Improve Password Manager UX

[blackgwe]

Idea

Autofill

Very often Min has asked me to save the password, even if I have only logged in with the built-in password manager. It should be easy to prevent the "save password" overlay in this case. see comment below

Complex Login forms

It's not possible to fill complex login forms like this:

Solution1

Additional key/value Collection for each site/password, where key is the HTML DOM querySelector (or fallback the elementId) of the input field and the value is the string that should be filled in.

Solution2

Provide an additional userScript textarea for each site/password, which is executed after the username/password has been set.

Maybe it's possible to add an "Autologin" checkbox, which submits the form nearby the password field.

allow UserScripts to call Min functions (ipc)

Chrome Extensions have a background script and communicate with message passing:
chrome.runtime.sendMessage Maybe Min could provide a JS Object (global) for userscripts to enable

• persistency (cookies / localStorage)
• access metaData (current Tab url, ...)
• hooks for min-functions
• …

---

my background

I do not have any experiences with electron and only a little knowledge in JS. To learn it a bit I started an experiment POC (google chrome extension) to show, that it's easy to generate any given user/password credentials using PBKDF2 and XOR function (correction bytes)
– E@syPe@syP@ss home: https://github.com/blackgwe/easy-peasy-pass
– some background doc (not reviewed) https://github.com/blackgwe/easy-peasy-pass/blob/master/doc/background.md
– There is even a backup feature and sharing username/password credentials (symmetric aes)
– the google chrome extension file (extension.crx) is in the main directory of the repo

[PalmerAL]

Thanks for the ideas (and also thank you for sponsoring!)

It's probably going to be best to split these up into separate issues, but I'll address each one individually first:

Very often Min has asked me to save the password, even if I have only logged in with the built-in password manager. It should be easy to prevent the "save password" overlay in this case.

Can you give an example of a site where this happens? Min should check for this already; I'm not sure why it wouldn't be working.

Additional key/value Collection for each site/password, where key is the HTML DOM querySelector (or fallback the elementId) of the input field and the value is the string that should be filled in.

This seems like a fairly complex solution that a lot of people would have difficulty using; I'm not sure it makes sense to put this in the main UI. But I wonder if you could write a userscript that runs in that page and fills in the DB name, etc.

Provide an additional userScript textarea for each site/password, which is executed after the username/password has been set.

You wouldn't actually have to run the userscript at the same time as autofill; you could just run it on page load, or have it run on the same keyboard shortcut as autofill (cmd+\)

allow UserScripts to call Min functions (ipc)

This is a good idea. I think there's an issue for this somewhere, but I can't remember.

What we'd most likely want to do is implement the existing greasemonkey api: https://wiki.greasespot.net/Greasemonkey_Manual%3aAPI, so that scripts from that extension can be ported (and we already support a subset of their syntax).

Also, you can already get the current page URL from within the userscript using window.location.

I read over the extension background document briefly, and while I haven't read it in detail, I'm not sure I understand what additional protection it offers. Given that the master password, salt, and secret are all stored in the same place, combining them together and using that to retrieve a password doesn't seem to be any different from just using the master password. (Although it could make a difference if the user chooses a very weak master password. Most password managers currently just assume that won't happen).

If you're looking for a set of password length/character requirements, this will probably be useful: https://github.com/apple/password-manager-resources

I don't think this work would apply directly to Min because 1) we don't support Chrome extensions, and 2) we use the operating system keychain for password storage, so there's limited room to implement our own storage format. But I suppose we could offer some kind of password generation tool in the future.

[blackgwe]

Provide an additional userScript textarea for each site/password, which is executed after the username/password has been set.

You wouldn't actually have to run the userscript at the same time as autofill; you could just run it on page load, or have it run on the same keyboard shortcut as autofill (cmd+)

I think it's not practical for the login form (shown in the first screenshot), because I have different username/pwd for different servers.... Min fills all the text input fields with the username, that's another problem… So I have to go for another approach… You're right. It's not so easy but I'll go that way. Thank's!

[blackgwe]

Additional key/value Collection for each site/password, where key is the HTML DOM querySelector (or fallback the elementId) of the input field and the value is the string that should be filled in.

This seems like a fairly complex solution

Yes it is. Other Password Mgr (Lastpass) put such a feature it under "advanced settings", and it works not in every case.

But I wonder if you could write a userscript that runs in that page and fills in the DB name, etc.

You're right, it should work. Thank you, I hope to get it ready in two weeks (so many things todo....) and then we continue discussing the solution.

[blackgwe]

is implement the existing greasemonkey api

YES I like it. But it should be a lot of work…

[blackgwe]

E@syPe@syP@ss

I'm not sure I understand what additional protection it offers.

It's only an experiment (for private use only ;-) )

• You can use a site password(optionally) as additional parameter to generate username / password pair. You have to fill it in the password field and after that you can fill the password (cmd+ \)
  • additional protection You can "reuse" that site password for different sites, and the generated username/password is different (because of the "domain", which is another parameter in password deviation)
  • additional protection it is not possible to export all user/password at once (because of different site passwords)
  • additional protection keyloggers cannot leak passwords (the domain and the saved master passwords are missing)
  • I can store multiple user/password pairs, e.g. maria-devX:s€cret / maria-prod:s€cret for user maria-dev-server-x / maria-prod-server and "site password"s€cret as parameter for PBKDF2 and so I can control with the keyboard, which user/password should be taken. The derived passwords for dev and prod server differ, even if I reuse the s€cret string.
• it's javascript and by definition it's not secure: see https://www.zdnet.com/article/google-this-spectre-proof-of-concept-shows-how-dangerous-these-attacks-can-be/

[PalmerAL]

You're right, it should work. Thank you, I hope to get it ready in two weeks (so many things todo....) and then we continue discussing the solution.

Sounds good! If you get it working, I'm imagining that we could turn this into a userscript that would work on any site (and you would just fill in the fields you want...) and then add it to the wiki for everyone to use.

RE: password security, given that desktop OS's don't really have effective sandboxing between applications, I doubt protecting against local attacks like keyloggers is going to be very feasible; once someone has local access to your machine, there's so many ways to potentially get access to things like passwords that trying to stop them one-by-one doesn't really work. Hopefully someday we'll get real sandboxing though.

it's javascript and by definition it's not secure: see https://www.zdnet.com/article/google-this-spectre-proof-of-concept-shows-how-dangerous-these-attacks-can-be/

My understanding is that even with JS, processes still isolate data effectively from spectre attacks (ie JS in one process can't access data in another process), which is why Chromium adopted site isolation. In Min, general password management all happens in a browser-level process, and only the passwords for the specific domain gets sent into the tab's renderer process, so I don't think it should be possible to read other sites' password in that manner. (But that's probably worth looking into more - my understanding of this could be wrong).