[Ann] CintaNotes 2.9 Beta 1!

User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Encryption

Postby CintaNotes Developer » Wed Apr 15, 2015 12:22 pm

Thomas Lohrum wrote:Exit, since closing to the tray with no database opened does not make sense.

Ok, will implement in the next beta.
Alex
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Re: Decode attachments to disk

Postby Thomas Lohrum » Wed Apr 15, 2015 12:23 pm

CintaNotes Developer wrote:
Thomas Lohrum wrote:A warning can be implemented when opening an attachment. "Warning: The attachment will be temporarily saved to disk in decrypted mode, to be able to open it with its associated application."
I think we better implement auto deletion of extracted attachments after the handling application exits. Probably the warning will be needed if the user decides to close CN while still editing/viewing the attachments.

Safely deleting the file is mandatory. Nevertheless making people aware that a file, which might contain sensitive data, will be saved to disk, is a good thing to do. It can be complemented with an option "[ ] don't show this message again". Also warning the user in case he exits CN while an attachment is opened by an other app should be implemented.

Thomas
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Encryption II

Postby CintaNotes Developer » Wed Apr 15, 2015 12:24 pm

Thomas Lohrum wrote:a) it looks a lot more professional :)
b) if you use CN as a password manager, safety can not be high enough!!!!

Ok I agree to add it as a "maybe" item for 2.9.1 :)
Alex
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Re: [Ann] CintaNotes 2.9 Beta 1!

Postby Thomas Lohrum » Wed Apr 15, 2015 12:24 pm

CintaNotes Developer wrote:
Thomas Lohrum wrote:Mode=All text fields SAF=ON SIW=ON
This will not find notes containing the search text in the attachments name only. I might need to rerun my test though, since attaching databases can change the settings.
Of course it won't, since attachments are not one of the text fields of the note. Or do you think otherwise? Searching with "Anywhere" or specifically "Attachments" will find them.

Of course it won't. That is why i had added "docs:" to my comment :)

Thomas
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Re: Encryption II

Postby Thomas Lohrum » Wed Apr 15, 2015 12:26 pm

CintaNotes Developer wrote:
Thomas Lohrum wrote:a) it looks a lot more professional :)
b) if you use CN as a password manager, safety can not be high enough!!!!

Ok I agree to add it as a "maybe" item for 2.9.1 :)

I like your handling of collecting minor but useful ideas to produce a minor, but nice update!
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: [Ann] CintaNotes 2.9 Beta 1!

Postby CintaNotes Developer » Wed Apr 15, 2015 12:27 pm

Thomas Lohrum wrote:Thanks for your ongoing support. I appreciate a lot!

It is a pleasure.
From what i have read in the forum today, i decided to use 2.9 starting with beta 2.

Ok, but please make a lot of backups! :)
Alex
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Decode attachments to disk

Postby CintaNotes Developer » Wed Apr 15, 2015 12:30 pm

Chris,

usbpoweredfridge wrote:
Thomas Lohrum wrote:A warning can be implemented when opening an attachment.

Not a bad idea :)
Would having an option to ask for the password when restoring from the system tray make sense? At the moment, you can unlock a DB, minimise CN, and when you restore it, your database is still decrypted.


But you already have a better option: "Require re-entering password after .. minutes of inactivity". It is even more convenient: if you minimized CN just for a second, you won't have to re-enter password.
Alex
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Encryption II

Postby CintaNotes Developer » Wed Apr 15, 2015 12:32 pm

usbpoweredfridge wrote:Warning - writing a password strength meter is not as easy as it sounds. There is no standard for password strengths, so every single program that has this feature writes it in a slightly different way, meaning that the same password in different applications is shown with wildly varying strengths - which may make the results meaningless (app1 says my password is really weak, but app2 says it is really strong - which is correct?). I'm not against the idea if you want to do it, but I personally don't think it is worth it myself.


Thanks for this input, that's good to know.

usbpoweredfridge wrote:I'd like to see 1 minute personally.

You'll have it in Beta 2.
Alex
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Decode attachments to disk

Postby CintaNotes Developer » Wed Apr 15, 2015 12:43 pm

Thomas Lohrum wrote:Safely deleting the file is mandatory. Nevertheless making people aware that a file, which might contain sensitive data, will be saved to disk, is a good thing to do. It can be complemented with an option "[ ] don't show this message again". Also warning the user in case he exits CN while an attachment is opened by an other app should be implemented.

Ok let's show a warning if notebook is encrypted (=contains sensitive data)
Alex
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: [Ann] CintaNotes 2.9 Beta 1!

