In addition to the issue raised by Steve, MSecure6 no longer persists the password generator settings. Having to reset these settings for every new password is time consuming, a definite step backwards.
Likes with MSecure6:
- Ability to specify/exclude special characters is valuable to prevent hard-to-distinguish special characters
- Having to reset the password parameters for every new password; removed settings persistence
- Removing ability to exclude upper/lower case
- The overall ability to filter out look-alike characters such as:
  - l1| (lower el, one, pipe)
  - 0O (zero, cap oh)
  - `' (ticks, apostrophe)
  - ,. (comma, period)
  - _- (underscore, hyphen)
  - :; (colon, semicolon)
Probably more I'm not thinking of....
The settings for the password generator are actually supposed to be saved for each record, so I think you have found a bug. Can you let me know what platforms you are running mSecure on? If you are using mSecure 6 on multiple devices, are the settings lost on all platforms after a record is saved?
For the ability to include/exclude upper and lowercase letters, can you give some reasons for why that's needed? It's not that I don't believe it's needed, it's just that we like to have reasons and user stories before we make changes, as it provides understanding for why a certain feature exists. Are there websites you are running into that don't allow upper or lowercase letters? One of the reasons that feature was removed is because a password is always much stronger when upper and lowercase letters are included.
Lookalike characters I agree with. I agree with Mike from mSecure that upper and lowercase is a more secure password by itself. I think the reason I'd deliberately exclude uppercase is when I'm reasonably certain that I'm going to have to type this new password into a TV or some other silly input method. (Bearing in mind the security of the account itself of course.)
Re: non-persist settings
I think that I (Mike) and Mike-msecure are talking about two slightly different issues.
The issue of non-persistence is seen on my Pixel5/android 12/SP2A.220305.012; msecure6 build 1604
I do sync with another Android; I only have one example at hand but the password generation settings, for a particular record, DO move with that record to a new device with the record. I think this is the behavior Mike-msecure expects.
However, as I recall, on msecure5 the password settings would persist across all new records on the same device. E.g. if I set 12 chars/upper only, then this would be the default setting each time I created a new record. I think this is different than what Mike-msecure is describing as saved per each record to persist across platforms. The value here is that I have a password complexity setting that I am comfortable with for default new passwords. Especially with the new feature of symbol-inclusion/exclusion, entering the included/excluded symbols as part of creating each new record is not reasonable.
Re: upper/lower selection
I understand and agree that upper/lower creates more permutations of a given length password, and that it is good conventional wisdom for the typical user*. TV input is a good example to go all caps/lower. I had other cases where I choose to increase password length, and remove lowers also due to the input method. But this happens while thinking about risk tradeoffs.
*Perhaps pop up a "this setting has the potential to reduce password security, are you sure you want to continue?" would cover a larger user base. Or hiding them under an additional layer of "advanced options". I think the statement above that a password is "always much stronger" with upper/lower at the generator side is generally good advice (cheap insurance) but overly broad.
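Added example, not part of any post in this thread and not mSecure's code: a small generator that filters the look-alike characters listed above and measures the length-versus-character-set tradeoff discussed here, using the reported default of length 18 with letters, numbers and all special characters. Python's `string.punctuation` stands in for "all special characters", which is an assumption about the real symbol set.

```python
import math
import secrets
import string

# Look-alike characters listed in the thread: l1|  0O  `'  ,.  _-  :;
LOOKALIKES = frozenset("l1|0O`',._-:;")

def build_alphabet(upper=True, lower=True, digits=True,
                   symbols=string.punctuation, exclude=LOOKALIKES):
    """Return the sorted candidate characters for the chosen settings.
    string.punctuation models "all special characters" (assumption)."""
    pool = set(symbols)
    if upper:
        pool |= set(string.ascii_uppercase)
    if lower:
        pool |= set(string.ascii_lowercase)
    if digits:
        pool |= set(string.digits)
    pool -= set(exclude)
    if len(pool) < 2:
        raise ValueError("settings leave fewer than two characters to choose from")
    return "".join(sorted(pool))

def generate(length, alphabet):
    """Draw each character independently and uniformly from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))

def min_length_for(bits, alphabet):
    """Shortest length whose entropy is at least `bits` for this alphabet."""
    return math.ceil(bits / math.log2(len(alphabet)))

if __name__ == "__main__":
    default = build_alphabet(exclude="")          # all 94 printable ASCII characters
    tv = build_alphabet(lower=False, symbols="")  # upper + digits, look-alikes removed
    target = entropy_bits(18, default)
    needed = min_length_for(target, tv)
    print(f"default: 18 chars from {len(default)} symbols = {target:.1f} bits")
    print(f"TV-friendly: {len(tv)} symbols, needs {needed} chars for the same strength")
    print(generate(needed, tv))
```

The entropy figures hold only for passwords drawn uniformly at random, as `generate` does; they say nothing about human-chosen passwords.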
Thank you for the input on this one everyone. I will talk to our development team to see what they want to do about separating upper/lowercase letter options in the password generator.
@Mike Thank you very much for the clarification. You hit the nail on the head. I was thinking the settings weren't getting saved on each record, which would be a bug. I don't think we intentionally removed the remembering of the last generated password settings, but that is definitely gone. I'll get that written up so it will be back in the app.
I would like to bump this topic describing a regression in functionality, and a bug, from version 5 to version 6. Keeping it on the developer's radar.
@Mike While this is definitely not a bug, the request is on the radar.
Actually, I just reread some things you reported above, and I'm not sure what you're actually referring to. Are you saying that mSecure is not remembering the last password generator settings you are using? It should save the settings actually used on each record, then if you create a new record, it should show the settings that were used last. The separation of upper/lower case settings for the generated password was what I was referring to as not being a bug.
Yes, the phrase bug was referring to the lack of persistence of the password generator settings. Each time I generate a new password, it reverts to the default of length=18, Include letters true, include numbers true, special characters include all. I am using a Pixel 5.
I'm not sure whether it's persisting the settings for each record (which appears to be the desired behavior you're describing), but like Mike said - in mSecure 5 it persisted changes across ALL records. While it does make sense that these settings will be persisted on a per-record basis - it's also annoying that you can't set a baseline that will be the default for all records.
I think the best approach to handle this is to provide a configuration option in Settings, which will be used for any record that doesn't have a custom setting defined (perhaps with a button to reset all the custom settings on all records). That way people can still set up custom behaviors for specific records, but they can also enforce their default desired standard on all records. My standard is quite different from mSecure 6's one, so it's quite annoying to have to change it for every record (I have hundreds of them).
@Zeev Thank you very much for your input. I think I like the idea of a default setting for the password generator as well, but this all gets pretty complex very quickly. For most users, the generator settings getting remembered from the last time they were used has been either valuable or at least enough for a very long time. If we were to switch over to a default setting that had to be set by the user, that would cause problems for users, since the way it worked would change all of a sudden. I think the only way to do this would be to have a default setting available for the password generator, and if that wasn't set, use the last password generator settings globally. Then, if you're in a record which has saved generator settings, use that instead of the default or last used settings. For both you and @Mike, would that be a good feature request?
@Mike I will check things in Android and Windows to make sure the password generator settings are getting stored correctly. I know for Mac and iOS, the last used settings are getting saved and then used globally.
Mike-mSecure: I think what you described as a feature request would do the job. To be clear, I'm not looking for any new features, and I'm not positive how all the different settings in mSecure work since I have a workflow I always use, and don't stray from it much. My observation is that in mSecure5 every time I created a new password the configuration settings popped up the same and created the same configuration of password (not sure whether it was due to a 'last used' or some 'default' I set up along the way).
I have all the members of my household using mSecure, and I've been using it for at least 10 years. My household is non-technical, so in rev 6 now I have to intervene every time one of them creates a new password to configure, whereas in rev 5 it was set-and-forget for each of them.
@Mike and @Zeev After talking this over with our development team, we've made a decision on how we're going to change the password generator based on both your feedback. We will be implementing a "Make Default" checkbox at the bottom of the Password Generator settings. This will make it possible for users to create their own custom settings that will then be displayed each time a new record is created with a Password type field. If the generator settings aren't changed, then when the record is edited again and the generator is opened, the settings will be the default settings. If, however, the generator settings are customized for a particular record, those settings will be saved. After they are saved, those are the settings you'll see if the generator is opened for that record again in the future.
This functionality will replace the "last used" settings functionality that should be active in the iOS and Mac versions of mSecure. With this functionality, every time you change the password generator, whatever settings you used are brought up the next time the password generator is used in a new context.
We think having a user-defined default will be much better functionality, but as always, we welcome your feedback.
Do we have a feel for when the ability to retain password generator settings will make it to Windows and Android? Having to change my password defaults on every single new record is a giant pain, and more importantly, my wife doesn't change the default, giving her less secure passwords.