From bhtrails at gmail.com Mon Feb 14 21:58:20 2005 From: bhtrails at gmail.com (ImakeSense) Date: Tue Feb 15 00:56:34 2005 Subject: [passwordmaker] PwM resets on restart Message-ID: <4211816C.3080504@gmail.com> Whenever I shutdown Firefox the Password Maker menu bar is reset when I restart FF. So when I restart FF the bar is still there but it is blank, all the input text box's disappear... that's my only complaint, it's pretty annoying. From grimholtz at yahoo.com Mon Feb 14 21:55:59 2005 From: grimholtz at yahoo.com (Eric Jung) Date: Tue Feb 15 01:01:12 2005 Subject: [passwordmaker] PwM resets on restart In-Reply-To: <4211816C.3080504@gmail.com> Message-ID: <20050215055559.5380.qmail@web54502.mail.yahoo.com> This is fixed in version 0.2, which will be released within a week. I'm just waiting for Ian to return from vacation. There are a lot of other features in 0.2, also. --- ImakeSense wrote: > Whenever I shutdown Firefox the Password Maker menu bar is reset > when I > restart FF. So when I restart FF the bar is still there but it is > blank, all the input text box's disappear... that's my only > complaint, > it's pretty annoying. > _______________________________________________ > passwordmaker mailing list > passwordmaker@mozdev.org > http://mozdev.org/mailman/listinfo/passwordmaker > __________________________________ Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. http://info.mail.yahoo.com/mail_250 From matt at aclaro.com Sun Feb 20 10:49:38 2005 From: matt at aclaro.com (Matthew Mastracci) Date: Sun Feb 20 12:51:52 2005 Subject: [passwordmaker] Cool extension - some suggestions Message-ID: <4218CDB2.9060602@aclaro.com> I found your extension from Blake Ross' post on his pwdhash project. I really like the current toolbar-based approach - it's much more explicit. As-is, it's a bit cumbersome to use the extension, but I think that a few small changes would really help. I haven't tried the CVS version of this tool, so I don't know if any of these are already implemented. :) 1. It would be nice if the password toolbar would only appear on pages that have password input fields. This is like the old link navigation toolbar that would only appear on pages with certain "link rel=" fields. Ideally, if a password is stored in the password auto-fill database the toolbar need not appear unless explicitly requested. 2. The master password should be stored in the browser password database or entered at browser start time and not displayed to the user. An alternate UI can be used to change the master password, since this shouldn't really happen that often. I can use the "protect master password database with password" feature to ensure that all of my passwords, including the master password for the password generator, are well-protected. I suppose that if the toolbar is only appearing when necessary, the password could still be visible on it all the time. 3. The site URL should be automatically populated from the current URL. 4. To faciliate entering passwords, a "copy to password field" button could search the page for any password fields and fill them with the currently visible password. Matt. From matt at aclaro.com Sun Feb 20 15:46:06 2005 From: matt at aclaro.com (Matthew Mastracci) Date: Sun Feb 20 17:47:44 2005 Subject: [passwordmaker] Cool extension - some suggestions In-Reply-To: <20050220222049.13674.qmail@web54505.mail.yahoo.com> References: <20050220222049.13674.qmail@web54505.mail.yahoo.com> Message-ID: <4219132E.2060901@aclaro.com> There's a reference to passwordmaker in Blake's paper: http://crypto.stanford.edu/PwdHash/pwdhash.pdf. Here's the blurb about it: The Password Maker[PMa] plugin for Mozilla Firefox provides a toolbar where users can obtain hashed passwords that must be manually typed or pasted into the password ?elds on the page. This approach combines the functionality of the PwdHash roaming page with the convenience of a browser toolbar. However, the process of typing passwords into the toolbar and then re-entering them into the page is a major departure from the usual user experience. Also, because Password Maker hashes using the current page domain rather than the form action domain, it would provide different passwords for different sites that used the same domain to process the password. Sorry - #2 wasn't articulated very well. Ideally, I'd like to have the "master password" for passwordmaker stored in the browser password manager (ie: the one that managed the "saved passwords" list). I'm not certain how 0.2 works, but in 0.1 I need to enter my passwordmaker master password each time the browser starts. The advantage to storing the master password in the password manager is that when I've selected the option to encrypt all passwords with the browser's master password, noone can recover my passwordmaker master password or any of the generated and saved pseudo-random passwords. As well, with passwordmaker and a browser master password, I need to enter two passwords when the browser starts, rather than the single password if the master password was stored in the password database. I hope that makes