philipmw / phrase.shop

A web app to generate secure yet memorable passphrases
https://phrase.shop
MIT License

Saved parts #39

Closed: robbielove closed 1 year ago

robbielove commented 2 years ago

I would like to be able to create my own custom preset

It would appear that an update has removed the ability to choose your own parts. I would like the ability to choose my own and then save that set of parts as a custom preset.

So where there are currently 3 buttons, a fourth choice could be added for the user's custom preset that could be used when returning to the site

philipmw commented 2 years ago

Hello,

First, I am glad to meet a customer of this app! Thanks for sharing your ideas.

As you note, the app used to allow custom-built phrases, but does not anymore. The reason is that the phrases it generated were not very memorable, because they were not grammatically correct. The app would generate each word independently of others.

I considered this to be a big hurdle to the app's usability and mission of memorable phrases.

So I redesigned the app to generate words in a dependent manner. For example, a noun following a digit would be pluralized depending on the value of that digit.

But defining the dependencies is not trivial, especially as phrases get longer. I cannot derive these dependencies automatically-- I specify them for each of the three preconfigured templates.

In summary, it is not enough to specify the sequence of phrase parts-- we also need to specify the tree of dependencies.

So, I don't see a way to support user-defined phrase templates. But I am open to ideas.
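The dependency idea described in the comment above, sketched as an added example that is not part of this thread or of phrase.shop's code; the word lists, part names and template structure are constructed assumptions. It shows that number agreement is a deterministic function of the independently chosen parts, so it does not merge any outcomes or lower the entropy, and that a sequence of parts missing the part they depend on is rejected.

```javascript
// Added illustration: word lists and template are constructed, not phrase.shop's data.
const DIGITS = [1, 2, 3, 4, 5, 6, 7, 8];
const NOUNS = [["cat", "cats"], ["fox", "foxes"], ["berry", "berries"], ["wolf", "wolves"]];
const VERBS = [["jumps", "jump"], ["sings", "sing"]]; // [singular, plural]

// Uniform index in [0, n) from Web Crypto; rejection sampling avoids modulo bias.
function secureIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// A dependent part picks its surface form from the value of the part it depends on.
const form = (idx) => (DIGITS[idx.count] === 1 ? 0 : 1);
const TEMPLATE = [
  { name: "count", choices: DIGITS.length, render: (idx) => String(DIGITS[idx.count]) },
  { name: "noun", choices: NOUNS.length, dependsOn: "count", render: (idx) => NOUNS[idx.noun][form(idx)] },
  { name: "verb", choices: VERBS.length, dependsOn: "count", render: (idx) => VERBS[idx.verb][form(idx)] },
];

// A bare sequence of parts is not enough: every dependency must be in the template.
function checkTemplate(template) {
  const names = new Set(template.map((p) => p.name));
  for (const p of template) {
    if (p.dependsOn && !names.has(p.dependsOn)) {
      throw new Error(`part "${p.name}" depends on missing part "${p.dependsOn}"`);
    }
  }
}

const render = (template, idx) => template.map((p) => p.render(idx)).join(" ");

// Choose every part independently and uniformly, then apply the agreement rules.
function generate(template, pick = secureIndex) {
  checkTemplate(template);
  const idx = {};
  for (const p of template) idx[p.name] = pick(p.choices);
  return render(template, idx);
}

// Entropy counts only the independent uniform choices, not the agreement forms.
const entropyBits = (template) => template.reduce((bits, p) => bits + Math.log2(p.choices), 0);

// Enumerate every index combination to confirm agreement never merges two outcomes.
function allPhrases(template) {
  let combos = [{}];
  for (const p of template) {
    combos = combos.flatMap((c) => Array.from({ length: p.choices }, (_, i) => ({ ...c, [p.name]: i })));
  }
  return new Set(combos.map((c) => render(template, c)));
}
```

For this constructed template there are 8 × 4 × 2 = 64 distinct phrases, which matches the 6 bits that `entropyBits` reports.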

robbielove commented 2 years ago

Hey @philipmw

Thanks for taking the time to explain your reasoning behind removing the ability to create custom preset phrases. I can see how it could be difficult to manage the dependencies between different words in a phrase.

I thought about this and came to a conclusion that I think would solve both of our problems.

Your aim appears to be one of keeping passphrases memorable, while my aim with the custom preset is security through obscurity. I think we can solve both issues by allowing users to check a box that would indicate if they care more about security or memorability.

If a user chooses memorability, then they would be given an output using one of the pre-defined phrase templates. If a user chooses security, then they would be given the option to create their own custom phrase template - e.g. they gain access to the old saved parts list and can use that to create any phrase they want. (In fact, this 'checkbox' could be built into the 4 buttons presented to the user - choosing the 4th button means they have this checked for 'security mode' automatically - e.g. if the 4th button is pressed, security mode is auto-activated, otherwise it's memorable mode - other 3.)

This would allow us to keep the app easy to use for the majority of users, while still giving power-users the ability to create their own phrases.

What do you think?

Could you also please explain more about the dependencies you defined for each of the three preconfigured templates? It's not clear to me if that would matter in terms of my proposed security mode.

Thanks!

philipmw commented 2 years ago

Hi, Robbie,

My main hesitation with this is that allowing custom phrases adds significant complexity to the app code. To overcome that, we'd need to determine a good customer use case. I'd have to believe that multiple customers would want this functionality and would not be satisfied with the existing phrase templates.

You understand that this feature would reduce memorability since words would be generated independently. But you believe it is more secure, and the added security justifies the reduced memorability.

Do you mean that you'd want to build phrases longer than the longest phrase the app supports? Or that you'd want to rearrange words from the templates (without making the phrase longer) so the attackers can't guess the order if they know you used phrase.shop to generate?