CLI version: Store hash of master password; previous domains

Bug #324908 reported by Matt Giuca
Affects: PySGP
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

The Command-Line version should store settings locally, with a few things to go in there.

Firstly, there should be the option of storing the master password hash locally, allowing the program to warn you if you get it wrong, as with the bookmarklet version. Also, there could be an option to store the actual master password locally, so the program does not need to prompt you at all - however, like the bookmarklet version, this will be extremely discouraged.

We can also (as suggested by Tim Cuthbertson) store a list of domains which have previously been entered. This serves a few purposes. Firstly, we can do a spell-check like feature. If you type a domain similar to one you have already used, it will say "did you mean...?" Secondly, the list of domains itself is useful, because it lets you know which sites you have used SGP with (in case you want to change your master password, this is a list of sites you need to update).

Matt Giuca (mgiuca) changed in pysgp: importance: Undecided → Wishlist
Matt Giuca (mgiuca) changed in pysgp: status: New → Triaged
Tim Cuthbertson (gfxmonk) wrote:

sgp-platform already manages a list of domains in ~/.supergenpass.domains when you use the --remember or --forget flags. (at least in the git version).

It also allows you to save the password in the system store using --save. This uses keytool on OSX, and seahorse in GNOME. I'd be wary of implementing our own password storage...

Matt Giuca (mgiuca) wrote:

I'm not sure if I buy that argument. Firstly, features should not exist solely in platform if they can be provided in a platform-independent manner and work on the command-line. Secondly, this isn't a suggestion to implement our own password storage, just to store the hash of the master (which we are sending out across the Internet all the time anyway). I would use the same hash as SGP itself, with some fixed salt. So it shouldn't be unsafe.

(I would certainly not implement a storage of the cleartext master password without using an existing password storage service.)

Still, it is some work. But that's why there's a bug on it ;)
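The two settings described in the bug description (a locally stored master-password verifier that lets the CLI warn on a mistyped master, and a history of previously entered domains with a "did you mean...?" check) and the hash-storage idea in Matt's comment above, worked through as an added example. This is not PySGP or sgp-platform code: the settings path, the JSON layout and every function name are assumptions. One deliberate difference from the fixed-salt SGP hash proposed above: the verifier is derived with PBKDF2 over a random per-file salt, so a copied settings file cannot be checked against a precomputed table and each guess costs the attacker a full key derivation. Only the verifier is ever written; the master password itself is not stored.

```python
"""Local settings for a SuperGenPass-style CLI (added example, not PySGP code):
a master-password verifier plus a history of domains used with SGP."""
import difflib
import hashlib
import hmac
import json
import secrets
from pathlib import Path

# Assumed settings location and KDF cost; neither is part of PySGP.
DEFAULT_SETTINGS_PATH = Path("~/.pysgp-settings.json").expanduser()
PBKDF2_ITERATIONS = 200_000


def make_verifier(master: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Derive a verifier from the master password with a fresh random salt.
    The returned dict is what gets stored; the master password is not."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def check_master(master: str, verifier: dict) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        bytes.fromhex(verifier["salt"]),
        int(verifier["iterations"]),
    )
    return hmac.compare_digest(digest, bytes.fromhex(verifier["hash"]))


def normalize_domain(domain: str) -> str:
    """Lower-case and trim so 'GitHub.com ' and 'github.com' are one entry."""
    return domain.strip().lower().rstrip(".")


def remember_domain(domains: list, domain: str) -> list:
    """Append a domain to the history unless it is already recorded."""
    d = normalize_domain(domain)
    if d and d not in domains:
        domains.append(d)
    return domains


def did_you_mean(domain: str, domains: list, cutoff: float = 0.8) -> list:
    """Spell-check-like lookup: close matches from the history, best first.
    An exact hit returns [] because there is nothing to suggest."""
    d = normalize_domain(domain)
    if d in domains:
        return []
    return difflib.get_close_matches(d, domains, n=3, cutoff=cutoff)


def load_settings(path=DEFAULT_SETTINGS_PATH) -> dict:
    """Read the JSON settings file, supplying defaults when it is absent."""
    path = Path(path)
    if not path.exists():
        return {"master_verifier": None, "domains": []}
    data = json.loads(path.read_text(encoding="utf-8"))
    data.setdefault("master_verifier", None)
    data.setdefault("domains", [])
    return data


def save_settings(settings: dict, path=DEFAULT_SETTINGS_PATH) -> None:
    """Write atomically with owner-only permissions, then rename into place."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_suffix(path.suffix + ".tmp")
    tmp.write_text(json.dumps(settings, indent=2), encoding="utf-8")
    tmp.chmod(0o600)
    tmp.replace(path)


def verify_or_enroll(master: str, settings: dict) -> str:
    """First run stores a verifier ('enrolled'); later runs report 'ok' or
    'mismatch' so the CLI can warn before generating a wrong site password."""
    verifier = settings.get("master_verifier")
    if verifier is None:
        settings["master_verifier"] = make_verifier(master)
        return "enrolled"
    return "ok" if check_master(master, verifier) else "mismatch"


if __name__ == "__main__":
    # Constructed demo run against a throwaway file in the current directory.
    demo_path = Path("pysgp-settings-demo.json")
    s = load_settings(demo_path)
    print(verify_or_enroll("correct horse battery", s))
    for site in ("github.com", "gmail.com"):
        remember_domain(s["domains"], site)
    print("did you mean", did_you_mean("gmial.com", s["domains"]))
    save_settings(s, demo_path)
```

The domain list doubles as the "sites to update" inventory the description mentions: after a master-password change, `settings["domains"]` is exactly the set of sites whose generated passwords must be rotated, which is why the file is written with mode 0600 and never contains the master itself.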

Tim Cuthbertson (gfxmonk) wrote:

> I'm not sure if I buy that argument. Firstly, features should not exist solely in platform if they can be provided in a platform-independent manner and work on the command-line.

Twasn't an argument, just noting that it's already implemented. I'm happy for it to move into core.

Matt Giuca (mgiuca) wrote:

Wait, is the hash store/verify actually implemented in sgp-platform? Or is it just the cleartext password store?

Tim Cuthbertson (gfxmonk) wrote:

Just cleartext (though I assume it's encrypted at least). I haven't done any storing of hashes.
