Author Topic: QUESTION: Arbitrary field population  (Read 9541 times)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« on: January 22, 2006, 08:02:56 PM »
Hi everyone,

I'm finalizing PasswordMaker's "Roboform" capability: you can have any field on any webpage automatically populated. If you specify a password field, its value is encrypted in the PasswordMaker settings file.

I have one implementation question, though. Should the user be required to enter the master password before automatic population (if it hasn't been saved to disk or in-memory)? My instinct tells me yes; it can be a security flaw otherwise. On the other hand, PasswordMaker currently auto-populates username fields even if the user doesn't know the master password (just hit 'cancel' at the prompt to see what I mean).

I could make it an option for each and every field, a simple checkbox "yes" to prompt for MPW before population or "no" not to prompt.

Thanks for your input,
Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #1 on: January 22, 2006, 09:30:59 PM »
Hi Eric,

I agree with you, and would even go so far as to say it shouldn't even populate the username without the MPW being prompted for (unless, as you said, it has already been saved in memory (or to disk)).

Nor do I see a need for making this a per-field option - sounds like way too much work for very little benefit to me. Just a blanket option should be fine, *if* you want an option at all...

Personally, I don't think it should be an option. The main reason is, *why*? Why would anyone want to be able to populate any of these fields *without* the MPW? I guess there could be a reason I haven't thought of...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #2 on: January 22, 2006, 10:50:04 PM »
Quote
The main reason is, *why*? Why would anyone want to be able to populate any of these fields *without* the MPW? I guess there could be a reason I haven't thought of...
Heh, one thing I've learned is people have the desire to do anything and everything with their computer. Thanks for the comments. Anyone else have something to say?
« Last Edit: January 23, 2006, 12:58:10 AM by Eric H. Jung »

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
QUESTION: Arbitrary field population
« Reply #3 on: January 23, 2006, 02:12:11 AM »
Yes, I have just got to say something here.  If you remember, a long time ago, that was a request I had.  I am really glad to see it finally being implemented.  Back then, we were talking about hiding the tree, etc.  We never really came to an agreement on it.  But yes, by all means, hide the username, when the MPW is not supplied.

As I said back then, the username is one piece of the puzzle, which any hacker trying to break into your account will need to solve.  Why give them half of the answer up front?

And I agree with tanstaafl.  Make it hide and do not give the user a choice.  But then, I see your point, too.  If you give the user a choice, you should make it checked by default, IMHO. - Just look at my tagline.
« Last Edit: January 23, 2006, 02:15:32 AM by Romeo »
It is impossible to create a fool-proof system, because fools are ingenious.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #4 on: January 23, 2006, 02:18:37 AM »
Hi Romeo,

Point taken. I will not bother with giving the user a choice. No MPW, no auto-populated fields!

-Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #5 on: January 23, 2006, 05:02:43 PM »
Quick question...

Does this 'roboform' functionality you're talking about include the 'auto-submit' capability, by any chance? That's one I've been looking forward to ever since it was added to the FRL...

Thanks for all your hard work Eric...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #6 on: January 23, 2006, 09:45:12 PM »
Quote
Does this 'roboform' functionality you're talking about include the 'auto-submit' capability
No, not yet... not for 1.5, unfortunately. The reason is because before we have auto-submit capabilities, PasswordMaker must support "When URL Equals". My release philosophy has been to try to release features as soon as they are done, not stack them up into one giant release. So, with that in mind, I had to make a decision about which to implement first: auto-submit or arbitrary field auto-population. I promised the latter would be done in 1.0, and it wasn't. I realize both features are highly requested (arbitrary field auto-population gets a lot of requests from people who never formally vote), but I had to make a decision. I chose to do arbitrary field auto-population first. As SOON as that's done and released, I'll start work on "When URL Equals". As soon as that's done, then auto-submit work can begin.

Sorry for the delays.

-Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #7 on: January 24, 2006, 12:09:04 AM »
No worries at all... personally I am amazed at how much you already do...

:)

Offline Felipe

  • Jr. Member
  • **
  • Posts: 26
QUESTION: Arbitrary field population
« Reply #8 on: January 27, 2006, 04:12:52 AM »
Quote
I could make it an option for each and every field, a simple checkbox "yes" to prompt for MPW before population or "no" not to prompt.
I agree with this 100%
Quote
the username is one piece of the puzzle, which any hacker trying to break into your account will need to solve. Why give them half of the answer up front?
and this
Quote
personally I am amazed at how much you already do...
:)
and this!


:lock:
« Last Edit: January 27, 2006, 04:15:38 AM by Felipe »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #9 on: January 27, 2006, 04:50:22 PM »
Quote
I agree with this 100%
I wish you had expressed interest sooner. I am mostly done implementing arbitrary field auto-population, and would have to rewrite a lot of stuff to support MPW prompt (or not) by individual field.
« Last Edit: January 27, 2006, 04:51:12 PM by Eric H. Jung »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
QUESTION: Arbitrary field population
« Reply #10 on: January 27, 2006, 05:20:13 PM »
Don't worry about it, Eric... as I said earlier, there is no really good reason to allow auto-populating fields without the MPW, and indeed, I would prefer that it not even be an option.

Offline Felipe

  • Jr. Member
  • **
  • Posts: 26
QUESTION: Arbitrary field population
« Reply #11 on: January 27, 2006, 10:17:28 PM »
Don't sweat it, Eric! It's your baby (PWM, I mean)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #12 on: January 27, 2006, 11:33:00 PM »
Quote
It's your baby
Thanks, but I've always strived for that *not* to be the case. I hope you consider it *everyone's* baby. A community-driven baby :)

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
QUESTION: Arbitrary field population
« Reply #13 on: January 28, 2006, 02:24:45 AM »
Well, the CLI and PHP versions have been community-driven so far.

I should update the PHP version to support the unlimited length passwords though...
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
QUESTION: Arbitrary field population
« Reply #14 on: January 28, 2006, 04:07:08 AM »
Quote
I should update the PHP version to support the unlimited length passwords though...
That would be very helpful since I'm about to release a BlackBerry version of PasswordMaker which uses the PHP version.

PasswordMaker Forums
