XYplorer Beta Club

Creat wrote:Actually it seems to be a general problem, just tried with IE and Firefox, neither offered me to save the password
I guess all the browsers rely to some point on recognizing field names (like 'username' and 'password' or something) to offer auto-completion, it might also be because the regkey-field isn't a password-type-field (with hidden input, displayed as * or some other character, depending on settings, OS and the like).

It might be indeed that there is no password field here, and since most of the times what is offered is to remember login/password, the lack of password field might explain why it's only seen as a simple form (e.g. search box, contact form, etc). I'll admit that I have no idea if/how it works in FF natively since I don't use that feature but the excellent RoboForm myself, and I can have it save/fill those fields no problem.

On another note, FF does remember what I typed previously (in such search/form fields, etc), so now a simple dbl-click on each of the textbox will have a MRU to show up, each time only including my name/key...

Creat wrote:
btw: I'm glad you decided to drop the activation-thing

Hear, hear!

jacky wrote:On another note, FF does remember what I typed previously (in such search/form fields, etc), so now a simple dbl-click on each of the textbox will have a MRU to show up, each time only including my name/key...

Same here. FF 3.0 MRU works fine.

Anyway, I will check what happens when I change the field type to "password". This might also make users feel safer about entering their key (although I wonder what exactly they are afraid of).

admin wrote:

jacky wrote:On another note, FF does remember what I typed previously (in such search/form fields, etc), so now a simple dbl-click on each of the textbox will have a MRU to show up, each time only including my name/key...

Same here. FF 3.0 MRU works fine.

Anyway, I will check what happens when I change the field type to "password". This might also make users feel safer about entering their key (although I wonder what exactly they are afraid of).

i dont think entering a key is a good idea, why not use some type of base64/md5/sha1/hash generated key that generates off the users key, that way they can enter the base64/md5/sha1/hash code instead of the real key., using the key involves copy and paste and it could get pasted in a wrong place or make it easy to get stolen if user has a keylogger hidden in their pc.

if key is
1234-1234-1234-1234
sha1 would be this, nearly impossible to decode.
da39a3ee5e6b4b0d3255bfef95601890afd80709

noir wrote:
i dont think entering a key is a good idea, why not use some type of base64/md5/sha1/hash generated key that generates off the users key, that way they can enter the base64/md5/sha1/hash code instead of the real key., using the key involves copy and paste and it could get pasted in a wrong place or make it easy to get stolen if user has a keylogger hidden in their pc.

I like the idea of a hash. However, if a user has a keylogger on their machine, they're screwed anyway.

admin wrote:

jacky wrote:On another note, FF does remember what I typed previously (in such search/form fields, etc), so now a simple dbl-click on each of the textbox will have a MRU to show up, each time only including my name/key...

Same here. FF 3.0 MRU works fine.

Anyway, I will check what happens when I change the field type to "password". This might also make users feel safer about entering their key (although I wonder what exactly they are afraid of).

Type "password" will turn off the MRU function in FF (and rightly so). So it's the opposite of what we want.

BTW, a stolen software key is no harm for the user but rather for the software maker. Given that it's so easy to get illegal keys for XY (as for any other software) I don't see any reason to work against the much harder ways of stealing something entered into a web form.

Nevertheless I see that may users have an irrational feeling of risk when they enter a key into a form and I have to do something about that.

What about the old idea of entering the LL directly from the app with a single click (passing the key in an encrypted string to the website). Does it invoke a feeling of irrational danger in your guts?

yea that would work nicely, especially since I can just bookmark that link.
You'd probably just end up using a SHA-1 encoded key (or even better: username+key in one string) and compare it to a (probably precalculated) entry in the db. Sounds perfect, actually

What about the old idea of entering the LL directly from the app with a single click (passing the key in an encrypted string to the website). Does it invoke a feeling of irrational danger in your guts?

sounds good but you could probably do it so the user doesn't have to enter anything and automatically generates from whats in the ini and you could put it in the Help section ie Help -> members lounge.

also people with bad keys you could log and then blacklist in the next version.

Creat wrote:My browser (Opera) doesn't offer me to save the login data when logging in.

I use Opera as my secondary browser and one feature that I LOVE about it is the 'Notes' function...have you used that? It allows me to have various strings that I use often, like my email addr, web site, name, etc stored within a tree/folder structure that I can access via a down arrow in a form field...very handy!

Noir, the way I read it, you'd not have to enter anything manually.

admin wrote:
What about the old idea of entering the LL directly from the app with a single click (passing the key in an encrypted string to the website). Does it invoke a feeling of irrational danger in your guts?

Don't make that the only way to do it, because I refuse to do it through the app.

admin wrote:
Nevertheless I see that may users have an irrational feeling of risk when they enter a key into a form and I have to do something about that.

What about the old idea of entering the LL directly from the app with a single click (passing the key in an encrypted string to the website). Does it invoke a feeling of irrational danger in your guts?

I have to agree with some of the other opinions I've seen here - I won't use this either. I don't trust apps that interface with the web. I have no choice in some cases (i.e. browser, net tools, etc...), but for everything else, no way.

Demset wrote: I don't trust apps that interface with the web.

Apps that do it automatically and without user control are ones that I can't stand...if an app offers to do so, and I know more precisely what/when it's doing, I'm pretty much OK with that.

if its just a link that will open in your normal web browser then im ok with it but if it has to open within the app then i wouldn't like that.

ie
http://www.xyplorer.com/ll/members.php? ... 9&uid=1112

j_c_hallgren wrote:

Demset wrote:
I don't trust apps that interface with the web.

Apps that do it automatically and without user control are ones that I can't stand...if an app offers to do so, and I know more precisely what/when it's doing, I'm pretty much OK with that.

Unless you take a packet sniffer to it, and decode the entire transmission, you don't really know what it's doing. Even innocent transmissions can be security risks. A developer on the up and up can still code an app to send machine and network info under the guise of statistics, or troubleshooting info. But the transfer of that information can be the equivalent of taking the keys to your network and machines and tossing them on the sidewalk. It doesn't have to be malicious in order to be a very significent problem.

noir wrote:if its just a link that will open in your normal web browser then im ok with it but if it has to open within the app then i wouldn't like that.

I wouldn't even use it for the link - since it could still be transferring information as part of the process. But that's me.