palant / pfp

A simple and secure browser extension to be used with KeePass databases.
https://pfp.works/
Mozilla Public License 2.0

Make password names more obvious #27

Closed by kzar 8 years ago

kzar commented 8 years ago

With LastPass it's pretty useful how the current URL for the website is automatically entered when you store a new password. It's stored along with the record, which means that the extension has more context than just the hostname when deciding which credentials to offer / auto-fill. It also gives more context for the user, so they can remember exactly which page credentials are for. (I usually find myself deleting the query strings, however; they are rarely useful and look messy.)

So how about we add an extra field in Easy Password when creating a new password to do something similar? The path part of the URL could be automatically entered, but it would still be editable should the user need control. To start with this field would just be there to give the user a little more context, but in the future it might be used by the extension itself to decide which password to fill for a page.

Secondly, I found the name field kind of confusing. I found myself asking "what is this for, what am I supposed to type?" and was kind of annoyed when the default blank string wasn't allowed. How about the name defaults to the domain or is simply optional? (I think if the path part of the URL was stored the name string would often be less vital anyway.)

palant commented 8 years ago

It's generally a bad idea to report two problems in one issue. So, which one should it be?

Your first request is definitely "won't fix" - I don't really care what LastPass is doing, their UI is a mess. It is quite typical that the login form is available on many different pages. See for example https://bugzilla.mozilla.org/ - clicking "login" will produce the login form regardless of the page you are on. Connecting passwords to the exact URL by default is bound to become a mess with the less technical users, particularly given that many of them don't understand the URL concept in the first place. The concept of aliases is already complicated enough, no need to make it worse.

So let's morph this report to be about the second part, namely making password names more obvious? A default is definitely a no-go, for security reasons. Since the password name is used as the salt for the generated password, it's essential that different users choose different password names. A default will make one particular password name much more prominent and thus weaken the whole system. However, showing a hint is a good idea. I'd go with placeholder="Your user name or anything else" but that might already be too long.
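
The salt argument in the comment above, as an added example that is not part of the original thread and is not the extension's own code: it compares a population where everyone keeps a default password name with one where each user picks their own. The derivation function (PBKDF2-HMAC-SHA256), the salt layout `domain + NUL + name`, the iteration count and all sample values are assumptions made for illustration.

```python
import hashlib
from collections import Counter

# Assumption: PBKDF2 stands in for whatever derivation the extension uses.
# The iteration count is deliberately low so the example runs quickly.
ITERATIONS = 10_000


def salt_for(domain: str, name: str) -> bytes:
    """Salt built from the site and the user-chosen password name (assumed layout)."""
    return f"{domain}\0{name}".encode()


def generate(master: str, domain: str, name: str) -> str:
    """Derive a per-site password from the master password and the salt."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), salt_for(domain, name), ITERATIONS, dklen=16
    )
    return raw.hex()


def distinct_salts(users, domain: str) -> int:
    """How many different salts exist across the population for one site."""
    return len({salt_for(domain, name) for _master, name in users})


def users_sharing_a_password(users, domain: str) -> int:
    """How many users end up with a generated password identical to someone else's."""
    counts = Counter(generate(master, domain, name) for master, name in users)
    return sum(c for c in counts.values() if c > 1)


DOMAIN = "example.com"

# Constructed sample populations: (master password, password name).
# Two users happen to have picked the same weak master password.
WITH_DEFAULT_NAME = [
    ("hunter2", DOMAIN), ("hunter2", DOMAIN), ("correct horse", DOMAIN),
]
WITH_OWN_NAMES = [
    ("hunter2", "alice"), ("hunter2", "bob@mail.example"), ("correct horse", "carol"),
]

if __name__ == "__main__":
    for label, users in (("default name", WITH_DEFAULT_NAME), ("own names", WITH_OWN_NAMES)):
        print(label, "| distinct salts:", distinct_salts(users, DOMAIN),
              "| users sharing a password:", users_sharing_a_password(users, DOMAIN))
```

With a default name the whole population collapses onto one salt, so equal master passwords produce equal site passwords and the salt no longer separates users; with user-chosen names every derivation is independent.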