Author Topic: QUESTION: Arbitrary field population  (Read 10460 times)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« on: January 22, 2006, 08:02:56 PM »
Hi everyone,

I'm finalizing PasswordMaker's "Roboform" capability: you can have any field on any webpage automatically populated. If you specify a password field, its value is encrypted in the passwordmaker settings file.

I have one implementation question, though. Should the user be required to enter the master password before automatic population (if it hasn't been saved to disk or in-memory)? My instinct tells me yes; it can be a security flaw otherwise. On the other hand, PasswordMaker currently auto-populates username fields even if the user doesn't know the master password (just hit 'cancel' at the prompt to see what I mean).

I could make it an option for each and every field, a simple checkbox "yes" to prompt for MPW before population or "no" not to prompt.

Thanks for your input,
Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #1 on: January 22, 2006, 09:30:59 PM »
Hi Eric,

I agree with you, and would even go so far as to say it shouldn't even populate the username without the MPW being prompted for (unless, as you said, it has already been saved in memory (or to disk)).

Nor do I see a need for making this a per-field option - sounds like way too much work for very little benefit to me. Just a blanket option should be fine, *if* you want an option at all...

Personally, I don't think it should be an option. The main reason is, *why*? Why would anyone want to be able to populate any of these fields *without* the MPW? I guess there could be a reason I haven't thought of...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #2 on: January 22, 2006, 10:50:04 PM »
Quote
The main reason is, *why*? Why would anyone want to be able to populate any of these fields *without* the MPW? I guess there could be a reason I haven't thought of...
Heh, one thing I've learned is people have the desire to do anything and everything with their computer. Thanks for the comments. Anyone else have something to say?
« Last Edit: January 23, 2006, 12:58:10 AM by Eric H. Jung »

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
QUESTION: Arbitrary field population
« Reply #3 on: January 23, 2006, 02:12:11 AM »
Yes, I have just got to say something here.  If you remember, a long time ago, that was a request I had.  I am really glad to see it finally being implemented.  Back then, we were talking about hiding the tree, etc.  We never really came to an agreement on it.  But yes, by all means, hide the username, when the MPW is not supplied.

As I said back then, the username is one piece of the puzzle, which any hacker trying to break into your account will need to solve.  Why give them half of the answer up front?

And I agree with tanstaafl.  Make it hide and do not give the user a choice.  But then, I see your point, too.  If you give the user a choice, you should make it checked by default, IMHO. - Just look at my tagline.
« Last Edit: January 23, 2006, 02:15:32 AM by Romeo »
It is impossible to create a fool-proof system, because fools are ingenious.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #4 on: January 23, 2006, 02:18:37 AM »
Hi Romeo,

Point taken. I will not bother with giving the user a choice. No MPW, no auto-populated fields!

-Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #5 on: January 23, 2006, 05:02:43 PM »
Quick question...

Does this 'roboform' functionality you're talking about include the 'auto-submit' capability, by any chance? Thats one I've been looking forward to ever since it was added to the FRL...

Thanks for all your hard work Eric...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #6 on: January 23, 2006, 09:45:12 PM »
Quote
Does this 'roboform' functionality you're talking about include the 'auto-submit' capability
No, not yet... not for 1.5, unfortunately. The reason is because before we have auto-submit capabilities, PasswordMaker must support "When URL Equals". My release philosophy has been to try to release features as soon as they are done, not stack them up into one giant release. So, with that in mind, I had to make a decision about which to implement first: auto-submit or arbitrary field auto-population. I promised the latter would be done in 1.0, and it wasn't. I realize both features are highly requested (arbitrary field auto-population gets a lot of requests from people who never formally vote), but I had to make a decision. I chose to do arbitrary field auto-population first. As SOON as that's done and released, I'll start work on "When URL Equals". As soon as that's done, then auto-submit work can begin.

Sorry for the delays.

-Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #7 on: January 24, 2006, 12:09:04 AM »
No worries at all... personally I am amazed at how much you already do...

:)

Offline Felipe

  • Jr. Member
  • **
  • Posts: 26
QUESTION: Arbitrary field population
« Reply #8 on: January 27, 2006, 04:12:52 AM »
Quote
I could make it an option for each and every field, a simple checkbox "yes" to prompt for MPW before population or "no" not to prompt.
I agree with this 100%
Quote
the username is one piece of the puzzle, which any hacker trying to break into your account will need to solve. Why give them half of the answer up front?
and this
Quote
personally I am amazed at how much you already do...
:)
and this!


:lock:
« Last Edit: January 27, 2006, 04:15:38 AM by Felipe »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #9 on: January 27, 2006, 04:50:22 PM »
Quote
I agree with this 100%
I wish you had expressed interest sooner. I am mostly done implementing arbitrary field auto-population, and would have to rewrite a lot of stuff to support MPW prompt (or not) by individual field.
« Last Edit: January 27, 2006, 04:51:12 PM by Eric H. Jung »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #10 on: January 27, 2006, 05:20:13 PM »
Don't worry about it Eric... as I said earlier, there is no really good reason to allow to auto-populate fields without the MPW, and indeed, I would prefer that it not even be an option.

Offline Felipe

  • Jr. Member
  • **
  • Posts: 26
QUESTION: Arbitrary field population
« Reply #11 on: January 27, 2006, 10:17:28 PM »
don't sweat it, eric! It's your baby (PWM i mean)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #12 on: January 27, 2006, 11:33:00 PM »
Quote
It's your baby
Thanks, but I've always strived for that not[/i] to be the case. I hope you consider it everyone's[/i] baby. A community-driven baby :)

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
QUESTION: Arbitrary field population
« Reply #13 on: January 28, 2006, 02:24:45 AM »
Well, the cli and PHP version have community-driven so far.

I should update the PHP version to support the unlimited length passwords though...
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #14 on: January 28, 2006, 04:07:08 AM »
Quote
I should update the PHP version to support the unlimited length passwords though...
That would be very helpful since I'm about to release a BlackBerry version of PasswordMaker which uses the PHP version.

PasswordMaker Forums

QUESTION: Arbitrary field population
« Reply #14 on: January 28, 2006, 04:07:08 AM »