Re: Password Manager Support

From: George Staikos <staikos@kde.org>
Date: Tue, 11 Apr 2006 12:53:23 -0400
To: public-usable-authentication@w3.org
Message-Id: <200604111253.23849.staikos@kde.org>

On Monday 10 April 2006 13:31, Thomas Roessler wrote:
> Hello,
>
> another item that came up as a possible work item during the
> workshop is form filler / password manager support: Could web
> forms that are used to provide login functionality be annotated
> with information that makes it easier for form-fillers and
> password management tools to do their task?
>
> The design space in this area is rather large; it ranges from
> low-resistance microformat-like annotations to deeper changes
> to mark-up.
>
> Your thoughts on possibly promising directions for this kind of
> work would be most welcome.

  We [KDE] have something called KWallet which allows auto-form-fill of 
password login forms on web pages as well as applications.  The wallet is 
locked with a master password and stored in an encrypted file.  In order to 
determine if we -should- prompt for the master password, we store hashes of 
the access keys (form URLs) unencrypted.  If a hash match is found, we 
prompt.  There is a small leak of information here, but it's not nearly as 
bad as storing all this information in plain text and gets us a decent user 
experience.

  Problems we have:

1) It's very tied to KDE and only starts after the KDE session starts.  
Hopefully we can extract this for KDE4.
2) Our UI and application integration leave much to be desired.  This is just 
a matter of developer-hours to fix.
3) Some forms make it very difficult to make this work
	3a) Script changing the form after page load
	3b) Script changing the form field contents dynamically for "security"
	3c) Just plain weird usage of forms
	3d) Dynamically changing URLs
4) We don't support multiple logins per form well (at all)

  Yes, we could improve forms for this.  One thing that would be nice is to 
have forms that explicitly state that they are "wallet-appropriate".  Right 
now we have to guess, and the guessing doesn't always work right (see #3 
above).

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
Received on Tuesday, 11 April 2006 16:54:46 UTC
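An added illustration of the prompt-decision design described in the reply above (example code, not KWallet's own; the URL normalization, the per-wallet salt and the helper names are assumptions made here):

```python
import hashlib
import hmac
import os
from typing import List, Optional, Set
from urllib.parse import urlsplit


def access_key(url: str) -> str:
    """Normalize a form URL to the 'access key' the index is built from.
    Query string and fragment are dropped so session-specific URLs
    (problem 3d in the mail) still map to one key. Assumed normalization."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"


class WalletIndex:
    """Unencrypted index of hashed access keys, consulted *before* the
    master password is requested, so the secrets themselves stay locked.
    The random per-wallet salt is an addition not described in the mail:
    it stops one precomputed hash table from working against every
    wallet, but it cannot stop guessing once the index file is in hand."""

    def __init__(self, salt: Optional[bytes] = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.hashes: Set[bytes] = set()

    def _digest(self, key: str) -> bytes:
        return hmac.new(self.salt, key.encode(), hashlib.sha256).digest()

    def register(self, url: str) -> None:
        """Record that a login form at this URL has an entry in the wallet."""
        self.hashes.add(self._digest(access_key(url)))

    def should_prompt(self, url: str) -> bool:
        """True when a hash match means unlocking the wallet is worthwhile."""
        return self._digest(access_key(url)) in self.hashes


def index_leak(index: WalletIndex, candidates: List[str]) -> List[str]:
    """The 'small leak' the mail acknowledges: whoever holds the index
    file (salt included) can learn which candidate sites have saved
    logins without ever seeing the master password."""
    return [c for c in candidates if index.should_prompt(c)]
```

The leak is bounded by what an observer can guess: the index confirms or denies candidate sites, but reveals nothing about the usernames or passwords stored behind the master password.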