11:01:25 PM »

 

anything