Postby CintaNotes Developer » Wed Apr 15, 2015 12:44 pm

Thomas Lohrum wrote:Of course it won't. That is why i had added "docs:" to my comment :)

Oh so you meant that we need to reflect this in the help?
Alex
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Encryption II

Postby CintaNotes Developer » Wed Apr 15, 2015 12:45 pm

Thomas Lohrum wrote:I like your handling of collecting minor but useful ideas to produce a minor, but nice update!


From the former experience, I know that 2.9.1 and probably also 2.9.2 are inevitable after a major release :)
There always will be bugs that slip through beta testing, and small improvements which only become evident in hindsight :)
But this is normal. Thanks to you all the bugs that do slip won't be very serious.
Alex
User avatar
usbpoweredfridge
Posts: 407
Joined: Fri Jan 17, 2014 11:08 pm
Contact:

Re: Encryption II

Postby usbpoweredfridge » Wed Apr 15, 2015 12:46 pm

Thomas Lohrum wrote:You are correct. However, in terms of computers being able to crack a password i think a strong password should be defined as having at least 12 characters, having upper- and lowercase characters, as well as special chars.


Yeah - essentially that is how it works now. Each program that implements this makes up their own set of rules on what constitutes weak and strong, and then ranks passwords accordingly. 12 characters (upper, lower plus special) is probably pretty reasonable...until the user picks something like this:
Bestpassword1
BestPassword-1

Both words are in the dictionary. The special character and the number provide increased protection against attack - but I would consider both those as weak, despite them being 14 characters in length. There are other factors of course - for example, I have referred to KeePass previously. As part of its database format, it provides a hardening factor, which slows down the number of attempts per second at which you can guess a password:
http://keepass.info/help/base/security.html (see "Key Protection against Dictionary Attacks" section)

With the sheer power of multi-GPU boxes in cracking passwords (the numbers of passwords a good multi-GPU based system can guess per second is frightening), slowing down the number of guesses a system setup to brute force a password can make per second is quite important.

Anyway, as I say - not as easy as it sounds! If thought is put into the rules that the password meter uses, I think a strength meter can be a guide to how your password is secure - I was just making the point that it is not the be all and end all of password security.

Chris

Edit: There was a recent study which discussed password strength, summary here (original paper linked in that article):
http://readwrite.com/2015/03/27/passwor ... -you-think
Last edited by usbpoweredfridge on Wed Apr 15, 2015 12:54 pm, edited 3 times in total.
User avatar
usbpoweredfridge
Posts: 407
Joined: Fri Jan 17, 2014 11:08 pm
Contact:

Re: Decode attachments to disk

Postby usbpoweredfridge » Wed Apr 15, 2015 12:48 pm

CintaNotes Developer wrote:Chris,
But you already have a better option: "Require re-entering password after .. minutes of inactivity". It is even more convenient: if you minimized CN just for a second, you won't have to re-enter password.


Yes - with the addition of 1 minute to the minutes of inactivity field, this is probably a viable alternative.

Chris
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Re: [Ann] CintaNotes 2.9 Beta 1!

Postby Thomas Lohrum » Wed Apr 15, 2015 1:01 pm

CintaNotes Developer wrote:
Thomas Lohrum wrote:Of course it won't. That is why i had added "docs:" to my comment :)
Oh so you meant that we need to reflect this in the help?

Yes
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Re: Encryption II

Postby Thomas Lohrum » Wed Apr 15, 2015 1:04 pm

usbpoweredfridge wrote:
Thomas Lohrum wrote:You are correct. However, in terms of computers being able to crack a password i think a strong password should be defined as having at least 12 characters, having upper- and lowercase characters, as well as special chars.
Yeah - essentially that is how it works now. Each program that implements this makes up their own set of rules on what constitutes weak and strong, and then ranks passwords accordingly. 12 characters (upper, lower plus special) is probably pretty reasonable...until the user picks something like this: (.....)

Chris, thanks a lot. Very interesting stuff. I agree. My point is, that the user must be aware of the potential risk of using weak passwords. Maybe this can be achieved by the means of a label giving advice on how to create strong passwords.
User avatar
usbpoweredfridge
Posts: 407
Joined: Fri Jan 17, 2014 11:08 pm
Contact:

Re: Encryption II

Postby usbpoweredfridge » Wed Apr 15, 2015 2:08 pm

Thomas Lohrum wrote:My point is, that the user must be aware of the potential risk of using weak passwords.


