* Password field for creating new sends should be named differently, as by default Firefox autocompletion puts my account's password there. Potentially should be exposed from OPTIONS panel. Alternatively it can be generated by default, and then once the message is created, will be shared to the creator - or stored in options menu of my sends.
* Missing an option to expire message after first opening. It's like a self-destroyable notification that can be read only once. Why? For instance, if I share some confidential information with someone that I know is going to open it very soon, then once he/she opens the message it will be destroyed, so that if somebody accesses either my or my friend's machine, it will be impossible to read the secret message. Another aspect is that if my friend tries to open the secret message, and it shows that the message doesn't exist / was destroyed - then we know that the message was compromised.
Oh! Right! I think this is a ripple effect of #1 for me, this is how I see the panel for creating a message:
https://i.imgur.com/IBVinx4.png
So Firefox put my account password there automatically, and color-coded that, but also did this for Max Access Count. And to be frank, I filtered out that field when I was looking for a relevant option to solve problem #2.
What about an option to expire the message X hours or days after the first access?
So that if one forgets to save / make use of the secret thing, and accidentally reloads the browser tab, or powers off the computer -- it'll still be there, an hour later. But not a week later.
Or if you share the message with a tech-illiterate person, who doesn't realize what "expires after first access" means. Then, instead, you can say to him/her: "After you've read my message, you need to use it within two days, thereafter it disappears automatically". And it won't matter if he or she accidentally reloads the browser tab (with the message in it -- trying to access it for a 2nd time), or leaves for lunch and powers off the computer and wants to continue handling your message, after lunch.
(Could be combined with expiring the message after Y days, without any access.)
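The three expiry rules discussed in the comments above (read once, X hours or days after first access, Y days with no access) can be combined in one server-side check. The sketch below is an added example, not part of the original comments and not the project's own code; `SendPolicy` and all of its field names are hypothetical, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SendPolicy:
    """Hypothetical expiry policy for one shared message."""
    created: datetime
    max_access_count: Optional[int] = None               # 1 = expire after first opening
    ttl_after_first_access: Optional[timedelta] = None   # "X hours or days" window
    ttl_unread: Optional[timedelta] = None               # "Y days" with no access at all
    first_access: Optional[datetime] = None
    access_count: int = 0

    def expired(self, now: datetime) -> bool:
        if self.first_access is None:
            # Never opened: only the unread limit can apply.
            return self.ttl_unread is not None and now >= self.created + self.ttl_unread
        if self.max_access_count is not None and self.access_count >= self.max_access_count:
            return True
        return (self.ttl_after_first_access is not None
                and now >= self.first_access + self.ttl_after_first_access)

    def open(self, now: datetime) -> bool:
        """Record an access attempt; return True if the content may be shown."""
        if self.expired(now):
            return False
        if self.first_access is None:
            self.first_access = now   # the post-access window starts here
        self.access_count += 1
        return True


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed creation time
    windowed = SendPolicy(t0, ttl_after_first_access=timedelta(days=2),
                          ttl_unread=timedelta(days=7))
    once = SendPolicy(t0, max_access_count=1)
    return {
        "first_open": windowed.open(t0 + timedelta(hours=1)),
        "reload_after_lunch": windowed.open(t0 + timedelta(hours=3)),
        "a_week_later": windowed.open(t0 + timedelta(days=8)),
        "read_once_first": once.open(t0 + timedelta(hours=1)),
        "read_once_second": once.open(t0 + timedelta(hours=2)),
    }
```

With a read-once policy, a refused open for the intended recipient is the signal that someone else already opened the message; with the post-access window, that signal is traded for tolerance of reloads.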
If you don't trust a password manager to hold a master password for another password manager, can you trust it to hold your other passwords / whatever else you store in your password manager?
I don’t have an issue having a master password for one password manager stored inside another; I DO think having it in a web browser's built-in password manager is a bad idea, particularly because most browser password managers don’t require authentication to use (unless you’re logging into the browser for the first time).
If someone gets access to my unlocked machine and can get into my web browser, they could potentially get into my other password manager to retrieve important information. That’s a very bad thing.
Sometimes you’re required to enter a password to retrieve/view saved passwords in a web browser, sometimes you aren’t — but it is very rare that the built-in password manager requires authentication for auto-fill. As a general rule, I don’t use Chrome's built-in password manager for anything sensitive because it didn’t require prior authentication to view stored passwords (it may have changed now, but I’m not sure), and the same is true for autofill of my 1Password master password and security key on ANY platform. I don’t want someone to be able to autofill and get access to all my data.
Isn't the point of a password manager that you only have to remember one password? If you put it in another password manager, then you have to remember that password instead, so have you really improved the situation?
Plus it just adds extra, unnecessary attack vectors since there are now two attackable points of authentication for your first password manager and three attackable points for any accounts managed by that password manager.
I'm still hashing out the details, but essentially cybersecurity has one major flaw: nothing is immaculate.
At least the way I see it, good CySec is creating a chain of dependent constraints (e.g., password-protect a file, which uses a password stored in another file, encrypted with a password, etc.). Wherever that chain comes out is the "entry-point". A password you forgot is as bad as deleting one of the links in the chain.
Thus, there's no perfect solution, and cybersecurity professionals make a lot of money on the ensuing fear from that.