Excellent news and some well thought out suggestions!
I'll write a proper reply with my comments and ideas sometime next week when I have the time (some of suggestions are things I've put thought into but never actually done).
I welcome and support the initiative!
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "RndPhrase" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rndphrase+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
Great news Ronni, there is so much room for improvement in the
RndPhrase addons! I'll try and fill you in on my thoughts.
I would probably just go with an HTML-based app that could load the
On Thu, May 23, 2013 at 10:29 AM, Ronni Elken Lindsgaard
<ronni.li...@gmail.com> wrote:
> ## RndPhrase Mobile
> ### The project
> First of all I would like to make an app for mobile devices. Personally I
> use rndphrase just about everywhere, and it is quite cumbersome having to
> load a url everytime I need the service (although it always is my first tab
> on the device).
>
> Even though the service does not require heavy computing I believe that
> native code is best. To get multi-platform from the start I am contemplating
> developing the mobile app in titanium. Another benefit is that the code is
> kept in java.
>
> I am interested in opinions about this choice before venturing into titanium
> mobile, especially if anyone has serious pros or cons for this choice.
existing JS implementation. It's just the easiest.
Is there something UI-wise that you think could be done more friendly
in a native app? Copy-to-clipboard perhaps? I don't know that much
about apps, but I too find it awkward to load the appspot site in a
browser to login to GMail.
We could definitely put the core files on appspot. No problem. And you
> ### Source organization
> Another thing is the organization of the sourcecode. I have given this some
> thought and have come to the conclusion that RndPhrase Mobile should be a
> separate project, however it would be handy to have some shared files, some
> of the core files, such that hashing on the mobile devices as well as for
> the browser plugins are always 100% in sync.
>
> Does anybody have ideas for that? Maybe just hosting the core files on
> appspot, or somewhere else so that they can always be referenced?
can get them through HTTPS and cache them locally. I guess the amount
of code that can be shared depends on the choice with respect to
implementation of the app.
I think it's safe to use "all of us" here ;) I bitch like a little
> ## Expanding the plugin userinterface
> ### Settings for domains
> I guess most of us have the problem that RndPhrase cannot be used on some
> websites because they ask for a maximum number, special characters or
> similar in the password.
girl every time a site rejects an RndPhrase for being "insecure" and I
have to remember that on this domain I added something weird to the
password. It sucks.
It's important that the rules doesn't yield information about the
generated password. For example, I have a site where my generated
password by coincidence doesn't contain any digits (it happens) and
that site, by further unfortunate coincidence, requires at least one
digit.
Now, the naïve rule would fix this by appending a digit, however that
tells everyone who can see the rules (which are simply stored inside
the browser) that the password is 16 letters followed by a digit;
perhaps not an issue since 16 letters is still difficult to guess, but
the other case of 16 digits (obviously less likely) is way worse.
A better way to implement this is to throw out the password and
generate a new one (e.g. by using the first password as the RndPhrase
password). Repeat until the criteria is met. This would only leak that
the password isn't among those that does not meat the criteria set by
the site, which is OK.
So, if possible, the rule should be met by generating a new password
using the prior. If not, add something to the existing password.
This leaves the cases where we have to lessen security significantly,
either because of a size limit or a digits-only limit. Those sites
sucks and enabling such a rule should show a warning of some kind.
NB: with respect to special characters, it's difficult. Some sites
requires a special character. Fine. However, some requires a special
character from their own *chosen* set (e.g. one of "_-.!?") and some
take this further by *only* accepting special characters from their
set (e.g. "-" fulfills the requirement while "%" is an error (by the
way, if that's the way you protect your site against SQL-injections
I'd rather not have an account)). Password "security" rules can be
ridiculous like that.
My idea was to add a sub-menu to the existing right-click context menu:
> ### Settings dialog to improve UX
> This is a nice to have, but really user friendly :) Mathis Svensson gave me
> this idea, that when you hit @@ instead of just @ when entering your
> password, a dialog for the settings appear and you can manage the settings
> for a specific domain.
> Any other ideas how to make the functionality more accesible?
"RndPhrase" ->
* "Add capital 'A' on this domain."
* "Add special char '-' on this domain."
* "Limit size to 12 characters."
Items for the most common rules. But whatever makes it easy to work
with is good.