Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 May 2016 12:34:50 -0500
From: Jeffrey Goldberg <>
Subject: Re: Password-Manager Friendly (PMF) semantic markup

On 2016-05-10, at 2:59 AM, Per Thorsheim <> wrote:

> First presented by Max Spencer at #passwords14 in Trondheim, I am still
> a fan of this idea.

So am I. This is the kind of thing that we (at AgileBits, the makers of
1Password) have been hoping that someone would develop and get happening.

Taking a look

there are a couple of minor issues that pop up.

The semantics of mustHave is asking for trouble in terms of
misunderstanding. The example

  mustHave: ["upper", "lower", "digit”]

is described as requiring at least one upper, at least one lower, AND
at least one digit. Yet people will want to specify an OR meaning has
well. That is, at least one from the UNION of upper, lower, and digit.

I would like to see a way to express both. But more importantly, whether
the character classes listed in mustHave are meant as AND or OR; someone
is going to get it wrong. Sure the AND meaning might be more natural, but
we should expect that some people will give it the OR meaning.

The other thing is that the proposal should make it clear which base64
character set is meant by “base64”. We might find that in the context in
which PMF is used that base64url is more common.

I cannot speak for resource allocation at AgileBits. We’d love to see
(something) like this. But I don’t anticipate that we can dedicate
resources toward development until I can really convince the powers that
be that our already stretched extension and “brain”[1] team should spend
time on this, no matter how beneficial it will be in the longer run.

So I would love to promise that we will be the first (well, after Pico)
password manager to implement this, but I can’t.

[1]: We refer to the part of 1Password that analyzes a DOM to figure out
what field is what and how to fill them as “the Brain”.



Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.