Yep, I completely agree :) It's all up to the user in the end, making the trade-off between security (longer and more complex passwords, which are harder to remember and which take longer to type in) and convenience (shorter and less complex passwords, which are easier to remember and take less time to type in but which potentially weaken the DB). The user may only want to stop a non-technically minded family member from accessing their DB for example - in which case, a shorter password would probably be enough. But if they carry their DB around on a USB drive (portable CN install), they may want to prevent someone (who may be technically inclined) from accessing their data if they lose their drive (in which case, a more complex password would probably be appropriate).

Of course, if a bad guy wants access to someone's CN database, password length/strength potentially won't matter - they have the option of directing their attack at getting a keylogger or related malware on the system CN is installed on. If they manage to do that, from that point onwards it is game over, regardless of how long the password is.

Maybe this can be achieved by the means of a label giving advice on how to create strong passwords.


I guess each approach has advantages and disadvantages. A password meter may be easier for some people to understand - especially if you choose a tick and cross icon (as some programs use) to give the end result (tick means password is considered strong, cross means it is considered weak - usually the tick is coloured green and the cross is coloured red). The various strength meters I have seen most often use the bar type of display rather than the tick/cross icons however - these may be more meaningful to more technically minded users as they can see how 'strong' is 'strong' (rather than just a simple 'strong' or 'not strong' indicator) and how various changes to the password effect the final result, but are potentially more intimidating to non-technical users.

The advantage of text I suppose is that it does away with the more specific - and potentially more misleading - strong and weak labels, and gives the user some general advice on what factors can make a password stronger (and then just lets the user decide what strength they need). The disadvantage is that some people don't like to read messages a program displays (I think every software developer has probably seen this when a user asks a question that is answered in the program documentation).

I suppose a hybrid approach would also be valid. In that the password screen displays the list of tips you suggest, and then underneath (or beside) that, it gives a big green tick if the password meets those requirements, or a big red cross if it does not. For people interested in pictures rather than words, the tick or cross could be their guide, and for the people who don't mind reading, the list of tips can be their guide.

Maybe we could just start out with a list of tips though (which is the simplest approach), and then see what sort of user feedback rolls in?

Chris
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Minimize/maximize attchment list region

Postby Thomas Lohrum » Thu Apr 16, 2015 6:29 am

Hi Alex,

i suggest a functionality with a shortcut to minimize/maximize the attachment list. Similar to the tag sidebar, when i press the shortcut the window region of the a-list should be reduced to its minimum required by the icon size. Pressing the shortcut again will maximize it to the max defined percentage value you suggested. This will also allow for a user setting to configure whether the list will be shown minimized or maximized when opening the editor.

Thomas
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Minimize/maximize attchment list region

Postby CintaNotes Developer » Fri Apr 17, 2015 1:05 pm

Thomas Lohrum wrote:i suggest a functionality with a shortcut to minimize/maximize the attachment list. Similar to the tag sidebar, when i press the shortcut the window region of the a-list should be reduced to its minimum required by the icon size. Pressing the shortcut again will maximize it to the max defined percentage value you suggested. This will also allow for a user setting to configure whether the list will be shown minimized or maximized when opening the editor.


Maybe it will be simpler just to remember the last width and use it for all editors?
Alex
Thomas Lohrum
Posts: 1310
Joined: Tue Mar 08, 2011 11:15 am

Re: Minimize/maximize attchment list region

Postby Thomas Lohrum » Fri Apr 17, 2015 1:19 pm

CintaNotes Developer wrote:
Thomas Lohrum wrote:i suggest a functionality with a shortcut to minimize/maximize the attachment list. Similar to the tag sidebar, when i press the shortcut the window region of the a-list should be reduced to its minimum required by the icon size. Pressing the shortcut again will maximize it to the max defined percentage value you suggested. This will also allow for a user setting to configure whether the list will be shown minimized or maximized when opening the editor.
Maybe it will be simpler just to remember the last width and use it for all editors?

Absolutely not. My editors are of different size. Using the same width for all of them does not make sense at all. As you suggested a percentage value (configurable via a setting) seems logical. Imo the suggested min/max feature makes a lot sense.

Thomas
User avatar
CintaNotes Developer
Site Admin
Posts: 4711
Joined: Fri Dec 12, 2008 4:45 pm
Contact:

Re: Minimize/maximize attchment list region

Postby CintaNotes Developer » Fri Apr 17, 2015 1:23 pm

Thomas Lohrum wrote:Absolutely not. My editors are of different size. Using the same width for all of them does not make sense at all. As you suggested a percentage value (configurable via a setting) seems logical. Imo the suggested min/max feature makes a lot sense.

Ok, thanks for the suggestion. I'll need to think a bit about it.
Alex

Return to “CintaNotes Personal Notes Manager”