Eric,
Here are my comments after briefly using beta 3/4.
1. GREAT!
The new features all seem to work fine, and make PasswordMaker more powerful and even more fun to use. Don't let this long post give you the wrong idea - there are always things to improve but already PM is wonderful.
2. UI of account settings
The UI is functional and easy to use, however I think it can be tweaked to make it a bit more straightforward to use and visually pleasing:
* Align input boxes:
Name....... __________________________________________________
Description __________________________________________________
...
When URL contains _______________ Use this URL _______________
Username......... _______________ Password.... _______________
* Try to optimize "URL components" frame - currently it's mostly empty. Maybe squeeze it into a single line:
-- URL Components --------------------------------------------
[] Protocol [] Domain [] Subdomain(s) [] Port, path, params
--------------------------------------------------------------
* Re-order fields into functional groups:
---------- Section 1 - Account identification ----------
Name
Description
When URL contains / Use This URL
URL Components
Username
(Future: ID field Name / Value )
---------- Section 2 - Password generation ----------
Hash Algorithm / Password Length
Use l33t / l33t Level
Characters
---------- Section 3 - Password modifiers ----------
Counter / Password Prefix / Password Suffix
---------- Section 4 - Generated password ----------
Generated Password / Strength Meter
Notes:
- The notation "field1 / field2" means fields are on the same line.
- Consider using section headers or frames to visually separate the groups.
3. Minor password meter issues
The whole meter thing is not very important, but if you have spare time and are looking to improve it... I think that the meter algorithm needs some tweaking.
The first thing I checked is how the length of the password affects the score. Currently it shows about 30% strength for passwords that are 3 characters long. On the other hand increasing the length rarely gets to 50%. Adding more characters to the charset improves the score, but the maximum I could manage was around 60-70%.
I think that the length of the password should have a bit more influence, let's say about 25% of the score - that is, with a very long password of poor quality the score will be 25%. For example, assuming 20 chars and above is sufficiently long:
If Length > 20 Then
    Length = 20;
Score = (Length DIV 4) * 5;
Another thing I noticed is that sometimes the meter gives a lower score to a longer password. For example this password: "7103F" gets about 40%, while both "7103F5" and "7103F53" get about 30%, although they are certainly not less secure.
My guess is that the meter algorithm computes a "randomness index" that is relative to the length of the password, but isn't relative to the size of the character set.
Maybe the character set also needs to be part of the score, let's say another 25%. For example, assuming 6 chars and less isn't secure and 25 chars and above is good:
Count = (count unique chars in set);
If Count < 7 Then
    Count = 0;
Else If Count > 25 Then
    Count = 25;
Score = Score + Count;
That leaves 50% of the score to the randomness of the chosen characters. I don't know what the accepted method is to measure randomness - maybe standard deviation? Something else? Whatever it is, there's one more thing to take into consideration, and that is trivial patterns.
The most obvious case is popular words, names, etc. But this requires a huge dictionary (in multiple languages) that is outside the scope of PM, and is anyway not very relevant for hash results.
However hashes do sometimes produce a sequence of characters that have some pattern, especially when the password is short and especially when the user adds a prefix/suffix that isn't really random. For example the password "ABCd3" scores about 60%, but it isn't a strong password.
I thought of a simple logic that probably doesn't cover everything but detects trivial sequences:
1. Upper-case password - if possible invoke locale upper-casing.
2. Calculate absolute differences between adjacent chars (e.g. ABCBA should produce 1,1,1,1).
3. Calculate standard deviation on differences.
4. Scale result to range 0..1.
5. Multiply result by randomness index.
6. Multiply result by 0.5 (50%) and add to score.
4. And...
The Auto-populate checkbox mentioned above will be a very welcome addition!
Thanks for the great work.
EZ.
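A runnable sketch of the scoring scheme proposed in the post above, added here as an example; it is not PasswordMaker's code and not EZ's. The post leaves the randomness measure open, so this uses the normalised Shannon entropy of the password's characters as a stand-in, scales the standard deviation of adjacent differences by 47 (half the printable-ASCII span), and takes the generation charset as a parameter; all three are assumptions.

```python
from math import log2
from statistics import pstdev

MAX_LEN = 20         # post's assumption: 20+ chars is "sufficiently long"
MIN_CHARSET = 7      # post's assumption: 6 chars or fewer is not secure
MAX_CHARSET = 25     # post's assumption: 25+ chars earns the full 25 points
DIFF_SCALE = 47.0    # assumption: half the span of printable ASCII (32..126)


def length_score(password: str) -> int:
    """Up to 25 points: 5 points per 4 characters, capped at 20 characters."""
    return (min(len(password), MAX_LEN) // 4) * 5


def charset_score(charset: str) -> int:
    """Up to 25 points from the size of the generation character set."""
    count = len(set(charset))
    if count < MIN_CHARSET:
        return 0
    return min(count, MAX_CHARSET)


def randomness_index(password: str) -> float:
    """Assumption: normalised Shannon entropy of the characters, in 0..1."""
    n = len(password)
    if n < 2:
        return 0.0
    freqs = [password.count(c) / n for c in set(password)]
    entropy = -sum(p * log2(p) for p in freqs)
    return entropy / log2(n)      # all-distinct characters give exactly 1.0


def pattern_factor(password: str) -> float:
    """Steps 1-4 of the post: upper-case, adjacent abs differences,
    population standard deviation, then scale into 0..1."""
    upper = password.upper()
    if len(upper) < 2:
        return 0.0
    diffs = [abs(ord(a) - ord(b)) for a, b in zip(upper, upper[1:])]
    return min(pstdev(diffs) / DIFF_SCALE, 1.0)   # ABCBA -> 0.0


def strength(password: str, charset: str) -> int:
    """Length (25) + charset (25) + 50 * pattern factor * randomness index."""
    score = length_score(password) + charset_score(charset)
    score += 50 * pattern_factor(password) * randomness_index(password)
    return int(round(min(max(score, 0), 100)))
```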