Author Topic: FR: New 'Default' and 'Advanced' Security Modes  (Read 58922 times)

Offline adamspiers

  • Jr. Member
  • **
  • Posts: 25
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #15 on: April 13, 2009, 11:13:52 PM »
OK, some of this is news to me.  I thought the current (visited) URL was matched directly against each URL pattern, not against a truncated form.  Let me check my understanding based on the above...

If I visit a website at https://foo.bar.com/some/path and for the sake of example, in the settings for the default account I have ticked Protocol and Domain but not subdomain(s) or the other stuff, then PWM will look through each of the URL patterns (whether they are wildcards or regexps) for a pattern which matches "https://bar.com".  If it finds one, then it applies the settings from the account which had the matching pattern.  Is that right?

In that case I would expect all my regexp patterns to break if I tick the Protocol checkbox, since all my patterns are of the form: https?://[^/]+\.bar\.com/.* which would not match "https://bar.com" (it would match "https://foo.bar.com" though).

Actually I just realised this can't be right, since I currently have only the Domain checkbox ticked, and "bar.com" does NOT match against the regexp: https?://[^/]+\.bar\.com/.*

So either my interpretation of your explanation of the matching mechanism (point 1. in particular of your list of 5 "givens") is wrong, or your understanding of the mechanism is wrong...

Eric, without asking you to read this whole thread, you could probably clear up a lot of confusion by answering the following simple question:

For custom (i.e. non-default) accounts, do the "URL Components" checkboxes have any relevance at all, and if so, what?

Actually I think that in http://forums.passwordmaker.org/index.php/topic,1231.msg1279916.html#msg1279916 tanstaafl already pointed out the answer, but I'd love to know if it's right:
Quote
it also provides the default *value* for the 'Use the following URL...' field when a new specific Account is created

but this only affects password generation, not pattern matching.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #16 on: April 14, 2009, 10:02:13 AM »
Quote
Quote
3. The 'Use the following URL...' field is what is used to calculate the password when an Account match is found.

Presumably you mean the 'Use the following text...' field - as you point out, in the newer versions this was changed to emphasise that it didn't have to be a URL.

But of course... :)

Quote
Quote
4. Currently, the URL comparison is a 'contains' search - hence the need for regex/wildcard patterns. This was also the source of some of the confusion...

OK, some of this is news to me.  I thought the current (visited) URL was matched directly against each URL pattern, not against a truncated form.

Truncated form != 'contains'.

Quote
Let me check my understanding based on the above...

If I visit a website at https://foo.bar.com/some/path and for the sake of example, in the settings for the default account I have ticked Protocol and Domain but not subdomain(s) or the other stuff, then PWM will look through each of the URL patterns (whether they are wildcards or regexps) for a pattern which matches "https://bar.com".  If it finds one, then it applies the settings from the account which had the matching pattern.  Is that right?

Yes, but only for custom accounts (you only mentioned 'Defaults' above, which has no 'URL patterns').

Quote
In that case I would expect all my regexp patterns to break if I tick the Protocol checkbox, since all my patterns are of the form: https?://[^/]+\.bar\.com/.* which would not match "https://bar.com" (it would match "https://foo.bar.com" though).

No, the URL components only affect the CALCULATED URL, which is only used by the 'Defaults' account. It is not used during pattern matching - at least for wildcard patterns (I just tested this and it still detected the tested site fine after I unticked the 'protocol' component).

Currently, modifying the URL components does NOT affect custom account passwords, but if this idea were implemented, because the URL components would become account specific AND because the calculated URL would be used (unless something was entered into the 'Use the following text...' box), yes, it would affect the password, but it still would not affect pattern matching...

Quote
To check my understanding again, you are proposing that the choice of security mode (default vs. advanced) would be per-account?

Yes...
« Last Edit: April 14, 2009, 10:15:47 AM by tanstaafl »

qwavel

  • Guest
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #17 on: August 14, 2009, 06:55:25 PM »
Quote
The purpose of this change is to provide the SAME level of security (very high) for Custom Accounts as exists currently for sites that use the 'Defaults'... ie, instead of using the 'Use the following text...' value, it uses the 'Calculated URL' for actually calculating the password.

I totally agree with this, not just to improve security but to make it more useful too: it allows me to use this feature to create a second security configuration to be used with many sites, rather than just one.

A bunch of sites require a simpler password (e.g. no special chars and only 8 characters) so it is useful to have a way to create a second profile for all of these sites.

Offline rdebay

  • Jr. Member
  • **
  • Posts: 19
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #18 on: September 30, 2009, 02:45:22 PM »
Yes, anything to make this simpler.  Right now, it is too complex to use in a business environment, where the users have little computer experience and simply want to get their work done.

Offline bmadtiger

  • Normal Members
  • *
  • Posts: 1
Re: FR: New 'Default' and 'Advanced' Security Modes
« Reply #19 on: July 20, 2012, 01:37:05 AM »
Did anything come of this FR?

Using the calculated URL in custom accounts (like the default account does) is actually the default behaviour in the PasswordMaker Pro extension for the Chrome Browser. I can be on any website and select any profile / account and the password generated will be based on the selected components (protocol, subdomain, domain) of the current URL.

From what I can see in v1.7.8, each account either shares the one value for the "Use this text to calculate the generated password" or none at all - either way all websites that match the URL patterns end up with the same password - rather than dynamically generating different passwords based on the URL like the default account does.

I'd still like to see this feature implemented if not already done. If it's already in there somewhere, can someone please show me how to do it?

Thanks
bmadtiger
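
The behaviour discussed in replies #16 and #19, as an added example that is not part of the thread and is not PasswordMaker's code: patterns are tested against the full visited URL, the URL components only shape the calculated URL, and a custom account's fixed text gives every matched site the same generator input. The function names, the account layout, the wildcard-to-regex conversion and the two-label domain split are assumptions made for illustration.

```javascript
// Added illustration, not PasswordMaker source; all names are hypothetical.
const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Calculated URL built from the ticked "URL Components".
// Simplification: the domain is the last two host labels (no public-suffix list).
function calculatedUrl(visited, parts) {
  const u = new URL(visited);
  const labels = u.hostname.split('.');
  const sub = labels.slice(0, -2).join('.');
  let out = parts.protocol ? u.protocol + '//' : '';
  if (parts.subdomain && sub) out += sub + '.';
  if (parts.domain) out += labels.slice(-2).join('.');
  return out;
}

// Patterns are tested against the full visited URL as a 'contains' search;
// the URL components play no part here.
function toRegExp(p) {
  return new RegExp(p.type === 'regex' ? p.value
    : p.value.split('*').map(escapeRe).join('.*'));
}
function selectAccount(accounts, visited) {
  return accounts.find(a => a.patterns.some(p => toRegExp(p).test(visited))) || null;
}

// Text handed to the (deterministic) generator. Same text means same password.
// proposed=false: a custom account always uses its fixed text field.
// proposed=true:  an empty text field falls back to the calculated URL.
function generatorText(visited, accounts, defaults, proposed) {
  const acct = selectAccount(accounts, visited);
  if (!acct) return calculatedUrl(visited, defaults.parts);
  if (proposed && !acct.text) return calculatedUrl(visited, acct.parts);
  return acct.text;
}

// Constructed sample configuration and URLs.
const defaults = { parts: { protocol: true, domain: true } };
const accounts = [{
  name: 'simple-8-char-sites', text: '', parts: { protocol: true, domain: true },
  patterns: [
    { type: 'regex', value: String.raw`https?://[^/]+\.bar\.com/.*` },
    { type: 'wildcard', value: '*://*.example.org/*' },
  ],
}];
for (const url of ['https://foo.bar.com/some/path', 'https://www.example.org/login'])
  console.log(url, JSON.stringify(generatorText(url, accounts, defaults, false)),
    '->', JSON.stringify(generatorText(url, accounts, defaults, true)));
```

With `proposed` set to false both sample sites yield the same generator text, which is the password reuse described in reply #19; with it set to true each site gets its own calculated URL.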

PasswordMaker Forums
