This repository has been archived by the owner on Jun 4, 2022. It is now read-only.

DRAFT Password management

Adrian Cochrane edited this page Jun 14, 2018 · 2 revisions

Password management is a pain. It's a pain to create good secrets for the myriad of sites you don't really care about, and it's a pain for those sites to store them.

There's not much I can do about the latter except excitedly embrace WebAuthn when it's ready. But I will address the current situation using two techniques.

One icon would show (gray) when you have entered a password into a site, as an offer to save it to GNOME Keyring, indicating success by turning blue. Then later, when you're prompted for a password, it'll show up again in orange as an offer to fill it in for you.

Another icon would show (gray) when you're prompted to enter a password as an offer to generate one for you. Clicking it will bring up a popover with:

  • A password field
  • A secondary icon on it offering to generate an XKCD-style password for you, clear your password field, or indicating that it matches your last saved password.
  • A progress bar indicating how secure your password is.
  • Icons you can recognize when typing your password in again on another device.
  • A checkbox (default to ticked) prompting to save the password (in-memory).
  • A disclosure allowing you to specify password requirements.
  • A link describing what this is all about.
  • A button that'll automatically enter a site-specific password into the page.

When I implement WebAuthn I'd use that same icon but not the popover for it.

With these in combination, a login page should show either the LessPass or GNOME Keyring icons but not both. A change password page should show both. And after either I'd offer to save the password, though I'm not sure about saving LessPass passwords.

Surfer Explanation of LessPass

Using one password across all websites?

With Odysseus's automatic password generation that is now secure!

[icon] jumbles your "master password" with site-specific information to generate an effectively random password that can easily be recomputed on another device using LessPass. It is impossible for sites to reverse engineer your master password from your site-specific password, and your master password never leaves Odysseus's memory space nor is written to disk without it being jumbled first.

FAQs

What about the passwords I have already registered with websites?
You can store those in GNOME's Keyring, using the [keyring] icon.
What about the password requirements I struggle to fulfill?
Click the |> button in the popover to adjust those settings to be what the site expects. Odysseus will offer to save these details to your Keyring.
Why can't I generate a password?
Odysseus will refuse to generate site-specific passwords for weak master passwords. You can judge how secure your password is by how much of the password entry's background is filled in.
What's with the dice button?
It will generate a [secure](https://www.xkcd.com/936/) yet hopefully humorous/memorable password for you by choosing 4 random words from the [top 1000 words](https://store.xkcd.com/pages/thing-explainer-book) in the English language. This is all done entirely on your computer, and as such no one else will see this password.
Or you could simply use the password for your user account Odysseus is running in.
What's with those coloured icons?
These are the same icons LessPass will show beside its master password entry, and they help you spot when you've made a mistake entering that password.
How are you checking that I'm using the same password as last time?
A site-specific password is generated for Odysseus, and we check that. Otherwise your password would be vulnerable to hardware forensics, and passwords warrant extra paranoia around that.
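The derivation described under "Surfer Explanation of LessPass" and the same-master-password check in the last FAQ, as an added illustration that is not Odysseus's or LessPass's own code: the iteration count, alphabet, minimum master length, pseudo-site name and word list below are constructed assumptions, not LessPass's published profile.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration only; LessPass publishes its
# own derivation profile, and these values are not taken from it.
ITERATIONS = 100_000
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*")
MIN_MASTER_LEN = 12  # stands in for the page's "refuse weak master passwords"

def derive_site_password(master, site, login, counter=1, length=16,
                         alphabet=ALPHABET):
    """Stretch the master password with a site-specific salt and map the
    result onto the allowed alphabet. Only the derived password leaves this
    function; the master password itself is never written anywhere."""
    if len(master) < MIN_MASTER_LEN:
        raise ValueError("master password too weak; refusing to derive")
    # Site, login and counter are the "site-specific information" that makes
    # every derived password distinct; the counter lets one site be rotated.
    salt = f"{site}\0{login}\0{counter}".encode()
    # Request enough key material that the modulo walk below never runs dry.
    dklen = max(32, 2 * length)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)

def make_check_token(master):
    """A derived password for the pseudo-site 'odysseus' (assumed name).
    Keeping this token in the keyring lets the browser recognise the same
    master password later without ever storing the master password."""
    return derive_site_password(master, "odysseus", "master-check")

def master_matches(master, stored_token):
    """Constant-time comparison so timing does not reveal how many leading
    characters of the token matched."""
    return hmac.compare_digest(make_check_token(master), stored_token)

# Constructed mini word list standing in for the page's 1000-word list.
WORDS = ["correct", "horse", "battery", "staple", "window", "river",
         "planet", "candle", "bridge", "forest", "silver", "garden"]

def xkcd_password(words=WORDS, count=4):
    """Four words chosen with the OS CSPRNG, space-joined for memorability."""
    return " ".join(secrets.choice(words) for _ in range(count))
```

The stored check token is still worth guessing against offline, which is why the page keeps it in the keyring rather than on disk in the clear.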