W

(Of course, thanks to pipes and xdotool, I only *see* these passwords when running it from a terminal, just as Firefox extension users wouldn’t see their passwords normally. So they’d also probably only get familiar with the ones they had to use the web version for when stuck on someone else’s PC. Seems like a decent tradeoff.)

[1] Conkeror.

XPI is just zip archive, just like ODF (OpenDocument Format) files and JAR (Java ARchive) are zip archives, of course with some requirements to contents.

Base64 I’m thinking. Yes the way Firefox checks security in the Awesomebar would be optimal. Not sure how easy that is or if it’s even possible. I suggested a standard compression format for the submission because I want raw source code that I can build into an xpi. The source code will then be put up as an open source project.

I don’t have a good answer for the sites that require specific password constraints like upper and lower case, punctuation, etc. My thought is that supporting this would add a level of complexity to this plugin’s UI that would almost defeat it. There are other plugins like PasswordMaker, and desktop password generators that are highly configurable but as soon as you head down that road you loose the ease of use, and if it’s a pain to use only hardcore security geeks and paranoid people are going to bother. I essentially never encounter sites with these requirements. The rare things that do, like some banks, I’m fine with remembering a separate password for.

One thing that could be done is to alternate case in all generated passwords: lower, upper, lower, upper…. etc. for all generated passwords. You could also probably add a toggle to guarantee at least 1 digit, and then if you chose an 8char password but the first digit was 10 chars in it’d give you a 10 char password instead (maybe relabel the buttons short, med, and long). Those two would take care of 99% of your issues. Although I’m thinking the number toggle thing would probably have to be either a default so that you don’t have to remember which sites you used that at, or stored on a per site basis. But the problem with the latter is that then you can’t make a web based version for people to use if they happen to be on a different computer and can’t / won’t install the plugin.

A few comments:
Why hex format, and not for example Base64, uuencode, or Ascii85? What to do if web site has some requirements about passwords, like having mixed case, or at least one digit, or at least one punctation character?
Wouldn’t it be better to use exactly (or almost exactly) the same scheme like Firefox uses for its Awesomebar (URL location bar) to mark whether site uses secure connection, has some unecrypted elements on otherwise encrypted page, or is unsecured?
Shouldn’t submission be in XPI format, i.e. ready to install, instead of jar, zip, or tar.gz?