sense. :) Matt. Eric Jung wrote: >Hello Matt, > >Thanks very much for the feedback! They are excellent ideas, and as >you guessed, some of them are already in 0.2. Ian is just back from >vacation so we're hoping to get 0.2 out this coming week. > >I'm very curious about how you found our extension. I googled on >PwdHash and found this discussion >(http://blakeross.com/index.php?p=39) but no reference to >PasswordMaker. Could you let us know? We'd like to inform these >people that their extension has already been written, and it would be >great if they could contribute to *it* instead of writing a new >one.... > >I'm not sure I fully understand #2... can you elaborate on it? Are >you asking for a database of hashed passwords? Are you asking that a >URL for which a previously-generated password has been calculated be >auto-populated next time visisted? > > > >--- Matthew Mastracci wrote: > > > >>I found your extension from Blake Ross' post on his pwdhash >>project. I >>really like the current toolbar-based approach - it's much more >>explicit. >> >>As-is, it's a bit cumbersome to use the extension, but I think that >>a >>few small changes would really help. I haven't tried the CVS >>version of >>this tool, so I don't know if any of these are already implemented. >> :) >> >>1. It would be nice if the password toolbar would only appear on >>pages >>that have password input fields. This is like the old link >>navigation >>toolbar that would only appear on pages with certain "link rel=" >>fields. Ideally, if a password is stored in the password auto-fill >> >>database the toolbar need not appear unless explicitly requested. >> >>2. The master password should be stored in the browser password >>database or entered at browser start time and not displayed to the >>user. An alternate UI can be used to change the master password, >>since >>this shouldn't really happen that often. I can use the "protect >>master >>password database with password" feature to ensure that all of my >>passwords, including the master password for the password >>generator, are >>well-protected. I suppose that if the toolbar is only appearing >>when >>necessary, the password could still be visible on it all the time. >> >>3. The site URL should be automatically populated from the current >>URL. >> >>4. To faciliate entering passwords, a "copy to password field" >>button >>could search the page for any password fields and fill them with >>the >>currently visible password. >> >>Matt. >>_______________________________________________ >>passwordmaker mailing list >>passwordmaker@mozdev.org >>http://mozdev.org/mailman/listinfo/passwordmaker >> >> >> > > > > > >__________________________________ >Do you Yahoo!? >Yahoo! Mail - You care about security. So do we. >http://promotions.yahoo.com/new_mail > > > From grimholtz at yahoo.com Mon Feb 28 18:37:41 2005 From: grimholtz at yahoo.com (Eric Jung) Date: Mon Feb 28 22:04:29 2005 Subject: [passwordmaker] PasswordMaker 0.2 released! Message-ID: <20050301023741.13968.qmail@web54507.mail.yahoo.com> I am happy to announce the release of PasswordMaker 0.2! Please visit http://passwordmaker.mozdev.org to install it. Let me know if you have any suggestions (other than the ones listed for 0.3). Here's a partial list of features/changes since 0.1: * Nine different levels of l33t speak (or none at all) can be applied before, after, or before & after password generation. * Extension is now a non-modal dialog box instead of a toolbar, saving precious screen real-estate * Extension is available via global access key control-tick (cntrl-`) or command-tick on OS-X * Hashed passwords are calculated in real-time as user enters input; there is no longer a generate button * All user-entered values, except master password, are automatically persisted between executions of Firefox and instantiations of PasswordMaker * master password persistance is off by default (for added security), but can be turned on if desired. If turned on, the password is stored locally using AES (Rijndael) encryption * Added MD4, HMAC-MD4, HMAC-MD5, SHA-1, SHA-256, and RIPE-160 hash algorithms, as well as a None option for viewing passwords unencrypted * Added 4 checkboxes for automatically selecting parts of the current URL (protocol, subdomains(s), domain, and port/path/anchor/query parameters * Removed restriction on maximum length of master password * Added v0.1 compatibility mode checkbox which allows the user to turn on/off the concatenation of a colon between the master password and the URL. v0.1 added a colon by default without informing the user, making it impossible to re-create encyrpted passwords with other MD5 implementations. * Added Copy Password To Clipboard button * For added security, added the option for auto-clearing the clipboard after n seconds * Added Help button and associated help screen * Updated on-line version to match the extension, for use when you don't have access to the extension * Moved site to MozDev Sincerely, Eric H. Jung __________________________________ Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. http://info.mail.yahoo.com/mail_250