Author Topic: display hash, master list of filters  (Read 12809 times)

Max

  • Guest
display hash, master list of filters
« on: October 30, 2007, 11:27:32 PM »
Hello,
Great app, been using it for a few months now.
Though I have a couple of suggestions.

Display a hash of the master password.
I don't like displaying my master password, and I also don't like entering it twice. Better, I think, would be to display a hashed version of the master password. Over time I would remember what that hash looks like and thus know if I have entered my master password incorrectly.
Also, if the displayed hash was based on the current settings, I would know I have the settings right, making generating passwords while mobile easier.

Online valid chars lookup
I think that PasswordMaker is the best password management system I have seen yet. The one thing that destroys it is when developers add restrictions. This makes it hard to use PM, and usually I revert to an older, less secure password.
It would be great to have an online lookup for password requirements.
How this would work is: when I enter a domain, it would load the filter string and generate my password.
An example is a website that only allows a-zA-Z0-9. This would mean that my pass is as secure as it can be and I don't have to remember it or the method used to generate it.

One other thing: is it just me, or are the default settings for the online PM and the FF plugin different? Can these all be set to the same?

Again, great idea and good implementation.
Cheers
Max

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: display hash, master list of filters
« Reply #1 on: October 31, 2007, 03:14:27 AM »
With the hash thing, it seems you're going multi edition there. A tad confusing actually.

Anyway, for the character thing, there is talk of a better interface for the character set. Anyway, except for the mobile edition I believe, all editions (that are GUI/browser based anyway) have a drop down that you can use to pick which set of characters you want to use (and normally have an Alpha Numeric set anyway).
"I'm not drunk, just sleep deprived."

Max

  • Guest
Re: display hash, master list of filters
« Reply #2 on: November 03, 2007, 03:23:08 AM »
Hey,
Sorry, I didn't explain myself that well.

What I meant was, it would be nice to be able to see if I have entered my master password correctly without having to display it, or enter it twice. It would also be good if we could extend this to ensuring I have the settings set correctly. I think I know a clever way how.

The current situations.
Displaying your master password as you enter it is not very safe; I dare say anyone that is security conscious enough to use this app would not do that. So it is best to hide the password.
The problem with hiding the password is that you could accidentally enter the wrong password and not notice. For example, say I load up Firefox, go to site.com and create a new account. I need to enter my master pass so I can register, but what if I enter it incorrectly? Next time I go to the site I will need to reset my password.
The solution to this is to set it so you have to enter your master password twice.
The problem? Entering my password twice is annoying (esp. on my mobile). When I go to check my email I don't really want to have to enter my master password twice.
All this is made worse when mobile. Then I really don't want to enter something twice, nor do I want to copy and paste the wrong value.

So it seems none of the settings are really quite right.
What if, where you enter your password, it displayed a "check code"? The check code could be a hashed version of my master password and a constant (as opposed to the URL that the generated password uses). So when I enter my master password, it will display two hashed values: one the generated password using the URL, and one the check code using the constant.

E.g.
Say my master password is "fred"
hash("fred" + Constant) = ZXASD
hash("fred" + URL) = 123454

Say I bugger my password up and enter "frde"
hash("frde" + Constant) = GFTF
hash("frde" + URL) = 09876

Over time I would remember that the right value should look like ZXASD, thus if I bugger up my master password one day I would notice it pretty quickly. As I would notice the check code is wrong, I would not accidentally use the wrong generated password.

Comment?

Say my password is
entering it twice is goo
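
The check-code idea from the post above, sketched as an added example (not part of the original posts and not PasswordMaker's own code). The label string, the 32-symbol alphabet, the 4-symbol code length and the PBKDF2 iteration count are assumptions chosen for illustration.

```javascript
const nodeCrypto = require("crypto");

// Assumed constants for this sketch (not PasswordMaker settings).
const CHECK_LABEL = "check-code-v1"; // plays the role of "Constant" in the post
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // 32 symbols = 5 bits each
const CODE_LEN = 4; // 4 symbols = 20 bits shown on screen

// Slow key derivation, so every guess tested against a displayed
// code costs an attacker 100000 hash iterations instead of one.
function stretch(master, label) {
  return nodeCrypto.pbkdf2Sync(master, label, 100000, 32, "sha256");
}

// Check code: depends only on the master password and the fixed label,
// so it looks the same on every site and every device.
function checkCode(master) {
  const key = stretch(master, CHECK_LABEL);
  let out = "";
  for (let i = 0; i < CODE_LEN; i++) out += ALPHABET[key[i] & 31];
  return out;
}

// Site password: same master password, but the label is the URL, so the
// check code and the site password come from unrelated derivations.
function sitePassword(master, url) {
  return stretch(master, "site:" + url).toString("base64").slice(0, 12);
}

// Upper bound on what one displayed code reveals about the master password.
function leakedBits() {
  return CODE_LEN * Math.log2(ALPHABET.length);
}

// The typo from the post: "frde" instead of "fred".
function typoIsVisible(intended, typed) {
  return checkCode(intended) !== checkCode(typed);
}
```

A 4-symbol code exposes at most 20 bits of a slow hash, which is enough to catch a typo by eye. Anyone who sees the code can still test dictionary guesses against it, the same caveat raised later in the thread for the stored hash, so a longer code is not a safer one.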


Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: display hash, master list of filters
« Reply #3 on: November 03, 2007, 03:39:56 AM »
1.7 of PasswordMaker can keep a hash of the Master Password for you (a hacker with just the hash can't do anything with your RDF file unless you have a password that the hacker may have in his/her hash dictionary).

Only thing is, it doesn't show it, but PasswordMaker lets you know it's wrong (once you store it once when it's correct).
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: display hash, master list of filters
« Reply #4 on: November 04, 2007, 04:15:25 AM »
Max, everything you ask for is already in PasswordMaker 1.7 as Miquel said. Maybe you're not using the Firefox edition but another one? The online edition maybe? Also, check under Global Settings... you can set whether or not you have to enter the MPW once or twice.

Max

  • Guest
Re: display hash, master list of filters
« Reply #5 on: November 06, 2007, 02:41:19 AM »
Hello again.

Eric, please explain how my request is already available (if you could, please rebut my scenarios to make it clear for me). Maybe I'm missing something?

Thanks for the pointers, but please don't just dismiss my idea. It's a better solution than all others implemented (IMO). If you feel it is not better, please give reasons; let's discuss the pros and cons. I really like PasswordMaker, but if it can be made easier without reducing our security then isn't that a good thing?

The storing of the hash is handy, but I'm not always at my PC, sometimes I reinstall.... Again, this is a solution to a problem but not quite right. If we were to display that hash no one can use it against us. If that hash was displayed on all versions then I could remember it (I don't mean repeat it, but I could pattern match it), without having to use my PC to validate it against the stored value. I must say my typing seems pointless now.
Can we show that value, in all versions, please??

As for the character set issue, below.
To be honest I have not looked into using groups and whatnot. One issue I have is the more I configure the app, the more I am tied to my PC where the settings are stored.
Would it be possible to have a lookup, where we could pass in my domain and get returned the password rules for that domain? Why? Cos then my password can be the max length for that site, and as complicated as they will allow, without me having to remember config settings for each site.
I realise the issues with this idea (what if the rules change??), but it's better than the alternative.
The point of PWM is to make it easier for us to have a different password on every site without having to remember them. But now I have to remember what password structure I had to use to make it work.

For example (not real values):
Gmail
length 8-40 allowed chars A-Za-z0-9<>?:"
so rule could be [length=40,chars="A-Za-z0-9<>?:"]
Three.com.au (stupid developers and their "we will limit your password")
length 6-10 allowed chars A-Z0-9 (must contain a number, can't start with a number)
so rule could be [length=10,chars="A-Za-z0-9<>?:",suffix="1"]

Again, these suggestions are just in the aim of making it easier for me and thus, I would assume, everyone.

PS I'm using the FF plugin, the desktop app and the web version.

Cheers for your time.
Max
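
The per-domain rule lookup proposed in the post above, as an added example (not part of the original posts and not PasswordMaker's own code). The rule objects follow the post's [length, chars, suffix] notation; the `first` field, the sample rule values and the use of HMAC-SHA256 as the generator are assumptions.

```javascript
const nodeCrypto = require("crypto");

// Expand a spec such as "A-Za-z0-9<>?:" into the explicit allowed characters.
function expandChars(spec) {
  let out = "";
  for (let i = 0; i < spec.length; i++) {
    if (spec[i + 1] === "-" && i + 2 < spec.length) {
      for (let c = spec.charCodeAt(i); c <= spec.charCodeAt(i + 2); c++) {
        out += String.fromCharCode(c);
      }
      i += 2;
    } else {
      out += spec[i]; // literal character, including a trailing "-"
    }
  }
  return [...new Set(out)].join("");
}

// Deterministic password for (master, domain) that satisfies the rule.
function generate(master, domain, rule) {
  const chars = expandChars(rule.chars);
  const first = expandChars(rule.first || rule.chars); // hypothetical field
  const suffix = rule.suffix || "";
  const bodyLen = rule.length - suffix.length;
  if (!chars || !first || bodyLen < 1) throw new Error("unusable rule");
  let pw = "";
  for (let ctr = 0; pw.length < bodyLen; ctr++) {
    const block = nodeCrypto.createHmac("sha256", master)
      .update(domain + ":" + ctr).digest();
    for (const b of block) {
      if (pw.length >= bodyLen) break;
      const set = pw.length === 0 ? first : chars;
      // Rejection sampling: skip bytes that would bias b % set.length.
      if (b < 256 - (256 % set.length)) pw += set[b % set.length];
    }
  }
  return pw + suffix;
}

// Constructed sample rules standing in for what a lookup service would return.
const RULES = {
  "gmail.com": { length: 40, chars: "A-Za-z0-9<>?:" },
  "three.com.au": { length: 10, chars: "A-Z0-9", first: "A-Z", suffix: "1" },
};
```

Because the rule is an input to the derivation, any change to a site's entry changes the generated password, which is the "what if the rules change" problem the post mentions; a client would need to pin or version the rule it used when the account was created.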

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: display hash, master list of filters
« Reply #6 on: November 06, 2007, 03:47:03 AM »
OK, you are right. Display of MPW hash is not there. I was referring to the ability to turn off "enter the MPW twice". In the Global Settings tab you can turn this off so you only have to enter the MPW once.

Anyway, on to your ideas.

As for displaying the MPW hash, yes, I can add that.... as another option in the Global Settings tab. By default it will be OFF, though, so as to avoid confusion to people who have no idea what a hash is.

As for the other idea--the database of password rules for various sites--that actually was suggested some time back (perhaps a couple years ago). If you're interested, you could search the forums and find the discussion... but it's not worth it. I'll just state my (updated) case on the idea again.

I don't have the time to implement something like that. It requires server-side work (i.e., a website and database to host the password meta info) and client-side work (i.e., the Firefox extension). If someone else is willing to implement at least the server-side, then I'm willing to consider doing the other half (the client-side). But as it is, I don't have the time for both.

Thanks,
Eric

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: display hash, master list of filters
« Reply #7 on: November 06, 2007, 03:54:59 AM »
As to tying yourself to a computer, the Firefox extension at least has a way around that, server-side backup. If the SVN copy of the on-line edition is ever brought back in sync with what is actually on-line, then I would start work on a PHP script that allows one to use that backup for their own copy of the on-line edition. (The Desktop Edition needs the backup stuff first before that can be even thought about, but at least you can keep it on a portable drive of sorts)

I don't think we have a server that can handle the bandwidth of the meta info right now anyway. And there's the issue that there's a site or two that don't tell you its rules until you break them (I believe I hit one anyway at some point).
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: display hash, master list of filters
« Reply #8 on: November 06, 2007, 04:36:18 AM »
As to tying yourself to a computer, the Firefox extension at least has a way around that, server-side backup.

Right. You can upload/download your settings file to an FTP or WebDAV server using the Upload/Download tab.

Max

  • Guest
Re: display hash, master list of filters
« Reply #9 on: November 06, 2007, 04:46:13 AM »
Hello again.
I would be interested in seeing if we could display the hashed value as part of the master password hash section (so no option).
E.g. if the password is stored, don't display it; if it is not stored, display it (so match or show).

I would consider creating a server application that would support the storing of the domain limits.
I have the required skills to implement such an idea.
I would think the service would have a web front end, where we could enter the domain and set the limits.
There would be another interface that would be a webservice/XML only interface.

The obvious problem here is: what if the server changes the rules, or rules change as they were not right.... Then our passwords would stop working (actually I'm OK with this, I would prefer to update my password than remember rules).
This can't be fixed, but any ideas how we can alleviate it?





 








