Author Topic: Bafflement for new user  (Read 22506 times)

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
Re: Bafflement for new user
« Reply #15 on: February 27, 2009, 01:12:11 AM »
Quote
For #3 I think something needs to be conveyed which gives some basic insight into the three active options. Incidentally, when I added the before+after option, level 5, the password strength indicator dropped significantly.

I wouldn't put much stock into the strength indicator. It really only serves as a guide. There has been discussion about replacing it but other features and fixes garner greater priority. The leet setting in general is just another way to add some randomness to the recipe. I think the idea from the start is that so many options to choose different hash algorithms, leet settings etc. are there to make your password that much more secure. One could possibly argue that it's overkill.

Quote
#4 is beyond me as yet. Sounds like you guys are saying something different as seems the case in many of the threads.

tanstaafl is saying an entry into this field will result in a change to your generated password. Keep that in mind, your password is generated based on all these settings that you are choosing. If you take all these settings (master password, url, username, leet setting, modifier) and throw them in a blender, they come out the same way every time. If one of these settings is not perfect, the password will not be generated correctly.

Picture this now. You create a new account for your bank website. You set your url, your username, the hash. You may even choose to use a leet setting and level. You have a brand new generated password that you submit to the bank's registration page. Now 1 year passes by and you receive notification that your bank requires you to change your password once per year for security purposes. Without the modifier you would have to either change your hash, or perhaps your leet setting. What if you prefer to use the same setting for every account you have, though? You now have the option to simply put a 1 or an A or whatever in the modifier field, giving you a new generated password as well as leaving all your account settings the same.

Hope this helps...




Offline JonM

  • Jr. Member
  • **
  • Posts: 12
Re: Bafflement for new user
« Reply #16 on: February 27, 2009, 11:51:11 AM »
Thank you quixin, most helpful indeed.  8)

Concerning the Modifier, does whatever might be entered for this have to follow any particular sequence once you have started, or can you literally change it to anything, any time, to suit?

How do you go about updating your chosen logon when the time comes to implement the change? Would you login with the existing password, edit the modifier, and simply follow the same actions for changing an existing password? 

Does the use of a modifier work equally well for Defaults in your opinion? Any pitfalls you can think of for beginners in this respect?

Much obliged,

Jon

« Last Edit: February 27, 2009, 12:05:48 PM by JonM »
"Discussion is an exchange of knowledge; argument is an exchange of ignorance."
- Robert Quillen

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Bafflement for new user
« Reply #17 on: February 27, 2009, 12:16:02 PM »
Hi Jon,

Yes, it can be anything... a single character, a word, a phrase, a date (formatted however you want), etc...

The important thing to understand is that ANY change will change the generated password... for example, if you had an 'a' in this field, the generated password would be one thing... if you then changed this to 'A', the generated password would be completely different.
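
The behaviour quixin and tanstaafl describe above (same settings in, same password out; any modifier change, even 'a' to 'A', gives an unrelated password), as an added example that is not part of the thread and is not PasswordMaker's code. It is a simplified stand-in built on HMAC-SHA256; the function names, character set and sample values are assumptions.

```python
import hashlib
import hmac

# Constructed character set; not taken from the thread or from PasswordMaker.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789!@#$%^&*()")


def generate(master, url, username="", modifier="", length=12):
    """Derive a site password deterministically from the settings.

    Simplified stand-in for a hash-based generator: HMAC-SHA256 keyed with
    the master password over the other fields, re-encoded into CHARSET.
    """
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    data = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode()
        for f in (url, username, modifier)
    )
    digest = hmac.new(master.encode(), data, hashlib.sha256).digest()
    # Treat the digest as one big integer and peel off base-len(CHARSET) digits.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(CHARSET))
        out.append(CHARSET[idx])
    return "".join(out)


def positions_changed(a, b):
    """Count character positions at which two equal-length passwords differ."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    base = generate(master, "bank.example", "jon")
    rotated = generate(master, "bank.example", "jon", modifier="1")
    lower = generate(master, "bank.example", "jon", modifier="a")
    upper = generate(master, "bank.example", "jon", modifier="A")
    print("no modifier :", base)
    print("modifier '1':", rotated)  # yearly rotation, other settings untouched
    print("modifier 'a':", lower)
    print("modifier 'A':", upper)
    print("positions differing a/A:", positions_changed(lower, upper))
```

Because nothing is stored, the modifier has to be re-entered exactly (including case) to get the same password back.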

Offline JonM

  • Jr. Member
  • **
  • Posts: 12
Re: Bafflement for new user
« Reply #18 on: February 27, 2009, 12:59:58 PM »
Quote
Hi Jon,

Yes, it can be anything... a single character, a word, a phrase, a date (formatted however you want), etc...

The important thing to understand is that ANY change will change the generated password... for example, if you had an 'a' in this field, the generated password would be one thing... if you then changed this to 'A', the generated password would be completely different.

Yes understood, so it will be how you implement the change which would determine whether or not you mess up a logon with this feature enabled. In which case is the assumption I have made above correct/on the right track?

The main difficulty as I see it for new users is URL patterns, myself included, especially for the purpose of migrating existing accounts to PWM. Whilst I have managed to make some progress, in so far as establishing PWM with a certain few logons/accounts, I'm pretty sure these are not very well designed. Or to put it another way, PWM has enabled me to generate passwords for some custom accounts (existing logons), yet as a whole there is some dysfunction with the arrangement, and therefore still some work to be done.

Is there any reason not to discuss individual logons/URLs on the open forum?

Cheers,

Jon
"Discussion is an exchange of knowledge; argument is an exchange of ignorance."
- Robert Quillen

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Bafflement for new user
« Reply #19 on: February 27, 2009, 05:03:33 PM »
Quote
The main difficulty as I see it for new users is URL patterns, myself included, especially for the purpose of migrating existing accounts to PWM. Whilst I have managed to make some progress, in so far as establishing PWM with a certain few logons/accounts, I'm pretty sure these are not very well designed. Or to put it another way, PWM has enabled me to generate passwords for some custom accounts (existing logons), yet as a whole there is some dysfunction with the arrangement, and therefore still some work to be done.

You might be interested in some Feature Requests of mine that will substantially reduce the initial learning curve while increasing the basic security of PWM for custom Accounts at the same time...

In this post I outline a change to the way Basic and Advanced Options work in general...

And in this post, I outline a change to the way the Advanced Settings work, specifically the way the 'Using Text' and URL Patterns are used to generate passwords.

It's a bit of a read, especially if you read the original threads that resulted in the FRs, but well worth it if you are interested in making PWM easier to use...

Offline JonM

  • Jr. Member
  • **
  • Posts: 12
Re: Bafflement for new user
« Reply #20 on: February 27, 2009, 05:17:13 PM »
Just to clarify the above comment - this relates to my own current lack of expertise, tanstaafl.

That said, I was saying to myself earlier that I should have a more in-depth look at the FAs, and will endeavor to do this, as well as gladly pick up with those you have pointed out, just as soon as possible.

 ;D
"Discussion is an exchange of knowledge; argument is an exchange of ignorance."
- Robert Quillen

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Bafflement for new user
« Reply #21 on: February 27, 2009, 05:22:55 PM »
Quote
Just to clarify the above comment - this relates to my own current lack of expertise, tanstaafl.

No, it is a definite issue with new users... you aren't the only one who has had problems grasping the Advanced Options...

The FR's I referenced in my last message are meant to directly address this area of complexity.

Offline rdebay

  • Jr. Member
  • **
  • Posts: 19
Re: Bafflement for new user
« Reply #22 on: September 30, 2009, 03:01:16 PM »
I've read the wiki and the FAQs.  I'm confused, really confused.  Now I'm going to read them again with a pen and paper and see if I can make a plan and some sense of everything. 

Over 60, ready to go on Social Security, and I don't understand your computerese.  The Wiki is like Greek to me.  I've been using computers for over 15 years, and this is the very first time I have been so completely baffled by a set of instructions.

I have to agree, I can't see any evidence that this has gone through usability testing. Having tried to introduce it into business environments, I can say it's difficult to administer and difficult to train the users.

The user can't be presented with any choices, they should just enter their username on the web page.  The administrator shouldn't have to set up a unique account for every logon page, but should be able to create sets of generic accounts.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Bafflement for new user
« Reply #23 on: September 30, 2009, 05:21:34 PM »
Rdebay,

Real security will never be as simple as pressing a button.

While I agree that PWM has a lot of room for improvement, the fact is, it is very simple to use once you learn how to use it.

The learning curve is steep for advanced use, but for basic use it is pretty easy.

As for rolling it out in a business environment - you'd have to provide some training sessions, and follow-up support... but it shouldn't be that big a deal, unless you wanted to make its use mandatory, which I probably wouldn't do...

You can lead someone to instructions on how to be secure online, but you can't make them follow them.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: Bafflement for new user
« Reply #24 on: September 30, 2009, 10:55:23 PM »
Quote
I've read the wiki and the FAQs. I'm confused, really confused. Now I'm going to read them again with a pen and paper and see if I can make a plan and some sense of everything.

Over 60, ready to go on Social Security, and I don't understand your computerese. The Wiki is like Greek to me. I've been using computers for over 15 years, and this is the very first time I have been so completely baffled by a set of instructions.

I have to agree, I can't see any evidence that this has gone through usability testing. Having tried to introduce it into business environments, I can say it's difficult to administer and difficult to train the users.

The user can't be presented with any choices, they should just enter their username on the web page. The administrator shouldn't have to set up a unique account for every logon page, but should be able to create sets of generic accounts.

I'd like to point out that Abine, a PasswordMaker offshoot, supports the kind of accounts you're talking about here and the other thread you started. At least, I think it does. I'm sure tanstaafl will tell me why it doesn't  ;D

PasswordMaker Forums