SpiderOak / Encryptr

Encryptr is a zero-knowledge cloud-based password manager / e-wallet powered by Crypton
GNU General Public License v3.0

Request: browser plugin to auto-fill credentials #169

Open cmeeren opened 9 years ago

cmeeren commented 9 years ago

I'm currently using KeePass with the KeeFox Firefox plugin. This auto-fills my credentials when I visit a login form, which means I don't have to open the password database and manually find the relevant credentials.

I'm very open to trying new password database solutions such as Encryptr, but unless it can auto-fill my credentials when I browse the web, it's probably not worth the hassle.

Are you planning on implementing this feature?

devgeeks commented 9 years ago

I have no current desire to implement auto-fill. Leaving it out was actually a conscious decision.

https://www.schneier.com/blog/archives/2014/09/security_of_pas.html

http://macperformanceguide.com/blog/2014/20140907_1526-passwordManager-vulnerabilities.html

etc

I totally understand if that is a deal-breaker though.

cmeeren commented 9 years ago

Thank you for the prompt reply. I totally understand the desire to skip features due to security implications. However, I don't understand the security implications in this case. The links you posted seem to problematize password managers autofilling without manual interaction. One could easily make manual interaction required, e.g. like KeeFox (optionally) does, where you click the KeeFox icon in the browser toolbar and select one of the matching credentials to autofill. (As an additional security measure, you could choose to never autofill iframes.)
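The click-to-fill policy discussed in the comment above, sketched as an added example that is not part of the thread and not Encryptr or KeeFox code: a fill is considered only after an explicit user action, never inside an iframe, and only for entries whose stored origin exactly matches the page. The function names, request fields and sample entries are hypothetical.

```javascript
// Added example: fill policy for a click-to-fill extension. All names are hypothetical.

// Constructed sample entries; only labels and URLs are needed for the decision.
const SAMPLE_ENTRIES = [
  { label: "bank (personal)", url: "https://bank.example/login" },
  { label: "bank (joint)", url: "https://bank.example/login" },
  { label: "forum", url: "https://forum.example/" },
];

// Return the scheme://host:port origin of a URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (err) {
    return null;
  }
}

function deny(reason) {
  return { allowed: false, reason, candidates: [] };
}

// request.userGesture: true only when the user clicked the extension button.
// request.isTopFrame:  false when the login form sits inside an iframe.
// request.pageUrl:     URL of the document that contains the form.
function decideFill(request, entries) {
  if (!request.userGesture) return deny("no-user-gesture");
  if (!request.isTopFrame) return deny("iframe");

  const pageOrigin = originOf(request.pageUrl);
  if (pageOrigin === null || !pageOrigin.startsWith("https://")) {
    return deny("insecure-or-invalid-page");
  }

  // Exact origin comparison: a look-alike host such as
  // bank.example.evil.test must not match an entry for bank.example.
  const candidates = entries
    .filter((entry) => originOf(entry.url) === pageOrigin)
    .map((entry) => entry.label);
  if (candidates.length === 0) return deny("no-matching-entry");

  // The user still picks one label; nothing is filled until they do.
  return { allowed: true, reason: "ok", candidates };
}
```

Only labels are returned at this stage, so no secret leaves the vault until the user selects a specific entry.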

devgeeks commented 9 years ago

That would certainly be possible, and preferable to complete auto-fill. However, it would also mean porting Encryptr from a standalone app to a browser extension in order to have access to the web page you are intending to fill in.

Again, totally possible. I will re-open this issue and flag it for review in our next major revision (after the feature-frozen 2.0.0 coming out soonish).

knoxxs commented 9 years ago

Is anyone working on it? I don't have much experience with security or browser extensions but want to give it a try.

barafael commented 9 years ago

I totally second this. Currently only KeeFox and LastPass have this kind of functionality and LastPass is proprietary. KeePass is a little hard to install on Linux. So, I would be willing to donate just for this feature.

cmeeren commented 9 years ago

@medium-endian, have you read this? I didn't have any problem getting it to work (including KeeFox - you'll just have to point it manually to the KeePass executable, and perhaps copy the plugin manually to the KeePass folder).

barafael commented 9 years ago

@cmeeren I have read this. Still, LastPass is easier and better...

knoxxs commented 9 years ago

Just some issues I faced with LastPass:

  1. It's slow
  2. Its own UI sucks (the options made me do 3-4 clicks to do anything)
  3. Sometimes it brings glitches in the sites (happens with me on payment portal for my bank)
  4. Mobile app is not free.
  5. Not a good UI to manage your passwords
  6. Don't learn my data.

helgatheviking commented 9 years ago

:+1: I know it sounds so lazy, but opening Encryptr, searching for the site, and then copying the password isn't anywhere as convenient as LastPass's autofill. Or if you're really opposed to autofill and sometimes that doesn't work on the LastPass, but at a minimum when you visit a site LastPass will automatically show a list of username/passwords that match a particular site. Then I can just click on the one and tell it to auto-fill. So only rarely do I have to actually search the vault for a particular site or copy the password manually.

diessica commented 9 years ago

Agree completely with @knoxxs. I've deleted my LastPass account because of this:

[Image: screen shot 2015-08-21 at 00 59 20]

All of a sudden, when I was trying to recover my master password using my logged browser. My folder organisation, usernames and generated passwords: all gone.

We just can't trust it for managing passwords. I've lost a lot of (generated) passwords cause I believed in the "Last password you'll need to remember" thing.

I don't believe autofill is the thing here. LastPass' autofill wasn't that good anyway.

Integrating Encryptr with web browsers somehow would be nice though, just like @cmeeren pointed out.

phicyclist commented 9 years ago

Mitro had done a good job with browser plugins. The functionality worked very well in Chrome and Firefox.

It might be a good starting point.

maxkueng commented 9 years ago

> However, it would also mean porting Encryptr from a standalone app to a browser extension

The browser extension could communicate with the desktop app instead of being standalone.

devgeeks commented 9 years ago

Except since this is a JS based app anyway, it's almost less work to just talk directly to Crypton from the extension...

Gitoffthelawn commented 9 years ago

I will +1 this idea and all the people who are discussing it intelligently.

GameplayJDK commented 9 years ago

But if the extension would first request access from the local application, the user would be forced to interact actively, for example by a little message box inside Encryptr saying "Hey, your browser plugin wants to auto-fill this and that.".

helgatheviking commented 9 years ago

I've since moved to Dashlane, which I think handles this very well. On forms that it can fill, you see a little icon in the inputs:

[image]

And then when you focus on the input, a list of available logins for that site pops up and shows the available logins for that site.

Login in as: helga1 helga 2 helga 3

Then when you make your selection, the form is auto-filled and submitted and you are logged in.

I think this is a very good experience.

exadeci commented 8 years ago

Dashlane is insanely expensive but it does work well, they went with the extension linked with a stand alone soft (that launches a service) but the whole package uses around 200-300Mb. A nice feature they got is "password changer" it's a feature on the soft that allows you to change the supported websites (only a dozen for me) password in a second (everything is done in the background).

Auto-fill (on demand) is really something that is important for a password manager.

tyrel commented 8 years ago

+1 here from me for a browser extension, at least, to allow me to click a button to fill in a login form. I realize there are security concerns here, but you really have to find a balance between usability and security, as always. However, you have to let a user determine where they want that balance to be. If you force it to be difficult, a lot less people will use it. If you make it easier, more people will use it and the world will be a little bit more secure than it was before, which is the end goal, right?

You could implement a variety of security levels for a browser extension. For example:

The user can choose what level of security they want, and you can warn them about the implications of such.

Personally, I prefer not to have my passwords sitting in plaintext on my clipboard. There are way too many ways for someone to sniff my clipboard without me knowing!

r3k2 commented 8 years ago

+1 for browser extension, at least have it as an option, do not enforce it. That way people can choose when and how to use their own security, should be up to the user to have the tools and options but not to be forced to use one or another, so yes, I would like an extension so I can choose with what sites I have it auto-fill and with what sites I want to use copy/paste or some other solution, the more options the better.

lordkitsuna commented 8 years ago

I understand security concerns, however there are so many ways to get around the initial concern. Simply not making it automatic but making an easy button either in the password field or somewhere on the browser that I can click to manually invoke autofill so that it does not do it on a whim. Sad to say it's just far too God damn inconvenient especially on mobile to have to manually copy-and-paste passwords constantly. Not to mention it's fairly easy to grab things from the clipboard on most operating systems. This looks almost perfect but until it has some form of integration with browsers I sadly cannot consider it an option. Which is upsetting since I am really looking for something to replace LastPass but so far nothing else has the support for platforms it has as well as ease of use. Dashlane came close but they sadly do not have a Linux version. If this request for browser integration ever comes to fruition I will instantly switch over and likely donate to make sure that it continues as at that point it will be perfect for my uses.

tgagor commented 8 years ago

+1 I want this too. KeePass behaviour for autofill is secure enough in my opinion. Please implement it and you will get much more audience with those plugins.

Svenito commented 8 years ago

Also consider how Enpass handles this. The browser plugin communicates with the desktop application. This might be an option as mentioned above. Would like to see tighter integration with browser too.

peterloron commented 8 years ago

+1 This is a killer/deal-breaker feature for me. I'm (so far) putting up with LastPass because of it.

morriswinkler commented 8 years ago

👍 for a password manager it is a must have these days

HelmicNewciv commented 7 years ago

This is a deciding factor on what I suggest people to use to get them started with a password manager. I would love to have them use Encryptr because it's open-source and cloud-based, but without proper integration and auto-fill it's just too much of a hassle to convince non-techie people to use it regularly.

This extends to the mobile client as well - on Android, LastPass has a neat little feature to punch in your login information in apps. I'd love to see similar tools for the Encryptr mobile apps to make it easier to get people to use it there too.