Michael Titke wrote on 11/06/15 15:42:
>
> I propose to include my Internet account password creation scheme
> into the current account / password / keychain management systems
> on Ubuntu.

That would be excellent!

> Whenever you would like to do something very very important you
> probably will need a new password for subscribing to a mailing
> list, creating another online account and else. After some
> password you start to develop a scheme on how to easily create new
> passwords but it remains daunting. The password storage and
> retrieval is already done by Firefox, Thunderbird, Key Chain and
> Account Managers but the password creation is still left to the
> user who - as a matter of fact - only needs to memorize his master
> password.
>
> To fill the gap I have written a small command line utility in
> Guile Scheme which serves my needs. For those interested I
> attached the program. But I would like to see this feature
> incorporated into the existing solutions in the open source world.

Think of the funnel that people need to go through, to benefit from a
password generator. Broadly, they need to do four things:

1.  Notice that the generator exists.

    Probably 90%+ of the time that people choose a new password they
    are concentrating on a Web page. So to be noticeable, you'll need
    to embed a button directly into the "Choose password:" field on
    that page. So you'll need a browser extension. (The extension
    should look for <form>s that contain at least two
    <input type="password"> fields; the penultimate one will be a
    "Choose password" field. There may need to be a maintained list
    of popular sites that flout this heuristic.)

    That leaves native apps. To make your generator noticeable in
    those, you'll need to provide it as part of the password field
    control in toolkits for app developers to use. Here you have
    three problems to tackle: language, toolkits, and adoption.

    Language: Writing in Scheme is of little benefit as long as Guile
    doesn't ship by default.

    Toolkits: Ubuntu suffers from toolkit proliferation, in that we
    ship apps with password fields in GTK (e.g. file-roller's
    "Compress" dialog), XUL (Firefox and Thunderbird), VCL
    (LibreOffice's "File" > "Properties" > "Security" > "Protect"),
    and soon QML (Ubuntu Touch apps). The more toolkits you cover,
    the more work it will be, but the more often people will be able
    to recognize and use the feature.

    Adoption: Persuading app developers to adopt the toolkit feature
    once it is implemented and shipping. More difficult for
    cross-platform apps.

2.  Be interested enough to use it.

3.  Be confident that they'll be able to use the password later.

    These are interface design problems. The generator needs to be
    not just easy to use, but satisfying to use (look up the research
    on the psychological effects of password strength meters), and
    reassuring in letting you know how you'll access the password
    later. Compare the competition -- some designs are much better
    than others.

    <https://helpdesk.lastpass.com/generating-a-password/>
    <http://www.roboform.com/tutorial-password-generator>
    <http://blogen.stickypassword.com/creating-strong-passwords-with-sticky-password/>
    <https://www.google.com/search?tbm=isch&q=keepass+password+generator>

4.  Actually be able to use the password later.

    Here you defer to other apps. But it doesn't matter how great
    your password generator is, people probably won't use it if they
    can't then log in to the same service on their Windows/Mac PC,
    iPhone, Android phone, or even Ubuntu phone. So to be reliable,
    the system needs to be not just multi-app, but multi-platform,
    and automatic in syncing passwords between devices.

    And I'm not aware of an open-source system that meets those three
    requirements. Ubuntu's "Passwords & Keys" (Seahorse) from Gnome
    is multi-app but single-platform. KeePass is multi-app and
    multi-platform, but syncing is tediously manual. And Firefox Sync
    is multi-platform-ish (no longer on iOS) and automatic -- but
    it's single-app, in that (as far as I can tell) it works only for
    passwords inside Firefox.

None of this is to put you off, I'm just sketching a map of the
terrain. If all you want to do is integrate your generator with what
Ubuntu has right now, you could port it from Scheme to a language we
ship, and add a new dialog to Seahorse ... but few people would
notice. If you have a more substantial goal -- to noticeably improve
the quality of Ubuntu users' Internet passwords, say -- the first
thing I'd tackle would be the device syncing problem. That could help
people who are using KeePass right now, as well as influencing the
architecture of any parts of the problem you work on later.

Cheers
--
mpt

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
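
The form heuristic from item 1 of the reply above (at least two password inputs, the penultimate one being the "Choose password" field, plus a maintained exception list), sketched as an added example that is not part of the original message. The hostnames, the shape of the override table and the `fakeForm` stand-in are assumptions, chosen so the logic runs under Node as well as in an extension content script.

```javascript
// Added example; hostnames and field names are constructed placeholders.
// Maintained exceptions: host -> index of the "Choose password" field among
// the form's password inputs, or null to leave the form alone.
const SITE_OVERRIDES = {
  "accounts.example.com": 0,   // constructed: new password is first of three
  "legacy.example.org": null,  // constructed: two boxes, neither is a new password
};

function passwordInputs(form) {
  return Array.from(form.querySelectorAll('input[type="password"]'))
    .filter((el) => !el.disabled && !el.readOnly);
}

// Returns the input that should get the "generate" button, or null.
function findChoosePasswordField(form, host, overrides = SITE_OVERRIDES) {
  const fields = passwordInputs(form);
  if (Object.prototype.hasOwnProperty.call(overrides, host)) {
    const index = overrides[host];
    return index === null ? null : fields[index] || null;
  }
  // A single password input is a login form; the heuristic needs two or more.
  if (fields.length < 2) return null;
  // [new, confirm] -> new; [current, new, confirm] -> new.
  return fields[fields.length - 2];
}

// Minimal stand-in for a <form> element so the logic runs outside a browser.
function fakeForm(names) {
  const inputs = names.map((name) => ({ name, disabled: false, readOnly: false }));
  return { querySelectorAll: (sel) => (sel === 'input[type="password"]' ? inputs : []) };
}

function demo() {
  const pick = (names, host) => {
    const el = findChoosePasswordField(fakeForm(names), host);
    return el ? el.name : null;
  };
  return {
    login: pick(["password"], "www.example.net"),
    signup: pick(["new", "confirm"], "www.example.net"),
    change: pick(["current", "new", "confirm"], "www.example.net"),
    overridden: pick(["new", "confirm", "pin"], "accounts.example.com"),
    ignored: pick(["pin", "password"], "legacy.example.org"),
  };
}

console.log(demo());
```

In a content script the same function would be called once per entry in `document.forms` with `location.hostname` as the host.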